lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CSRF

Browse Source
This commit is contained in:
Laurent Destailleur 2022-09-21 14:08:39 +02:00
parent c524a3ddc7
commit 3790551fad
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/main.inc.php
View File

@ -518,7 +518,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget = false; $sensitiveget = false;
if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) { if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
// All GET actions and mass actions are processed as sensitive. // All GET actions and mass actions are processed as sensitive.
if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'file_manager', 'presend', 'presend_addmessage'))) { // We exclude the case action='create' and action='file_manager' that are legitimate if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'edit', 'file_manager', 'presend', 'presend_addmessage'))) { // We exclude the case action='create' and action='file_manager' that are legitimate
$sensitiveget = true; $sensitiveget = true;
} }
} elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) { } elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {