|
@@ -72,7 +72,7 @@ function realCharForNumericEntities($matches)
|
|
|
return chr((int) $newstringnumentity);
|
|
|
}
|
|
|
|
|
|
- return '&#'.$matches[1]; // Value will be unchanged because regex was /&#( )/
|
|
|
+ return '&#'.$matches[1]; // Value will be unchanged because regex was /&#( )/
|
|
|
}
|
|
|
|
|
|
/**
|
|
@@ -94,7 +94,7 @@ function testSqlAndScriptInject($val, $type)
|
|
|
do {
|
|
|
$oldval = $val;
|
|
|
$val = html_entity_decode($val, ENT_QUOTES | ENT_HTML5);
|
|
|
- $val = preg_replace_callback('/&#(x?[0-9][0-9a-f]+)/i', 'realCharForNumericEntities', $val); // Sometimes we have entities without the ; at end so html_entity_decode does not work but entities is still interpreted by browser.
|
|
|
+ $val = preg_replace_callback('/&#(x?[0-9][0-9a-f]+)/i', 'realCharForNumericEntities', $val); // Sometimes we have entities without the ; at end so html_entity_decode does not work but entities is still interpreted by browser.
|
|
|
} while ($oldval != $val);
|
|
|
//print "after decoding $val\n";
|
|
|
|
|
@@ -454,7 +454,7 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
|
|
|
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
|
|
|
$token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
|
|
|
$_SESSION['newtoken'] = $token;
|
|
|
- dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
|
|
|
+ dol_syslog("NEW TOKEN generated by : ".$_SERVER['PHP_SELF'], LOG_DEBUG);
|
|
|
}
|
|
|
}
|
|
|
}
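Review bot: The token stored in $_SESSION['newtoken'] a few lines above the reformatted syslog call is built from `uniqid(mt_rand(), false)` passed through md5, and the comment says a secure hash is not needed; a CSRF token has to be unguessable, and neither mt_rand() nor uniqid() is a cryptographic source. Since this is the value the check further down compares against the submitted token, it should come from a CSPRNG, e.g. `$token = bin2hex(random_bytes(16));`, and the comment should state that the token must be unpredictable rather than merely changing. The hashing step adds nothing once the input is already random and can be dropped. The enclosing if block starts outside the hunk.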
|
|
@@ -494,20 +494,20 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
|
|
|
// If token is not provided or empty, error (we are in case it is mandatory)
|
|
|
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
|
|
|
if (GETPOST('uploadform', 'int')) {
|
|
|
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large.");
|
|
|
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large.");
|
|
|
$langs->loadLangs(array("errors", "install"));
|
|
|
print $langs->trans("ErrorFileSizeTooLarge").' ';
|
|
|
print $langs->trans("ErrorGoBackAndCorrectParameters");
|
|
|
die;
|
|
|
} else {
|
|
|
if (defined('CSRFCHECK_WITH_TOKEN')) {
|
|
|
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (CSRFCHECK_WITH_TOKEN protection) in main.inc.php. Token not provided.", LOG_WARNING);
|
|
|
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (CSRFCHECK_WITH_TOKEN protection) in main.inc.php. Token not provided.", LOG_WARNING);
|
|
|
print "Access to a page that needs a token (constant CSRFCHECK_WITH_TOKEN is defined) is refused by CSRF protection in main.inc.php. Token not provided.\n";
|
|
|
} else {
|
|
|
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (POST method or GET with a sensible value for 'action' parameter) in main.inc.php. Token not provided.", LOG_WARNING);
|
|
|
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (POST method or GET with a sensible value for 'action' parameter) in main.inc.php. Token not provided.", LOG_WARNING);
|
|
|
print "Access to this page this way (POST method or GET with a sensible value for 'action' parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n";
|
|
|
print "If you access your server behind a proxy using url rewriting and the parameter is provided by caller, you might check that all HTTP header are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0";
|
|
|
- if (! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) {
|
|
|
+ if (!empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) {
|
|
|
print " instead of ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN;
|
|
|
}
|
|
|
print " into setup).\n";
|
|
@@ -520,7 +520,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
|
|
|
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
|
|
|
// TODO Get the sessiontokenforthisurl into the array of session token
|
|
|
if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
|
|
|
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
|
|
|
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
|
|
|
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
|
|
|
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
|
|
|
//if ($conf->global->MAIN_FEATURES_LEVEL >= 1) setEventMessages('Unset POST and GET params by CSRF protection in main.inc.php (Token provided was not generated by the previous page).'."<br>\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings');
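Review bot: The reformatted dol_syslog call writes both the client-supplied token and `$_SESSION['token']` verbatim at LOG_WARNING, so the live session CSRF token lands in log files that are typically readable more widely than the session store; log only the fact that they differ, or at most a short prefix of each. The same line reads `$_SERVER['HTTP_REFERER']` with no presence check even though REQUEST_METHOD on that line is guarded with empty(); Referer is an optional header, so this produces an undefined-index notice, and `(empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'])` matches the existing pattern. The comparison on the preceding context line uses `!=`; for a secret equality test `!hash_equals($sessiontokenforthisurl, (string) GETPOST('token', 'alpha'))` avoids loose type juggling and timing leaks. The enclosing if block continues past the end of the hunk.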
|
|
@@ -785,7 +785,7 @@ if (!defined('NOLOGIN')) {
|
|
|
// End test login / passwords
|
|
|
if (!$login || (in_array('ldap', $authmode) && empty($passwordtotest))) { // With LDAP we refused empty password because some LDAP are "opened" for anonymous access so connexion is a success.
|
|
|
// No data to test login, so we show the login page.
|
|
|
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." - action=".GETPOST('action', 'aZ09')." - actionlogin=".GETPOST('actionlogin', 'aZ09')." - showing the login form and exit", LOG_INFO);
|
|
|
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." - action=".GETPOST('action', 'aZ09')." - actionlogin=".GETPOST('actionlogin', 'aZ09')." - showing the login form and exit", LOG_INFO);
|
|
|
if (defined('NOREDIRECTBYMAINTOLOGIN')) {
|
|
|
return 'ERROR_NOT_LOGGED';
|
|
|
} else {
|
|
@@ -1176,7 +1176,7 @@ if (!defined('NOLOGIN')) {
|
|
|
$user->getrights();
|
|
|
}
|
|
|
|
|
|
-dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09').(defined('NOTOKENRENEWAL') ? ' NOTOKENRENEWAL='.constant('NOTOKENRENEWAL') : ''), LOG_NOTICE);
|
|
|
+dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09').(defined('NOTOKENRENEWAL') ? ' NOTOKENRENEWAL='.constant('NOTOKENRENEWAL') : ''), LOG_NOTICE);
|
|
|
//Another call for easy debugg
|
|
|
//dol_syslog("Access to ".$_SERVER["PHP_SELF"].' '.$_SERVER["HTTP_REFERER"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
|
|
|
|
|
@@ -2281,7 +2281,7 @@ function top_menu_quickadd()
|
|
|
<!-- Thirdparty link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/societe/card.php?action=create" title="'.$langs->trans("MenuNewThirdParty").'">
|
|
|
- '. img_picto('', 'object_company') .'<br>'. $langs->trans("ThirdParty") .'</a>
|
|
|
+ '. img_picto('', 'object_company').'<br>'.$langs->trans("ThirdParty").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2292,7 +2292,7 @@ function top_menu_quickadd()
|
|
|
<!-- Contact link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/contact/card.php?action=create" title="'.$langs->trans("NewContactAddress").'">
|
|
|
- '. img_picto('', 'object_contact') .'<br>'. $langs->trans("Contact") .'</a>
|
|
|
+ '. img_picto('', 'object_contact').'<br>'.$langs->trans("Contact").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2303,7 +2303,7 @@ function top_menu_quickadd()
|
|
|
<!-- Propal link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/comm/propal/card.php?action=create" title="'.$langs->trans("NewPropal").'">
|
|
|
- '. img_picto('', 'object_propal') .'<br>'. $langs->trans("Proposal") .'</a>
|
|
|
+ '. img_picto('', 'object_propal').'<br>'.$langs->trans("Proposal").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2314,7 +2314,7 @@ function top_menu_quickadd()
|
|
|
<!-- Order link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/commande/card.php?action=create" title="'.$langs->trans("NewOrder").'">
|
|
|
- '. img_picto('', 'object_order') .'<br>'. $langs->trans("Order") .'</a>
|
|
|
+ '. img_picto('', 'object_order').'<br>'.$langs->trans("Order").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2325,7 +2325,7 @@ function top_menu_quickadd()
|
|
|
<!-- Invoice link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/compta/facture/card.php?action=create" title="'.$langs->trans("NewBill").'">
|
|
|
- '. img_picto('', 'object_bill') .'<br>'. $langs->trans("Bill") .'</a>
|
|
|
+ '. img_picto('', 'object_bill').'<br>'.$langs->trans("Bill").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2336,7 +2336,7 @@ function top_menu_quickadd()
|
|
|
<!-- Contract link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/compta/facture/card.php?action=create" title="'.$langs->trans("NewContractSubscription").'">
|
|
|
- '. img_picto('', 'object_contract') .'<br>'. $langs->trans("Contract") .'</a>
|
|
|
+ '. img_picto('', 'object_contract').'<br>'.$langs->trans("Contract").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
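Review bot: The Contract quick-add anchor two lines above the reformatted line has href `/compta/facture/card.php`, the same invoice card path used by the Invoice block earlier in this function, while its title is `NewContractSubscription` and its picto is `object_contract`; this looks like a copy-paste slip and presumably should point at the contract module's card page instead. Worth confirming against that module's actual card path before changing it. top_menu_quickadd starts and ends outside the hunk.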
|
|
@@ -2347,7 +2347,7 @@ function top_menu_quickadd()
|
|
|
<!-- Supplier proposal link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/supplier_proposal/card.php?action=create" title="'.$langs->trans("NewAskPrice").'">
|
|
|
- '. img_picto('', 'object_propal') .'<br>'. $langs->trans("AskPrice") .'</a>
|
|
|
+ '. img_picto('', 'object_propal').'<br>'.$langs->trans("AskPrice").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2358,7 +2358,7 @@ function top_menu_quickadd()
|
|
|
<!-- Supplier order link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/fourn/commande/card.php?action=create" title="'.$langs->trans("NewSupplierOrderShort").'">
|
|
|
- '. img_picto('', 'object_order') .'<br>'. $langs->trans("SupplierOrder") .'</a>
|
|
|
+ '. img_picto('', 'object_order').'<br>'.$langs->trans("SupplierOrder").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2369,7 +2369,7 @@ function top_menu_quickadd()
|
|
|
<!-- Supplier invoice link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/fourn/facture/card.php?action=create" title="'.$langs->trans("NewBill").'">
|
|
|
- '. img_picto('', 'object_bill') .'<br>'. $langs->trans("SupplierBill") .'</a>
|
|
|
+ '. img_picto('', 'object_bill').'<br>'.$langs->trans("SupplierBill").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2380,7 +2380,7 @@ function top_menu_quickadd()
|
|
|
<!-- Product link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/product/card.php?action=create&type=0" title="'.$langs->trans("NewProduct").'">
|
|
|
- '. img_picto('', 'object_product') .'<br>'. $langs->trans("Product") .'</a>
|
|
|
+ '. img_picto('', 'object_product').'<br>'.$langs->trans("Product").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2391,7 +2391,7 @@ function top_menu_quickadd()
|
|
|
<!-- Service link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/product/card.php?action=create&type=1" title="'.$langs->trans("NewService").'">
|
|
|
- '. img_picto('', 'object_service') .'<br>'. $langs->trans("Service") .'</a>
|
|
|
+ '. img_picto('', 'object_service').'<br>'.$langs->trans("Service").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2402,7 +2402,7 @@ function top_menu_quickadd()
|
|
|
<!-- Expense report link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/expensereport/card.php?action=create&fk_user_author='.$user->id.'" title="'.$langs->trans("AddTrip").'">
|
|
|
- '. img_picto('', 'object_trip') .'<br>'. $langs->trans("ExpenseReport") .'</a>
|
|
|
+ '. img_picto('', 'object_trip').'<br>'.$langs->trans("ExpenseReport").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2413,7 +2413,7 @@ function top_menu_quickadd()
|
|
|
<!-- Holiday link -->
|
|
|
<div class="quickaddblock center">
|
|
|
<a class="quickadddropdown-icon-link" href="'.DOL_URL_ROOT.'/holiday/card.php?action=create&fuserid='.$user->id.'" title="'.$langs->trans("AddCP").'">
|
|
|
- '. img_picto('', 'object_holiday') .'<br>'. $langs->trans("Holidays") .'</a>
|
|
|
+ '. img_picto('', 'object_holiday').'<br>'.$langs->trans("Holidays").'</a>
|
|
|
</div>
|
|
|
';
|
|
|
}
|
|
@@ -2858,12 +2858,12 @@ function left_menu($menu_array_before, $helppagename = '', $notused = '', $menu_
|
|
|
$bugbaseurl .= urlencode("[*Short description*]\n");
|
|
|
$bugbaseurl .= urlencode("\n");
|
|
|
$bugbaseurl .= urlencode("## Environment\n");
|
|
|
- $bugbaseurl .= urlencode("- **Version**: " . DOL_VERSION . "\n");
|
|
|
- $bugbaseurl .= urlencode("- **OS**: " . php_uname('s') . "\n");
|
|
|
- $bugbaseurl .= urlencode("- **Web server**: " . $_SERVER["SERVER_SOFTWARE"] . "\n");
|
|
|
- $bugbaseurl .= urlencode("- **PHP**: " . php_sapi_name() . ' ' . phpversion() . "\n");
|
|
|
- $bugbaseurl .= urlencode("- **Database**: " . $db::LABEL . ' ' . $db->getVersion() . "\n");
|
|
|
- $bugbaseurl .= urlencode("- **URL(s)**: " . $_SERVER["REQUEST_URI"] . "\n");
|
|
|
+ $bugbaseurl .= urlencode("- **Version**: ".DOL_VERSION."\n");
|
|
|
+ $bugbaseurl .= urlencode("- **OS**: ".php_uname('s')."\n");
|
|
|
+ $bugbaseurl .= urlencode("- **Web server**: ".$_SERVER["SERVER_SOFTWARE"]."\n");
|
|
|
+ $bugbaseurl .= urlencode("- **PHP**: ".php_sapi_name().' '.phpversion()."\n");
|
|
|
+ $bugbaseurl .= urlencode("- **Database**: ".$db::LABEL.' '.$db->getVersion()."\n");
|
|
|
+ $bugbaseurl .= urlencode("- **URL(s)**: ".$_SERVER["REQUEST_URI"]."\n");
|
|
|
$bugbaseurl .= urlencode("\n");
|
|
|
$bugbaseurl .= urlencode("## Expected and actual behavior\n");
|
|
|
$bugbaseurl .= urlencode("[*Verbose description*]\n");
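Review bot: The reformatted `URL(s)` line embeds `$_SERVER["REQUEST_URI"]` into a prefilled public bug-report link, and REQUEST_URI carries the full query string, which in this application includes parameters such as `token` (see the CSRF handling earlier in this diff); a user who files the issue as generated pastes their session token and any other query parameters into a public tracker. Use only the path component, e.g. `parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH)`, or strip sensitive parameters before embedding. The `Web server` line also reads `$_SERVER["SERVER_SOFTWARE"]` without a presence check, which is not set under every SAPI. left_menu starts outside the hunk.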
|