
Fix token for ajax call

Laurent Destailleur 4 年之前
61bd572a9c

+ 10 - 4
htdocs/admin/system/perf.php

@@ -172,7 +172,8 @@ jQuery(document).ready(function() {
   var compphpstring;
   getphpurl = $.ajax({
     type: "GET",
-    url: \''.DOL_URL_ROOT.'/index.php\',
+	data: { token: \''.currentToken().'\' },
+    url: \''.DOL_URL_ROOT.'/public/notice.php\',
     cache: false,
     /* async: false, */
     /* crossDomain: true,*/
@@ -211,10 +212,11 @@ jQuery(document).ready(function() {
   var compcssstring;
   getcssurl = $.ajax({
     type: "GET",
+	data: { token: \'notrequired\' },
     url: \''.DOL_URL_ROOT.'/includes/jquery/css/base/jquery-ui.css\',
     cache: false,
     /* async: false, */
-    /*crossDomain: true, */
+    /* crossDomain: true, */
     success: function () {
       	cachecssstring=getcssurl.getResponseHeader(\'Cache-Control\');
       	/* alert(\'css:\'+getcssurl.getAllResponseHeaders()); */
@@ -250,10 +252,11 @@ jQuery(document).ready(function() {
   var compcssphpstring;
   getcssphpurl = $.ajax({
     type: "GET",
+	data: { token: \''.currentToken().'\' },
     url: \''.DOL_URL_ROOT.'/theme/eldy/style.css.php\',
     cache: false,
     /* async: false, */
-    /*crossDomain: true,*/
+    /* crossDomain: true,*/
     success: function () {
       	cachecssphpstring=getcssphpurl.getResponseHeader(\'Cache-Control\');
       	/* alert(\'cssphp:\'+getcssphpurl.getAllResponseHeaders()); */
@@ -289,10 +292,11 @@ jQuery(document).ready(function() {
   var compimgstring;
   getimgurl = $.ajax({
     type: "GET",
+	data: { token: \'notrequired\' },
     url: \''.DOL_URL_ROOT.'/theme/eldy/img/help.png\',
     cache: false,
     /* async: false, */
-    /*crossDomain: true,*/
+    /* crossDomain: true,*/
     success: function () {
       	cacheimgstring=getimgurl.getResponseHeader(\'Cache-Control\');
       	/* alert(\'img:\'+getimgurl.getAllResponseHeaders()); */
@@ -328,6 +332,7 @@ jQuery(document).ready(function() {
   var compjsstring;
   getjsurl = $.ajax({
     type: "GET",
+	data: { token: \'notrequired\' },
     url: \''.DOL_URL_ROOT.'/core/js/lib_rare.js\',
     cache: false,
     /* async: false, */
@@ -367,6 +372,7 @@ jQuery(document).ready(function() {
   var compjsphpstring;
   getjsphpurl = $.ajax({
     type: "GET",
+	data: { token: \''.currentToken().'\' },
     url: \''.DOL_URL_ROOT.'/core/js/lib_head.js.php\',
     cache: false,
     /* async: false, */
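Review bot: The added `data:` option lines in every hunk of this file are indented with a tab while the neighbouring `type:`/`url:` lines use four spaces, so the generated JavaScript has mixed indentation; align them with their neighbours, e.g. `    data: { token: \''.currentToken().'\' },`. The `currentToken()` value is spliced into a JS string literal without `dol_escape_js`, which is only safe while tokens stay alphanumeric — I cannot confirm that from here. The `token: 'notrequired'` sent with the static CSS, image and JS requests is inert (those files are served without running main.inc.php), so a one-line comment such as `/* token only for consistency; static files never reach the CSRF check */` would stop a reader from looking for a reason.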

+ 8 - 5
htdocs/blockedlog/admin/blockedlog_list.php

@@ -613,8 +613,10 @@ jQuery(document).ready(function () {
 		var fk_block = $(this).attr("data-blockid");
 
 		$.ajax({
-			url:"../ajax/block-info.php?id="+fk_block
-			,dataType:"html"
+			method: "GET",
+			data: { token: \''.currentToken().'\' },
+			url: "'.DOL_URL_ROOT.'/blockedlog/ajax/block-info.php?id="+fk_block,
+			dataType: "html"
 		}).done(function(data) {
 			jQuery("#dialogforpopup").html(data);
 		});
@@ -630,10 +632,11 @@ if (!empty($conf->global->BLOCKEDLOG_USE_REMOTE_AUTHORITY) && !empty($conf->glob
 		<script type="text/javascript">
 
 			$.ajax({
-				url : "<?php echo dol_buildpath('/blockedlog/ajax/check_signature.php', 1) ?>"
-				,dataType:"html"
+				method: "GET",
+				data: { token: '<?php echo currentToken() ?>' },
+				url: '<?php echo DOL_URL_ROOT.'/blockedlog/ajax/check_signature.php' ?>',
+				dataType: 'html'
 			}).done(function(data) {
-
 				if(data == 'hashisok') {
 					$('#blockchainstatus').html('<?php echo $langs->trans('AuthorityReconizeFingerprintConformity').' '.img_picto($langs->trans('SignatureOK'), 'on') ?>');
 				}
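Review bot: On the new `url:` line of the first hunk, `fk_block` (read from a `data-blockid` attribute) is concatenated into the query string without encoding; pass it through the `data` object so jQuery URL-encodes it: `data: { id: fk_block, token: \''.currentToken().'\' },` together with `url: "'.DOL_URL_ROOT.'/blockedlog/ajax/block-info.php",`. The response is injected verbatim with `.html(data)`, so block-info.php must escape everything it prints; that script is outside this diff. Both `$.ajax` calls sit inside handlers whose bodies continue outside the hunks.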

+ 3 - 3
htdocs/contact/list.php

@@ -375,13 +375,13 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = p.fk_pays";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_stcommcontact as st ON st.id = p.fk_stcommcontact";
-if (!empty($search_categ)) {
+if (!empty($search_categ) && $search_categ != '-1') {
 	$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_contact as cc ON p.rowid = cc.fk_socpeople"; // We need this table joined to the select in order to filter by categ
 }
-if (!empty($search_categ_thirdparty)) {
+if (!empty($search_categ_thirdparty) && $search_categ_thirdparty != '-1') {
 	$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_societe as cs ON s.rowid = cs.fk_soc"; // We need this table joined to the select in order to filter by categ
 }
-if (!empty($search_categ_supplier)) {
+if (!empty($search_categ_supplier) && $search_categ_supplier != '-1') {
 	$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_fournisseur as cs2 ON s.rowid = cs2.fk_soc"; // We need this table joined to the select in order to filter by categ
 }
 if (!$user->rights->societe->client->voir && !$socid) {
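Review bot: The three JOINs are now skipped when the filter is '-1', but the WHERE clauses that consume `$search_categ`, `$search_categ_thirdparty` and `$search_categ_supplier` are outside this hunk; if they still test only `!empty(...)` before referencing `cc`, `cs` or `cs2`, a value of '-1' yields SQL that names an alias that was never joined. Either apply the same guard there or normalise once before building the query, e.g. `if ($search_categ == '-1') { $search_categ = ''; }`, and leave the existing `!empty()` tests as they are. `!= '-1'` is a loose comparison; depending on how GETPOST returns these values, `(string) $search_categ !== '-1'` would make the intent explicit.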

+ 1 - 3
htdocs/core/ajax/pingresult.php

@@ -48,9 +48,7 @@ $hash_algo = GETPOST('hash_algo', 'alpha');
 
 
 // Security check
-if (!empty($user->socid)) {
-	$socid = $user->socid;
-}
+// None.
 
 $now = dol_now();
 

+ 2 - 5
htdocs/core/class/html.form.class.php

@@ -8628,14 +8628,11 @@ class Form
 
 									if ($("select[name='.$target.']").val() == '.$obj->id.') {
 										// get price of kilometer to fill the unit price
-										var data = '.json_encode($params).';
-										data.fk_c_exp_tax_cat = $(this).val();
-
 										$.ajax({
 											method: "POST",
 											dataType: "json",
-											data: data,
-											url: "'.(DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php').'",
+											data: { fk_c_exp_tax_cat: $(this).val(), token: \''.currentToken().'\' },
+											url: "'.(DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php?'.$params).'",
 										}).done(function( data, textStatus, jqXHR ) {
 											console.log(data);
 											if (typeof data.up != "undefined") {
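Review bot: The new `url:` line appends `$params` straight onto the query string, yet the removed `json_encode($params)` line shows it was an array/object; concatenating an array in PHP produces the literal string "Array" (plus a notice), so the request would silently lose its parameters. If `$params` is still an array it needs serialising, e.g. `url: "'.DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php?'.http_build_query($params).'",`, or better, keep it in the POST `data` object next to `fk_c_exp_tax_cat` and `token`. If the caller now supplies a pre-built query string, that type change belongs in the method's docblock, which is outside this hunk.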

+ 1 - 1
htdocs/core/js/lib_notification.js.php

@@ -153,7 +153,7 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP
 						// Update status of all notifications we sent on browser (listofreminderids)
 						console.log("Flag notification as done for listofreminderids="+listofreminderids);
 						$.ajax("<?php print DOL_URL_ROOT.'/core/ajax/check_notifications.php?action=stopreminder&listofreminderids='; ?>"+listofreminderids, {
-							type: "post",   // Usually post or get
+							type: "POST",   // Usually post or get
 							async: true,
 							data: { time_js_next_test: time_js_next_test, token: 'notrequired' }
 						});
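Review bot: This request is a POST whose unchanged `data` line sends `token: 'notrequired'`, and the main.inc.php change in this same commit now treats 'notrequired' as a missing token on every POST, so `check_notifications.php?action=stopreminder` will be refused unless that script defines NOCSRFCHECK — which I cannot see from here. If it does not, the data line should carry the real token: `data: { time_js_next_test: time_js_next_test, token: '<?php echo currentToken(); ?>' }`, assuming the session is available when this .js.php is rendered. The "post" to "POST" change is cosmetic; jQuery accepts either spelling.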

+ 5 - 2
htdocs/core/tpl/ajax/fileupload_main.tpl.php

@@ -63,8 +63,11 @@ $(function () {
 					"<?php echo $langs->trans('Ok'); ?>": function() {
 						$( "#confirm-delete" ).dialog( "close" );
 						if (data.url) {
-							$.ajax(data)
-								.success(function (data) {
+							$.ajax({
+								method: "POST",
+								data: { token: '<?php echo currentToken(); ?>' },
+								url: data.url
+							}).success(function (data) {
 									if (data) {
 										that._adjustMaxNumberOfFiles(1);
 										$(this).fadeOut(function () {
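Review bot: The rewritten `$.ajax({ method: "POST", ... url: data.url })` discards everything else in the `data` descriptor the original passed whole — notably any `type`/`method` (file deletions in this plugin are often sent as DELETE) and `dataType` — so the server may now receive a POST it does not expect; merge instead of replacing: `data.data = $.extend({}, data.data, { token: '<?php echo currentToken(); ?>' });` followed by `$.ajax(data)`, unless you have confirmed the descriptor holds only `url`. Separately, `.success()` was removed in jQuery 3; `.done(function (data) {` is the forward-compatible form. The dialog handler continues outside the hunk.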

+ 2 - 1
htdocs/loan/schedule.php

@@ -196,9 +196,10 @@ $(document).ready(function() {
 		var capital=price2numjs($(idcap).val());
 		console.log("Change montly amount echeance="+echeance+" idcap="+idcap+" capital="+capital);
 		$.ajax({
+			  method: "GET",
 			  dataType: 'json',
 			  url: 'calcmens.php',
-			  data: { echeance: echeance, mens: mens, capital:capital, rate:<?php echo $object->rate / 100; ?> , nbterm : <?php echo $object->nbterm; ?>},
+			  data: { echeance: echeance, mens: mens, capital:capital, rate:<?php echo $object->rate / 100; ?>, nbterm: <?php echo $object->nbterm; ?>, token: '<?php echo currentToken(); ?>' },
 			  success: function(data) {
 				$.each(data, function(index, element) {
 					var idcap_res='#hi_capital'+index;
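Review bot: The `url: 'calcmens.php'` line is still a relative path while every other hunk in this commit moved to `DOL_URL_ROOT`; use `url: '<?php echo DOL_URL_ROOT; ?>/loan/calcmens.php',` so the call no longer depends on the current document location. On the new `data:` line `$object->rate` and `$object->nbterm` are echoed unquoted into the JavaScript object literal; if either is empty or non-numeric the script fails to parse, so cast them (`<?php echo (float) $object->rate / 100; ?>`, `<?php echo (int) $object->nbterm; ?>`). The change handler continues outside the hunk.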

+ 10 - 7
htdocs/main.inc.php

@@ -469,13 +469,15 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
 		$sensitiveget = true;
 	}
 
-	// Check all cases that need a mandatory token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
+	// Check a token is provided for all cases that need a mandatory token
+	// (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
 	if (
 		$_SERVER['REQUEST_METHOD'] == 'POST' ||
 		$sensitiveget ||
 		((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN'))
 	) {
-		if (!GETPOST('token', 'alpha')) {		// If token is not provided or empty
+		// If token is not provided or empty, error (we are in case it is mandatory)
+		if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
 			if (GETPOST('uploadform', 'int')) {
 				dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large.");
 				$langs->loadLangs(array("errors", "install"));
@@ -497,7 +499,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
 
 	$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
 	// TODO Get the sessiontokenforthisurl into the array of session token
-	if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
+	if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
 		dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
 		//print 'Unset POST by CSRF protection in main.inc.php.';	// Do not output anything because this create problems when using the BACK button on browsers.
 		setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
@@ -3205,16 +3207,17 @@ if (!function_exists("llxFooter")) {
 										  country_code: '<?php echo $mysoc->country_code ? dol_escape_js($mysoc->country_code) : 'unknown'; ?>',
 										  php_version: '<?php echo dol_escape_js(phpversion()); ?>',
 										  os_version: '<?php echo dol_escape_js(version_os('smr')); ?>',
-										  distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>'
+										  distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>',
+										  token: 'notrequired'
 									  },
 									  success: function (data, status, xhr) {   // success callback function (data contains body of response)
-											  console.log("Ping ok");
+											console.log("Ping ok");
 											$.ajax({
 												method: 'GET',
 												url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
 												timeout: 500,     // timeout milliseconds
 												cache: false,
-												data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok' },	// for update
+												data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok', token: 'notrequired' },	// for update
 											  });
 									  },
 									  error: function (data,status,xhr) {   // error callback function
@@ -3224,7 +3227,7 @@ if (!function_exists("llxFooter")) {
 												  url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
 												  timeout: 500,     // timeout milliseconds
 												  cache: false,
-												  data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko' },
+												  data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko', token: 'notrequired' },
 												});
 									  }
 								});
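Review bot: The new sentinel is compared in two places with different filters — `GETPOST('token', 'alpha')` on the first changed `if`, bare `GETPOST('token')` on the second — and with loose `==`/`!=`; compute it once, `$tokenisnotrequired = (GETPOST('token', 'alpha') === 'notrequired');`, and use that in both conditions. The behaviour deserves a comment because a reader will otherwise suspect a CSRF bypass: on a mandatory path (POST, sensitive GET, or action/massaction with CSRFCHECK_WITH_TOKEN) the sentinel is treated as a missing token and refused, while elsewhere it is treated like an omitted token, which already skipped the mismatch test — so nothing that was refused before becomes accepted. The unchanged syslog line after the second `if` writes both the submitted token and `$_SESSION['token']` to the log at WARNING level; that predates this commit but is worth revisiting while this code is being touched. The `token: 'notrequired'` added to the two pingresult.php GETs matches pingresult.php dropping its own check in this commit.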

+ 1 - 1
htdocs/public/notice.php

@@ -18,7 +18,7 @@
 /**
  *	\file       htdocs/public/notice.php
  *	\brief      Dolibarr page to show a notice.
- *              Default notice is a message to say network connection is off.
+ *              Default notice is a message to say network connection is off or show another message.
  *              You can also call this page with URL:
  *                /public/notice.php?lang=xx_XX&transkey=translation_key  (key must be inside file main.lang, error.lang or other.lang)
  *                /public/notice.php?transphrase=url_encoded_sentence_to_show

+ 10 - 10
htdocs/takepos/floors.php

@@ -154,10 +154,10 @@ function updateplace(idplace, left, top) {
 	console.log("updateplace idplace="+idplace+" left="+left+" top="+top);
 	$.ajax({
 		type: "POST",
-		url: "floors.php",
-		data: { action: "update", left: left, top: top, place: idplace }
-		}).done(function( msg ) {
-		window.location.href='floors.php?mode=edit&floor=<?php echo $floor; ?>';
+		url: "<?php echo DOL_URL_ROOT.'/takepos/floors.php'; ?>",
+		data: { action: "update", left: left, top: top, place: idplace, token: '<?php echo currentToken(); ?>' }
+	}).done(function( msg ) {
+		window.location.href='floors.php?mode=edit&floor=<?php echo urlencode($floor); ?>';
 	});
 }
 
@@ -166,12 +166,12 @@ function updatename(rowid) {
 	console.log("updatename rowid="+rowid+" after="+after);
 	$.ajax({
 		type: "POST",
-		url: "floors.php",
-		data: { action: "updatename", place: rowid, newname: after }
-		}).done(function( msg ) {
-		window.location.href='floors.php?mode=edit&floor=<?php echo $floor; ?>';
-		});
-	}
+		url: "<?php echo DOL_URL_ROOT.'/takepos/floors.php'; ?>",
+		data: { action: "updatename", place: rowid, newname: after, token: '<?php echo currentToken(); ?>' }
+	}).done(function( msg ) {
+		window.location.href='floors.php?mode=edit&floor=<?php echo urlencode($floor); ?>';
+	});
+}
 
 function LoadPlace(place){
 	parent.location.href='index.php?place='+place;
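Review bot: Both `.done` callbacks redirect unconditionally, so if the server refused the POST (for example main.inc.php cancelling the action on a rejected token and only queueing a warning message) the page still reloads and the user sees an unchanged layout with no indication why; add a `.fail()` handler and, if the response format allows it, inspect `msg` before navigating. The redirect target is also written as relative `floors.php` while the new `url:` lines use `DOL_URL_ROOT`; use the same form in both: `window.location.href='<?php echo DOL_URL_ROOT; ?>/takepos/floors.php?mode=edit&floor=<?php echo urlencode($floor); ?>';`. `LoadPlace` and the rest of the script continue outside the hunk.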

+ 5 - 2
htdocs/takepos/index.php

@@ -705,6 +705,7 @@ function OpenDrawer(){
 	console.log("OpenDrawer call ajax url http://<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>:8111/print");
 	$.ajax({
 		type: "POST",
+		data: { token: 'notrequired' },
 		<?php
 		if (filter_var($conf->global->TAKEPOS_PRINT_SERVER, FILTER_VALIDATE_URL) == true) {
 			echo "url: '".$conf->global->TAKEPOS_PRINT_SERVER."/printer/drawer.php',";
@@ -717,10 +718,11 @@ function OpenDrawer(){
 }
 
 function DolibarrOpenDrawer() {
-	console.log("DolibarrOpenDrawer call ajax url /takepos/ajax/ajax.php?action=opendrawer&term=<?php print $_SESSION["takeposterminal"] ?>");
+	console.log("DolibarrOpenDrawer call ajax url /takepos/ajax/ajax.php?action=opendrawer&term=<?php print urlencode($_SESSION["takeposterminal"]); ?>");
 	$.ajax({
 		type: "GET",
-		url: "<?php print dol_buildpath('/takepos/ajax/ajax.php', 1).'?action=opendrawer&term='.$_SESSION["takeposterminal"]; ?>",
+		data: { token: '<?php echo currentToken(); ?>' },
+		url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=opendrawer&term='.urlencode($_SESSION["takeposterminal"]); ?>",
 	});
 }
 
@@ -777,6 +779,7 @@ function WeighingScale(){
 	console.log("Weighing Scale");
 	$.ajax({
 		type: "POST",
+		data: { token: 'notrequired' },
 		url: '<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>/scale/index.php',
 	})
 	.done(function( editnumber ) {
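Review bot: The two `data: { token: 'notrequired' }` lines are sent to `TAKEPOS_PRINT_SERVER`, an external printer/scale service, where Dolibarr's main.inc.php sentinel has no meaning; either drop them or annotate them, e.g. `// 'notrequired' is only interpreted by Dolibarr; inert for the external print server`. In `OpenDrawer` the server URL is echoed into a JavaScript string literal from configuration (`echo "url: '".$conf->global->TAKEPOS_PRINT_SERVER."/printer/drawer.php',"`, unchanged context) with `FILTER_VALIDATE_URL` as the only check and no `dol_escape_js`; the value is admin-controlled, but a stray quote would break the script. Both function bodies continue outside the hunks.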

+ 3 - 2
htdocs/takepos/invoice.php

@@ -1000,7 +1000,7 @@ function TakeposPrinting(id){
 
 function TakeposConnector(id){
 	console.log("TakeposConnector" + id);
-	$.get("ajax/ajax.php?action=printinvoiceticket&term=<?php echo $_SESSION["takeposterminal"]; ?>&id="+id, function(data, status){
+	$.get("<?php echo DOL_URL_ROOT; ?>/takepos/ajax/ajax.php?action=printinvoiceticket&term=<?php echo urlencode($_SESSION["takeposterminal"]); ?>&id="+id+"&token=<?php echo currentToken(); ?>", function(data, status) {
 		$.ajax({
 			type: "POST",
 			url: '<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>/printer/index.php',
@@ -1013,7 +1013,8 @@ function DolibarrTakeposPrinting(id) {
 	console.log("DolibarrTakeposPrinting Printing invoice ticket " + id)
 	$.ajax({
 		type: "GET",
-		url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=printinvoiceticket&term='.$_SESSION["takeposterminal"].'&id='; ?>" + id,
+		data: { token: '<?php echo currentToken(); ?>' },
+		url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=printinvoiceticket&term='.urlencode($_SESSION["takeposterminal"]).'&id='; ?>" + id,
 	});
 }
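Review bot: In `TakeposConnector` the rewritten `$.get(...)` line still concatenates `id` into the URL without `encodeURIComponent`, and `DolibarrTakeposPrinting` does the same on its `url:` line; use the data form jQuery encodes for you: `$.get("<?php echo DOL_URL_ROOT; ?>/takepos/ajax/ajax.php", { action: "printinvoiceticket", term: "<?php echo dol_escape_js($_SESSION["takeposterminal"]); ?>", id: id, token: "<?php echo currentToken(); ?>" }, function(data, status) {`. `id` looks like a numeric invoice id, but its origin is not visible in this hunk, so moving it into `data` costs nothing and removes the doubt. Both function bodies continue outside the hunks.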
 

+ 4 - 1
htdocs/takepos/pay.php

@@ -236,7 +236,10 @@ if ($conf->global->TAKEPOS_NUMPAD == 0) {
 		window.open('sumupmerchant://pay/1.0?affiliate-key=<?php echo $conf->global->TAKEPOS_SUMUP_AFFILIATE ?>&app-id=<?php echo $conf->global->TAKEPOS_SUMUP_APPID ?>&total=' + amountpayed + '&currency=EUR&title=' + invoiceid + '&callback=<?php echo DOL_MAIN_URL_ROOT ?>/takepos/smpcb.php');
 
 		var loop = window.setInterval(function () {
-			$.ajax('<?php echo DOL_URL_ROOT ?>/takepos/smpcb.php?status').done(function (data) {
+			$.ajax({
+				method: 'POST',
+				data: { token: '<?php echo currentToken(); ?>' },
+				url: '<?php echo DOL_URL_ROOT ?>/takepos/smpcb.php?status' }).done(function (data) {
 				console.log(data);
 				if (data === "SUCCESS") {
 					parent.$("#poslines").load("invoice.php?place=<?php echo $place; ?>&action=valid&pay=CB&amount=" + amountpayed + "&invoiceid=" + invoiceid, function () {
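Review bot: The polling call now POSTs `smpcb.php?status` with a token, but the `parent.$("#poslines").load("invoice.php?place=...&action=valid&pay=CB&amount=" + ...)` on the last context line is where the state actually changes (invoice validation and payment), and it is a GET with no token; if invoice.php enables CSRFCHECK_WITH_TOKEN that request is cancelled, and if it does not, it remains a state-changing GET — either way it should carry `&token=<?php echo currentToken(); ?>` like the rest of this commit. `$place`, `amountpayed` and `invoiceid` are also interpolated into that URL unencoded (unchanged context). The `setInterval` callback continues outside the hunk.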

+ 2 - 1
htdocs/takepos/send.php

@@ -97,7 +97,8 @@ top_htmlhead($head, $title, $disablejs, $disablehead, $arrayofjs, $arrayofcss);
 function SendMail() {
 	$.ajax({
 		type: "GET",
-		url: "<?php print dol_buildpath('/takepos/send.php', 1).'?action=send&facid='.$facid.'&email='; ?>" + $("#email"). val(),
+		data: { token: '<?php echo currentToken(); ?>' },
+		url: "<?php print DOL_URL_ROOT.'/takepos/send.php?action=send&facid='.$facid.'&email='; ?>" + $("#email"). val(),
 	});
 	parent.$.colorbox.close();
 }
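Review bot: The new `url:` line still concatenates `$("#email").val()` into the query string unencoded, so an address containing `+` or `&` (both legal in a local part) is altered or truncated before reaching `send.php`; move it into the data object so jQuery encodes it: `data: { token: '<?php echo currentToken(); ?>', email: $("#email").val() },` with `url: "<?php print DOL_URL_ROOT.'/takepos/send.php?action=send&facid='.((int) $facid); ?>",`. The call is fire-and-forget — the colorbox closes on the next line — so a rejected token or a failed send is never surfaced; a `.done()`/`.fail()` pair reporting the outcome would help. `$facid` is echoed raw; the `(int)` cast assumes it is an id, which is not visible here.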