lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #16371 from frederic34/patch-2

Browse Source 
add log for token reclaimed
This commit is contained in:
Laurent Destailleur 2021-02-22 14:22:44 +01:00 committed by GitHub
commit 2346d8e12d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
htdocs/main.inc.php
View File

@ -416,14 +416,16 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
} }
// Creation of a token against CSRF vulnerabilities // Creation of a token against CSRF vulnerabilities
if (!defined('NOTOKENRENEWAL')) if (!defined('NOTOKENRENEWAL')) {
{
// Rolling token at each call ($_SESSION['token'] contains token of previous page) // Rolling token at each call ($_SESSION['token'] contains token of previous page)
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; if (isset($_SESSION['newtoken'])) {
$_SESSION['token'] = $_SESSION['newtoken'];
}
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = newToken(); // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = newToken();
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token; $_SESSION['newtoken'] = $token;
dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
} }
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']); //dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']);
@ -457,8 +459,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
} }
} }
if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token']) if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token']) {
{
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings'); setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');