lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX security for Multicompany

Browse Source
This commit is contained in:
Regis Houssin 2022-08-18 17:02:20 +02:00
parent 5de76e27b9
commit 293ad34ca8
3 changed files with 3 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/ajax/onlineSign.php
View File

@ -73,7 +73,7 @@ if ($type == 'proposal') {
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');
}
if (!dol_verifyHash($securekeyseed.$type.$ref, $SECUREKEY, '0')) {
if (!dol_verifyHash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $entity), $SECUREKEY, '0')) {
http_response_code(403);
print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
exit(-1);

2
htdocs/core/lib/signature.lib.php
View File

@ -91,7 +91,7 @@ function getOnlineSignatureUrl($mode, $type, $ref = '', $localorexternal = 1)
if ($mode == 1) {
$out .= "hash('".$securekeyseed."' + '".$type."' + proposal_ref)";
} else {
$out .= '&securekey='.dol_hash($securekeyseed.$type.$ref, '0');
$out .= '&securekey='.dol_hash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $object->entity), '0');
}
/*
if ($mode == 1) {

6
htdocs/public/onlinesign/newonlinesign.php
View File

@ -139,7 +139,7 @@ if ($source == 'proposal') {
$securekeyseed = $conf->global->PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN;
}
if (!dol_verifyHash($securekeyseed.$type.$ref, $SECUREKEY, '0')) {
if (!dol_verifyHash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $entity), $SECUREKEY, '0')) {
http_response_code(403);
print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
exit(-1);
@ -292,7 +292,6 @@ if ($source == 'proposal') {
$result = $object->fetch_thirdparty($object->socid);
// Creditor
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Creditor");
print '</td><td class="CTableRow2">';
print img_picto('', 'company', 'class="pictofixedwidth"');
@ -301,7 +300,6 @@ if ($source == 'proposal') {
print '</td></tr>'."\n";
// Debitor
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("ThirdParty");
print '</td><td class="CTableRow2">';
print img_picto('', 'company', 'class="pictofixedwidth"');
@ -309,14 +307,12 @@ if ($source == 'proposal') {
print '</td></tr>'."\n";
// Amount
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Amount");
print '</td><td class="CTableRow2">';
print '<b>'.price($object->total_ttc, 0, $langs, 1, -1, -1, $conf->currency).'</b>';
print '</td></tr>'."\n";
// Object
$text = '<b>'.$langs->trans("SignatureProposalRef", $object->ref).'</b>';
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Designation");
print '</td><td class="CTableRow2">'.$text;