From 72131110e789d51f7b656b54e8296fbbd93a846a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 31 Aug 2021 18:03:37 +0200 Subject: [PATCH] Fix protect public pages --- htdocs/public/cron/cron_run_jobs_by_url.php | 4 +++ htdocs/public/cron/index.html | 0 htdocs/public/cron/index.php | 27 +++++++++++++++++++++ htdocs/public/index.php | 4 +-- htdocs/public/notice.php | 10 ++++---- htdocs/public/ticket/create_ticket.php | 4 +++ htdocs/public/ticket/index.php | 4 +++ htdocs/public/ticket/list.php | 3 +++ htdocs/public/ticket/view.php | 4 +++ 9 files changed, 53 insertions(+), 7 deletions(-) delete mode 100644 htdocs/public/cron/index.html create mode 100644 htdocs/public/cron/index.php diff --git a/htdocs/public/cron/cron_run_jobs_by_url.php b/htdocs/public/cron/cron_run_jobs_by_url.php index 133c5d1b18a..9369a9d78a7 100644 --- a/htdocs/public/cron/cron_run_jobs_by_url.php +++ b/htdocs/public/cron/cron_run_jobs_by_url.php @@ -67,6 +67,10 @@ global $langs, $conf; // Language Management $langs->loadLangs(array("admin", "cron", "dict")); +// Security check +if (empty($conf->cron->enabled)) { + accessforbidden('', 0, 0, 1); +} diff --git a/htdocs/public/cron/index.html b/htdocs/public/cron/index.html deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/htdocs/public/cron/index.php b/htdocs/public/cron/index.php new file mode 100644 index 00000000000..a62d2d1ba68 --- /dev/null +++ b/htdocs/public/cron/index.php @@ -0,0 +1,27 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +/** + * \file htdocs/public/cron/index.php + * \ingroup core + * \brief A redirect page to an error + */ + +require '../../master.inc.php'; + +header("Location: ".DOL_URL_ROOT.'/public/error-404.php'); +exit; diff --git a/htdocs/public/index.php b/htdocs/public/index.php index a9de01f35ca..6e80d99430f 100644 --- a/htdocs/public/index.php +++ b/htdocs/public/index.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2009-2021 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,7 +18,7 @@ /** * \file htdocs/public/index.php * \ingroup core - * \brief A redirect page to an error + * \brief A redirect page to an error page */ require '../master.inc.php'; diff --git a/htdocs/public/notice.php b/htdocs/public/notice.php index c41bf81bea4..d5ac4070ff0 100644 --- a/htdocs/public/notice.php +++ b/htdocs/public/notice.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2016-2021 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,10 +17,10 @@ /** * \file htdocs/public/notice.php - * \brief Dolibarr page to show a notice. - * Default notice is a message to say network connection is off or show another message. - * You can also call this page with URL: - * /public/notice.php?lang=xx_XX&transkey=translation_key (key must be inside file main.lang, error.lang or other.lang) + * \brief Dolibarr public page to show a notice. + * Default notice is a message to say network connection is off. Some parameters can be used to show another message. + * You can call this page with URL: + * /public/notice.php?lang=xx_XX&transkey=translation_key (key must be inside file main.lang, error.lang or other.lang) * /public/notice.php?transphrase=url_encoded_sentence_to_show */ diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php index b911e7480d3..70f652ebc05 100644 --- a/htdocs/public/ticket/create_ticket.php +++ b/htdocs/public/ticket/create_ticket.php @@ -75,6 +75,10 @@ $extrafields = new ExtraFields($db); $extrafields->fetch_name_optionals_label($object->table_element); +if (empty($conf->ticket->enabled)) { + accessforbidden('', 0, 0, 1); +} + /* * Actions diff --git a/htdocs/public/ticket/index.php b/htdocs/public/ticket/index.php index 31ee838f6f5..6abeb5f8b12 100644 --- a/htdocs/public/ticket/index.php +++ b/htdocs/public/ticket/index.php @@ -61,6 +61,10 @@ $langs->loadLangs(array('companies', 'other', 'ticket', 'errors')); $track_id = GETPOST('track_id', 'alpha'); $action = GETPOST('action', 'aZ09'); +if (empty($conf->ticket->enabled)) { + accessforbidden('', 0, 0, 1); +} + /* * View diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php index 3df9d33eb4a..db5f5d8d754 100644 --- a/htdocs/public/ticket/list.php +++ b/htdocs/public/ticket/list.php @@ -70,6 +70,9 @@ if (isset($_SESSION['email_customer'])) { $object = new Ticket($db); +if (empty($conf->ticket->enabled)) { + accessforbidden('', 0, 0, 1); +} diff --git a/htdocs/public/ticket/view.php b/htdocs/public/ticket/view.php index 1270ad6c0fa..b914ed0631e 100644 --- a/htdocs/public/ticket/view.php +++ b/htdocs/public/ticket/view.php @@ -68,6 +68,10 @@ if (isset($_SESSION['email_customer'])) { $object = new ActionsTicket($db); +if (empty($conf->ticket->enabled)) { + accessforbidden('', 0, 0, 1); +} + /* * Actions