lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/core/class/html.formmail.class.php
This commit is contained in:
Laurent Destailleur 2021-01-16 13:45:34 +01:00
commit 4864808e4d
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
htdocs/core/class/html.formmail.class.php
View File

@ -855,9 +855,16 @@ class FormMail extends Form
$out .= '</script>'."\n";
if (count($listofpaths)) {
foreach ($listofpaths as $key => $val) {
$relativepathtofile = substr($val, (strlen(DOL_DATA_ROOT) - strlen($val)));
if ($conf->entity > 1) {
$relativepathtofile = str_replace($conf->entity.'/', '', $relativepathtofile);
}
// Try to extract data from full path
$formfile_params = array();
preg_match('#^(/)(\w+)(/)(.+)$#', $relativepathtofile, $formfile_params);
$out .= '<div id="attachfile_'.$key.'">';
// Preview of attachment
preg_match('#^(/)(\w+)(/)(.+)$#', substr($val, (strlen(DOL_DATA_ROOT) - strlen($val))), $formfile_params);
$out .= img_mime($listofnames[$key]).' '.$listofnames[$key];
$out .= $formfile->showPreview(array(), $formfile_params[2], $formfile_params[4]);
if (!$this->withfilereadonly) {

10
htdocs/main.inc.php
View File

@ -412,7 +412,7 @@ if (!defined('NOTOKENRENEWAL'))
//$dolibarr_nocsrfcheck=1;
// Check token
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page
{
// Check all cases that need a token (all POST actions, all actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set, all sensitive GET actions)
if ($_SERVER['REQUEST_METHOD'] == 'POST' ||
@ -428,8 +428,12 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
die;
} else {
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided.");
print "Access to this page this way (POST method or page with CSRFCHECK_WITH_TOKEN on or having a sensible value for action parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
if (defined('CSRFCHECK_WITH_TOKEN')) {
print "Access to a page that needs a token (constant CSRFCHECK_WITH_TOKEN is defined) is refused by CSRF protection in main.inc.php. Token not provided.\n";
} else {
print "Access to this page this way (POST method or GET with a sensible value for 'action' parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting and the parameter is provided by caller, you might check that all HTTP header are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
}
die;
}
}