lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security changes: encryption is now with instead of hard coded keys

Browse Source
This commit is contained in:
Dorian Vabre 2021-04-13 11:57:36 +02:00
parent 149aa8e81b
commit 14e64f4a33
2 changed files with 6 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/eventorganization/conferenceorbooth_card.php
View File

@ -495,12 +495,10 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
//unset($object->fields['fk_soc']); // Hide field already shown in banner //unset($object->fields['fk_soc']); // Hide field already shown in banner
global $dolibarr_main_url_root; global $dolibarr_main_url_root;
$keyforid = 'DV3PH'; $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
$encodedid = dol_encode($id, $keyforid);
$link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid; $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid;
$keyforsecurekey = 'CGLOO'; $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id);
$encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$id, $keyforsecurekey);
$link_subscription .= '&securekey='.urlencode($encodedsecurekey); $link_subscription .= '&securekey='.urlencode($encodedsecurekey);
$object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); $object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1);

10
htdocs/public/eventorganization/attendee_subscription.php
View File

@ -79,17 +79,15 @@ $email = GETPOST("email");
// Getting id from Post and decoding it // Getting id from Post and decoding it
$encodedid = GETPOST('id'); $encodedid = GETPOST('id');
$keyforid = 'DV3PH'; $id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
$id = dol_decode($encodedid, $keyforid);
// Getting 'securekey'.'id' from Post and decoding it // Getting 'securekey'.'id' from Post and decoding it
$encodedsecurekeyandid = GETPOST('securekey', 'alpha'); $encodedsecurekeyandid = GETPOST('securekey', 'alpha');
$keyforsecurekey = 'CGLOO'; $securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id);
$securekeyandid = dol_decode($encodedsecurekeyandid, $keyforsecurekey);
// Securekey decomposition into pure securekey and id added at the end // Securekey decomposition into pure securekey and id added at the end
$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($id)); $securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid));
$idgotfromsecurekey = substr($securekeyandid, -strlen($id), strlen($id)); $idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)),$dolibarr_main_instance_unique_id);
// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey // We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) { if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {