added security to suggestion page index.php (securekey and id encoded)

This commit is contained in:
Dorian Vabre 2021-04-26 10:15:28 +02:00
parent 7f9f67e7ef
commit 1b7854e698


@ -78,7 +78,23 @@ $langs->loadLangs(array("main", "other", "dict", "bills", "companies", "errors",
// No check on module enabled. Done later according to $validpaymentmethod
$action = GETPOST('action', 'aZ09');
$id = dol_decode(GETPOST('id'), $dolibarr_main_instance_unique_id);
$encodedid = GETPOST('id');
$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
// Getting 'securekey'.'id' from Post and decoding it
$encodedsecurekeyandid = GETPOST('securekey', 'alpha');
$securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id);
// Securekey decomposition into pure securekey and id added at the end
$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid));
$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)), $dolibarr_main_instance_unique_id);
// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {
print $langs->trans('MissingOrBadSecureKey');
exit;
}
// Define $urlwithroot
//$urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT,'/').'$/i','',trim($dolibarr_main_url_root));
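Review bot: The secret check on the `if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id)` line uses loose `!=`, so a decoded key that is a numeric string is compared numerically against the configured secret (e.g. `'1e3'` and `'1000'` compare equal), and string comparison also short-circuits on the first differing byte. Since this is the gate that lets an unauthenticated request reach the page, compare strictly and in constant time: `if (!hash_equals((string) $conf->global->EVENTORGANIZATION_SECUREKEY, (string) $securekey) || (string) $idgotfromsecurekey !== (string) $id) {`. The length used to split `$securekeyandid` comes from the caller-supplied `$encodedid`, which the hash_equals check tolerates, but it is worth a comment such as `// split length is derived from the request; the key comparison below must not depend on it` above the `substr` lines. The rendered hunk appears to have dropped blank lines (header counts 7/23 do not match the visible lines), so the surrounding code was not fully reviewed.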
@ -113,15 +129,6 @@ $replacemainarea = (empty($conf->dol_hide_leftmenu) ? '<div>' : '').'<div>';
llxHeader($head, $langs->trans("PaymentForm"), '', '', 0, 0, '', '', '', 'onlinepaymentbody', $replacemainarea);
// Show sandbox warning
if ((empty($paymentmethod) || $paymentmethod == 'paypal') && !empty($conf->paypal->enabled) && (!empty($conf->global->PAYPAL_API_SANDBOX) || GETPOST('forcesandbox', 'int'))) { // We can force sand box with param 'forcesandbox'
dol_htmloutput_mesg($langs->trans('YouAreCurrentlyInSandboxMode', 'Paypal'), '', 'warning');
}
if ((empty($paymentmethod) || $paymentmethod == 'stripe') && !empty($conf->stripe->enabled) && (empty($conf->global->STRIPE_LIVE) || GETPOST('forcesandbox', 'int'))) {
dol_htmloutput_mesg($langs->trans('YouAreCurrentlyInSandboxMode', 'Stripe'), '', 'warning');
}
print '<span id="dolpaymentspan"></span>'."\n";
print '<div class="center">'."\n";
print '<form id="dolpaymentform" class="center" name="paymentform" action="'.$_SERVER["PHP_SELF"].'" method="POST">'."\n";