From 678c3bdb76c09db995401176c3b9a7de7ec0d1ed Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 20 Feb 2022 18:07:10 +0100
Subject: [PATCH] Fix switch to login page

---
 htdocs/main.inc.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 3f8da14338b..46315f2d688 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -533,7 +533,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
 //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
 setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
- if (isset($_POST['id'])) $savid = ((int) $_POST['id']);
+ $savid = null;
+ if (isset($_POST['id'])) {
+ $savid = ((int) $_POST['id']);
+ }
 unset($_POST);
 //unset($_POST['action']); unset($_POST['massaction']);
 //unset($_POST['confirm']); unset($_POST['confirmmassaction']);
@@ -541,7 +544,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 unset($_GET['action']);
 unset($_GET['confirmmassaction']);
 unset($_GET['massaction']);
- if (isset($savid)) $_POST['id'] = ((int) $savid);
+ unset($_GET['token']); // TODO Make a redirect if we have a token in url to remove it ?
+ if (isset($savid)) {
+ $_POST['id'] = ((int) $savid);
+ }
 }
 
 // Note: There is another CSRF protection into the filefunc.inc.php
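Review bot: The new `$savid` capture in the first hunk can be a single expression, `$savid = isset($_POST['id']) ? (int) $_POST['id'] : null;`, which also drops the redundant outer parentheses around the cast. The enclosing CSRF `if` block opens before the hunk, so `$savid` lives in file scope and the explicit initialisation is the right fix for the `isset($savid)` test later in the same block. Separately, the dol_syslog context line above writes the current `$_SESSION['token']` value to the log at LOG_WARNING; log files usually have weaker protection than the session store, so consider recording only a truncated or hashed form of it.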
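Review bot: `unset($_GET['token'])` in the second hunk clears only the `$_GET` copy; `$_REQUEST` is filled at request start and is not updated by this unset, so any code reading `$_REQUEST['token']` would still see the rejected value — if such readers exist in this codebase, add `unset($_REQUEST['token']);` beside it. The TODO comment would read better as a statement of the risk rather than a question, e.g. `// TODO Redirect to the same URL without the token parameter, so a stale token is not resubmitted from a bookmark or the browser back button`. Note also that `$_POST['id']` is re-assigned after the earlier `unset($_POST)`; whether that repopulates the superglobal or a plain file-scope array depends on the scope main.inc.php is included from, which is worth confirming. The enclosing `if` block that opened before the first hunk closes at the `}` context line here.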