|
@@ -469,13 +469,15 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
|
|
|
$sensitiveget = true;
|
|
|
}
|
|
|
|
|
|
- // Check all cases that need a mandatory token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
|
|
|
+ // Check a token is provided for all cases that need a mandatory token
|
|
|
+ // (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
|
|
|
if (
|
|
|
$_SERVER['REQUEST_METHOD'] == 'POST' ||
|
|
|
$sensitiveget ||
|
|
|
((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN'))
|
|
|
) {
|
|
|
- if (!GETPOST('token', 'alpha')) { // If token is not provided or empty
|
|
|
+ // If token is not provided or empty, error (we are in case it is mandatory)
|
|
|
+ if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
|
|
|
if (GETPOST('uploadform', 'int')) {
|
|
|
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large.");
|
|
|
$langs->loadLangs(array("errors", "install"));
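Review bot: The rewritten condition on the `if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired')` line reads the token twice and compares the sentinel with loose `==`; read it once and compare strictly: `$token = GETPOST('token', 'alpha');` then `if (!$token || $token === 'notrequired') {`. Rejecting the literal `notrequired` on this mandatory path is what stops the sentinel from becoming a bypass for POST, sensitive GET and CSRFCHECK_WITH_TOKEN pages, and a short comment would make that intent explicit, e.g. `// 'notrequired' is only honoured where a token is optional; on this mandatory path it is treated as a missing token`. The `if (` that opens at `$_SERVER['REQUEST_METHOD'] == 'POST' ||` continues past the end of the hunk.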
|
|
@@ -497,7 +499,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
|
|
|
|
|
|
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
|
|
|
// TODO Get the sessiontokenforthisurl into the array of session token
|
|
|
- if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
|
|
|
+ if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
|
|
|
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
|
|
|
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
|
|
|
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
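Review bot: On the rewritten `if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && ...)` line the sentinel comparison reads the token with no check type while the two other reads on the same line use `'alpha'`, and both comparisons are loose `!=`; the session-token comparison in particular should be strict and constant-time: `$token = GETPOST('token', 'alpha');` then `if (GETPOSTISSET('token') && $token !== 'notrequired' && !hash_equals($sessiontokenforthisurl, (string) $token)) {`. This is the only place where `notrequired` relaxes a check, and since a request that sends no token at all already skips this branch, accepting the sentinel here grants nothing extra; the mandatory path in the earlier hunk still rejects it. The enclosing block starts before this hunk.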
|
|
@@ -3205,16 +3207,17 @@ if (!function_exists("llxFooter")) {
|
|
|
country_code: '<?php echo $mysoc->country_code ? dol_escape_js($mysoc->country_code) : 'unknown'; ?>',
|
|
|
php_version: '<?php echo dol_escape_js(phpversion()); ?>',
|
|
|
os_version: '<?php echo dol_escape_js(version_os('smr')); ?>',
|
|
|
- distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>'
|
|
|
+ distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>',
|
|
|
+ token: 'notrequired'
|
|
|
},
|
|
|
success: function (data, status, xhr) { // success callback function (data contains body of response)
|
|
|
- console.log("Ping ok");
|
|
|
+ console.log("Ping ok");
|
|
|
$.ajax({
|
|
|
method: 'GET',
|
|
|
url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
|
|
|
timeout: 500, // timeout milliseconds
|
|
|
cache: false,
|
|
|
- data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok' }, // for update
|
|
|
+ data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok', token: 'notrequired' }, // for update
|
|
|
});
|
|
|
},
|
|
|
error: function (data,status,xhr) { // error callback function
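Review bot: The added `token: 'notrequired'` entries hard-code a sentinel that main.inc.php interprets, both in this hunk and again in the `firstpingko` data of the following hunk; a one-line comment next to each, `// 'notrequired': this GET carries no CSRF token, the target page must not require one`, records the contract so a future change to the sentinel is not missed here. Both ajax calls also send an `action` parameter, and the mandatory-token check treats `notrequired` as a missing token when the target page defines CSRFCHECK_WITH_TOKEN, so this presumably relies on pingresult.php not defining it — worth confirming. The `console.log("Ping ok");` change appears to be whitespace only. The llxFooter function this JavaScript sits in starts and ends outside the hunk.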
|
|
@@ -3224,7 +3227,7 @@ if (!function_exists("llxFooter")) {
|
|
|
url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
|
|
|
timeout: 500, // timeout milliseconds
|
|
|
cache: false,
|
|
|
- data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko' },
|
|
|
+ data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko', token: 'notrequired' },
|
|
|
});
|
|
|
}
|
|
|
});
|