탐색 도움말
로그인
iProspective
/
dolibarr
3
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
소스 검색

SEC: Add action confirm_... as sensitive to need a CSRF token

Laurent Destailleur 1 년 전
부모
2aee9fc5a9
커밋
955439a673
1개의 변경된 파일4개의 추가작업 그리고 4개의 파일을 삭제
분할 보기 변경상태 보기
  1. 4 4
      htdocs/main.inc.php

+ 4 - 4
htdocs/main.inc.php
파일 보기 

@@ -529,14 +529,14 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
 
 	}
 
 }
 
 
-//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha'));
 
+//dol_syslog("CSRF info: ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha'));
 
 
 // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page
 
 if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN')) || defined('CSRFCHECK_WITH_TOKEN')) {
 
 	// Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 
 	$sensitiveget = false;
 
 	if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
 
-		// All GET actions and mass actions are processed as sensitive.
 
+		// All GET actions (except the listed exception) and mass actions are processed as sensitive.
 
 		if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'specimen'))) {	// We exclude some action that are legitimate
 
 			$sensitiveget = true;
 
 		}
 
@@ -551,8 +551,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 
 		if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
 
 			$sensitiveget = true;
 
 		}
 
-		// We also match for value with just a simple string that must match
 
-		if (preg_match('/^(add|classify|close|confirm|copy|del|disable|enable|remove|set|unset|update|save|sepa)/', GETPOST('action', 'aZ09'))) {
 
+		// We also need a valid token for actions matching one of these values
 
+		if (preg_match('/^(confirm_)?(add|classify|close|confirm|copy|del|disable|enable|remove|set|unset|update|save)/', GETPOST('action', 'aZ09'))) {
 
 			$sensitiveget = true;
 
 		}
 
 	}