From 820ab1a110471126a8ea33718fe409f03d7e5b9a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 16 Jan 2021 13:03:34 +0100 Subject: [PATCH 1/2] Better error message --- htdocs/main.inc.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 5c3fd8ee46b..85f5d775929 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -412,7 +412,7 @@ if (!defined('NOTOKENRENEWAL')) //$dolibarr_nocsrfcheck=1; // Check token if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) - || defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set + || defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page { // Check all cases that need a token (all POST actions, all actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set, all sensitive GET actions) if ($_SERVER['REQUEST_METHOD'] == 'POST' || @@ -428,8 +428,12 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl die; } else { dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided."); - print "Access to this page this way (POST method or page with CSRFCHECK_WITH_TOKEN on or having a sensible value for action parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n"; - print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n"; + if (defined('CSRFCHECK_WITH_TOKEN')) { + print "Access to a page that needs a token (constant CSRFCHECK_WITH_TOKEN is defined) is refused by CSRF protection in main.inc.php. Token not provided.\n"; + } else { + print "Access to this page this way (POST method or GET with a sensible value for 'action' parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n"; + print "If you access your server behind a proxy using url rewriting and the parameter is provided by caller, you might check that all HTTP header are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n"; + } die; } } From b3d7783a297207ff8b0b517702f1f757bc1cfb11 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 16 Jan 2021 13:41:27 +0100 Subject: [PATCH 2/2] Fix multicompany compatibility of preview of file in email form --- htdocs/core/class/html.formmail.class.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 1edcabf36a5..24e36cfecc2 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -859,9 +859,16 @@ class FormMail extends Form { foreach ($listofpaths as $key => $val) { + $relativepathtofile = substr($val, (strlen(DOL_DATA_ROOT) - strlen($val))); + if ($conf->entity > 1) { + $relativepathtofile = str_replace($conf->entity.'/', '', $relativepathtofile); + } + // Try to extract data from full path + $formfile_params = array(); + preg_match('#^(/)(\w+)(/)(.+)$#', $relativepathtofile, $formfile_params); + $out .= '
'; // Preview of attachment - preg_match('#^(/)(\w+)(/)(.+)$#', substr($val, (strlen(DOL_DATA_ROOT) - strlen($val))), $formfile_params); $out .= img_mime($listofnames[$key]).' '.$listofnames[$key]; $out .= $formfile->showPreview(array(), $formfile_params[2], $formfile_params[4]); if (!$this->withfilereadonly)