lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #21794 from hregis/fix_multicompany_security

Browse Source 
FIX security for Multicompany
This commit is contained in:
Laurent Destailleur 2022-08-18 22:24:51 +02:00 committed by GitHub
commit 2e36533a2a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 3 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/ajax/onlineSign.php
View File

@ -73,7 +73,7 @@ if ($type == 'proposal') {
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');
}
if (!dol_verifyHash($securekeyseed.$type.$ref, $SECUREKEY, '0')) {
if (!dol_verifyHash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $entity), $SECUREKEY, '0')) {
http_response_code(403);
print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
exit(-1);

2
htdocs/core/lib/signature.lib.php
View File

@ -91,7 +91,7 @@ function getOnlineSignatureUrl($mode, $type, $ref = '', $localorexternal = 1)
if ($mode == 1) {
$out .= "hash('".$securekeyseed."' + '".$type."' + proposal_ref)";
} else {
$out .= '&securekey='.dol_hash($securekeyseed.$type.$ref, '0');
$out .= '&securekey='.dol_hash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $object->entity), '0');
}
/*
if ($mode == 1) {

6
htdocs/public/onlinesign/newonlinesign.php
View File

@ -139,7 +139,7 @@ if ($source == 'proposal') {
$securekeyseed = $conf->global->PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN;
}
if (!dol_verifyHash($securekeyseed.$type.$ref, $SECUREKEY, '0')) {
if (!dol_verifyHash($securekeyseed.$type.$ref.(empty($conf->multicompany->enabled) ? '' : $entity), $SECUREKEY, '0')) {
http_response_code(403);
print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
exit(-1);
@ -292,7 +292,6 @@ if ($source == 'proposal') {
$result = $object->fetch_thirdparty($object->socid);
// Creditor
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Creditor");
print '</td><td class="CTableRow2">';
print img_picto('', 'company', 'class="pictofixedwidth"');
@ -301,7 +300,6 @@ if ($source == 'proposal') {
print '</td></tr>'."\n";
// Debitor
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("ThirdParty");
print '</td><td class="CTableRow2">';
print img_picto('', 'company', 'class="pictofixedwidth"');
@ -309,14 +307,12 @@ if ($source == 'proposal') {
print '</td></tr>'."\n";
// Amount
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Amount");
print '</td><td class="CTableRow2">';
print '<b>'.price($object->total_ttc, 0, $langs, 1, -1, -1, $conf->currency).'</b>';
print '</td></tr>'."\n";
// Object
$text = '<b>'.$langs->trans("SignatureProposalRef", $object->ref).'</b>';
print '<tr class="CTableRow2"><td class="CTableRow2">'.$langs->trans("Designation");
print '</td><td class="CTableRow2">'.$text;