Merge pull request #22435 from hregis/fix_csrf_and_lost_parameter_value

FIX CSRF + lost value of constant after using the save button
This commit is contained in:
Laurent Destailleur 2022-09-28 20:08:04 +02:00 committed by GitHub
commit 8048322b65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 101 additions and 50 deletions


@ -81,6 +81,27 @@ if ($action == 'updateMask') {
dolibarr_del_const($db, 'TICKET_ADDON_PDF', $conf->entity);
}
}
} elseif (preg_match('/set_(.*)/', $action, $reg)) {
$code = $reg[1];
$value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1;
if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) {
$param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
} else {
$res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
}
} elseif (preg_match('/del_(.*)/', $action, $reg)) {
$code = $reg[1];
$res = dolibarr_del_const($db, $code, $conf->entity);
if (!($res > 0)) {
$error++;
}
} elseif ($action == 'setdoc') {
// Set default model
if (dolibarr_set_const($db, "TICKET_ADDON_PDF", $value, 'chaine', 0, '', $conf->entity)) {
@ -100,16 +121,25 @@ if ($action == 'updateMask') {
dolibarr_set_const($db, "TICKET_ADDON", $value, 'chaine', 0, '', $conf->entity);
} elseif ($action == 'setvarworkflow') {
$param_auto_read = GETPOST('TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', $param_auto_read, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
// For compatibility when javascript is not enabled
if (empty($conf->use_javascript_ajax)) {
$param_auto_read = GETPOST('TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', $param_auto_read, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
$param_auto_assign = GETPOST('TICKET_AUTO_ASSIGN_USER_CREATE', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_AUTO_ASSIGN_USER_CREATE', $param_auto_assign, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
$param_auto_assign = GETPOST('TICKET_AUTO_ASSIGN_USER_CREATE', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_AUTO_ASSIGN_USER_CREATE', $param_auto_assign, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
$param_auto_notify_close = GETPOST('TICKET_NOTIFY_AT_CLOSING', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFY_AT_CLOSING', $param_auto_notify_close, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
}
$param_limit_view = GETPOST('TICKET_LIMIT_VIEW_ASSIGNED_ONLY', 'alpha');
@ -137,12 +167,6 @@ if ($action == 'updateMask') {
if (!($res > 0)) {
$error++;
}
$param_auto_notify_close = GETPOST('TICKET_NOTIFY_AT_CLOSING', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFY_AT_CLOSING', $param_auto_notify_close, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
} elseif ($action == 'setvar') {
include_once DOL_DOCUMENT_ROOT."/core/lib/files.lib.php";
@ -191,7 +215,8 @@ if ($action == 'updateMask') {
$error++;
}
if ($conf->global->MAIN_FEATURES_LEVEL >= 2) {
// For compatibility when javascript is not enabled
if ($conf->global->MAIN_FEATURES_LEVEL >= 2 && empty($conf->use_javascript_ajax)) {
$param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
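Review bot: In the new `set_(.*)` and `del_(.*)` branches the constant name that gets written or deleted comes straight from the `action` parameter (`$code = $reg[1];`), through an unanchored pattern and with no check that it is one of the constants this page manages, so any Dolibarr constant can be set or removed through this endpoint by whoever passes the page's permission check (that check lies outside the hunk). Anchoring the patterns, `preg_match('/^set_(.*)$/', $action, $reg)` and `preg_match('/^del_(.*)$/', $action, $reg)`, and rejecting a `$code` that is not in a local allow-list of the TICKET_* names used on this page would keep the token fix from widening what the page can touch. The same construction appears in the `set_(.*)` branch of the public-interface setup page in the next file section.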


@ -151,7 +151,8 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') {
$errors[] = $db->lasterror();
}
if ($conf->global->MAIN_FEATURES_LEVEL >= 2) {
// For compatibility when javascript is not enabled
if ($conf->global->MAIN_FEATURES_LEVEL >= 2 && empty($conf->use_javascript_ajax)) {
$param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
@ -162,32 +163,30 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') {
} elseif (preg_match('/set_(.*)/', $action, $reg)) {
$code = $reg[1];
$value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1;
$res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
}
if (!$error) {
if ($code == 'TICKET_EMAIL_MUST_EXISTS') {
$res = dolibarr_del_const($db, 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
}
} elseif ($code == 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST') {
$res = dolibarr_del_const($db, 'TICKET_EMAIL_MUST_EXISTS', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
}
// enable captcha by default
// TODO Add a visible option in this setup page for this
$res = dolibarr_set_const($db, 'MAIN_SECURITY_ENABLECAPTCHA_TICKET', 1, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) {
$param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha');
$res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
} else {
$res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity);
if (!($res > 0)) {
$error++;
}
if (!$error) {
if ($code == 'TICKET_EMAIL_MUST_EXISTS') {
$res = dolibarr_del_const($db, 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
}
} elseif ($code == 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST') {
$res = dolibarr_del_const($db, 'TICKET_EMAIL_MUST_EXISTS', $conf->entity);
if (!($res > 0)) {
$error++;
$errors[] = $db->lasterror();
}
}
}
}
@ -272,13 +271,37 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
print '</td>';
print '</tr>';
// Enable Captcha code
print '<tr class="oddeven">';
print '<td>'.$langs->trans("TicketUseCaptchaCode").'</td>';
print '<td class="left">';
if (function_exists("imagecreatefrompng")) {
if (!empty($conf->use_javascript_ajax)) {
print ajax_constantonoff('MAIN_SECURITY_ENABLECAPTCHA_TICKET');
} else {
if (empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) {
print '<a href="'.$_SERVER['PHP_SELF'].'?action=set_MAIN_SECURITY_ENABLECAPTCHA_TICKET&token='.newToken().'">'.img_picto($langs->trans("Disabled"), 'off').'</a>';
} else {
print '<a href="'.$_SERVER['PHP_SELF'].'?action=del_MAIN_SECURITY_ENABLECAPTCHA_TICKET&token='.newToken().'">'.img_picto($langs->trans("Enabled"), 'on').'</a>';
}
}
} else {
$desc = $form->textwithpicto('', $langs->transnoentities("EnableGDLibraryDesc"), 1, 'warning');
print $desc;
}
print '</td>';
print '<td class="center width75">';
print $form->textwithpicto('', $langs->trans("TicketUseCaptchaCodeHelp"), 1, 'help');
print '</td>';
print '</tr>';
// Check if email exists
print '<tr class="oddeven"><td>'.$langs->trans("TicketsEmailMustExist").'</td>';
print '<td class="left">';
if (empty(getDolGlobalInt('TICKET_EMAIL_MUST_EXISTS'))) {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=set_TICKET_EMAIL_MUST_EXISTS">' . img_picto($langs->trans('Disabled'), 'switch_off') . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=set_TICKET_EMAIL_MUST_EXISTS&token='.newToken().'">' . img_picto($langs->trans('Disabled'), 'switch_off') . '</a>';
} else {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=del_TICKET_EMAIL_MUST_EXISTS">' . img_picto($langs->trans('Enabled'), 'switch_on') . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=del_TICKET_EMAIL_MUST_EXISTS&token='.newToken().'">' . img_picto($langs->trans('Enabled'), 'switch_on') . '</a>';
}
print '</td>';
print '<td class="center width75">';
@ -290,9 +313,9 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
print '<tr class="oddeven"><td>'.$langs->trans("TicketCreateThirdPartyWithContactIfNotExist").'</td>';
print '<td class="left">';
if (empty(getDolGlobalInt('TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST'))) {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=set_TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST">' . img_picto($langs->trans('Disabled'), 'switch_off') . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=set_TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST&token='.newToken().'">' . img_picto($langs->trans('Disabled'), 'switch_off') . '</a>';
} else {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=del_TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST">' . img_picto($langs->trans('Enabled'), 'switch_on') . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=del_TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST&token='.newToken().'">' . img_picto($langs->trans('Enabled'), 'switch_on') . '</a>';
}
print '</td>';
print '<td class="center width75">';
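Review bot: In the rewritten `set_(.*)` branch the two `dolibarr_set_const()` failure paths (the `TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS` case and the generic `else`) only do `$error++;`, whereas the code they replace and the `dolibarr_del_const()` paths directly below them also record `$errors[] = $db->lasterror();`, so a failed save on this page now produces an error count without a message to display. Adding `$errors[] = $db->lasterror();` after each of those two `$error++;` lines restores the behaviour of the surrounding code. The enclosing action dispatch starts before this hunk.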


@ -426,7 +426,7 @@ class FormTicket
$doleditor->Create();
print '</td></tr>';
if ($public && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA)) {
if ($public && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) {
require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
print '<tr><td class="titlefield"><label for="email"><span class="fieldrequired">'.$langs->trans("SecurityCode").'</span></label></td><td>';
print '<span class="span-icon-security inline-block">';
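Review bot: The captcha widget on the public form is now shown only when `MAIN_SECURITY_ENABLECAPTCHA_TICKET` is set and the global `MAIN_SECURITY_ENABLECAPTCHA` no longer counts; the server-side check in the last file section makes the same switch, so form and validation stay consistent, but an installation that protected public ticket creation only through the global setting loses that protection after upgrade unless the new ticket-specific constant receives a value. No migration setting it is visible in this change, so either a fallback on both the form and the check, `if ($public && (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET) || !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))) {`, or a literal module default of `"1"` would avoid silently turning the captcha off. The enclosing method of FormTicket starts outside the hunk.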


@ -117,7 +117,8 @@ class modTicket extends DolibarrModules
9 => array('TICKET_NOTIFICATION_EMAIL_FROM', 'chaine', getDolGlobalString('MAIN_MAIL_EMAIL_FROM'), 'Email to use by default as sender for messages sent from Dolibarr', 0),
10 => array('TICKET_MESSAGE_MAIL_INTRO', 'chaine', $langs->trans('TicketMessageMailIntroText'), 'Introduction text of ticket replies sent from Dolibarr', 0),
11 => array('TICKET_MESSAGE_MAIL_SIGNATURE', 'chaine', $default_signature, 'Signature to use by default for messages sent from Dolibarr', 0),
12 => array('MAIN_EMAILCOLLECTOR_MAIL_WITHOUT_HEADER', 'chaine', "1", 'Disable the rendering of headers in tickets', 0)
12 => array('MAIN_EMAILCOLLECTOR_MAIL_WITHOUT_HEADER', 'chaine', "1", 'Disable the rendering of headers in tickets', 0),
13 => array('MAIN_SECURITY_ENABLECAPTCHA_TICKET', 'chaine', getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA_TICKET'), 'Enable captcha code by default', 0)
);
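Review bot: The default given for `MAIN_SECURITY_ENABLECAPTCHA_TICKET` is `getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA_TICKET')`, i.e. the constant's own current value, which is 0 on a fresh activation where it is not yet defined, so the entry described as 'Enable captcha code by default' would store a disabled captcha; every other entry in this array uses a literal default (e.g. `"1"` on the line above). If module activation only inserts constants that do not already exist (not visible here), reading the value back is redundant and `13 => array('MAIN_SECURITY_ENABLECAPTCHA_TICKET', 'chaine', "1", 'Enable captcha code by default', 0)` would make the description true; otherwise the description should state that the existing value is preserved. This matters because the code removed from the public-interface setup page in this same commit used to force this constant to 1.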


@ -149,6 +149,8 @@ TicketsAutoNotifyCloseHelp=When closing a ticket, you will be proposed to send a
TicketWrongContact=Provided contact is not part of current ticket contacts. Email not sent.
TicketChooseProductCategory=Product category for ticket support
TicketChooseProductCategoryHelp=Select the product category of ticket support. This will be used to automatically link a contract to a ticket.
TicketUseCaptchaCode=Use graphical code (CAPTCHA) when creating a ticket
TicketUseCaptchaCodeHelp=Adds CAPTCHA verification when creating a new ticket.
#
# Index & list page


@ -218,7 +218,7 @@ if (empty($reshook)) {
}
// Check Captcha code if is enabled
if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) || !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) {
if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) {
$sessionkey = 'dol_antispam_value';
$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml'))));
if (!$ok) {