Fix CSRF for GET

This commit is contained in:
Laurent Destailleur 2021-03-29 22:51:36 +02:00
parent ce5bea7b34
commit 6e331fd45f
2 changed files with 4 additions and 4 deletions


@ -438,7 +438,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check',
'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'disable',
'doprev', 'donext', 'dvprev', 'dvnext',
'enable'
'enable', 'setpricelevel'
);
$sensitiveget = false;
if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
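Review bot: The array gets a new entry but no comment says what qualifies an action for this list, so the next maintainer has no criterion for adding or removing entries; a line above the array such as `// Actions that change state but may arrive via GET: they must carry a valid token even without a POST` would document the rule that `'setpricelevel'` now follows. Adding the action here only enforces the check; the link that emits `action=setpricelevel` is not in this commit and presumably must now append the token to its URL, otherwise the request will be refused. The enclosing `if` starts outside the hunk.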


@ -2285,8 +2285,8 @@ class Societe extends CommonObject
$now = dol_now();
$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
$sql .= " SET price_level = '".$this->db->escape($price_level)."'";
$sql .= " WHERE rowid = ".$this->id;
$sql .= " SET price_level = ".((int) $price_level);
$sql .= " WHERE rowid = ".((int) $this->id);
if (!$this->db->query($sql)) {
dol_print_error($this->db);
@ -2295,7 +2295,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices";
$sql .= " (datec, fk_soc, price_level, fk_user_author)";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", ".((int) $price_level).", ".$user->id.")";
if (!$this->db->query($sql)) {
dol_print_error($this->db);
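Review bot: The INSERT on the new side still concatenates `$this->id` and `$user->id` without the `(int)` cast that the same commit applies to `$price_level` and to `$this->id` in the UPDATE above, so the second hunk is not as tight as the first; the line should read `$sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $this->id).", ".((int) $price_level).", ".((int) $user->id).")";`. Both ids are presumably integers already, so the cast is a consistency and defence-in-depth change rather than a functional one. The enclosing method starts and ends outside the hunks.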