From 8e1ffa51444b87368915aea3aed81599fa01198a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 19 Mar 2020 10:52:07 +0100
Subject: [PATCH] Fix management of token
---
 htdocs/compta/accounting-files.php | 12 +++++++++---
 htdocs/core/lib/functions.lib.php | 13 ++++++++++++-
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php
index af18b834edf..cb2c3d2fdff 100644
--- a/htdocs/compta/accounting-files.php
+++ b/htdocs/compta/accounting-files.php
@@ -16,11 +16,17 @@
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .
 */
-/**
+
+ /**
 * \file htdocs/compta/accounting-files.php
 * \ingroup compta
 * \brief Page to show portoflio and files of a thirdparty and download it
 */
+
+if ($_GET['action'] == 'dl' || $_POST['action'] == 'dl') { // To not replace token when downloading file
+ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
+}
+
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@@ -106,7 +112,7 @@ $error = 0; $filesarray = array(); $result = false;
-if (($action == "searchfiles" || $action == "dl")) {
+if (($action == 'searchfiles' || $action == 'dl')) {
 if (empty($date_start)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors');
@@ -459,7 +465,7 @@ if (!empty($date_start) && !empty($date_stop)) $param .= '&date_stopyear='.GETPOST('date_stopyear', 'int'); print '
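Review bot: The guard added before `require '../main.inc.php'` indexes `$_GET['action']` and `$_POST['action']` without checking that they exist, so a request that lacks either key raises an undefined-index notice before the framework's own input handling runs; `if ((isset($_GET['action']) && $_GET['action'] === 'dl') || (isset($_POST['action']) && $_POST['action'] === 'dl')) {` avoids that. The constant is set from request data alone, for GET as well as POST, so it is worth confirming that main.inc.php still validates the submitted token when `NOTOKENRENEWAL` is defined; that code is not visible in this patch. If it does, a comment such as `// Skips token renewal only; the token check in main.inc.php still applies` would record the intent for the next reader.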
'."\n";
- print '';
+ print '';
 echo dol_print_date($date_start, 'day')." - ".dol_print_date($date_stop, 'day');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 9842a3d59e0..6976b5fec40 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8574,7 +8574,8 @@ function isAFileWithExecutableContent($filename)
 }
 /**
- * Return new session token
+ * Return the value of token currently saved into session with name 'newtoken'.
+ * This token must be send by any POST as it will be used by next page for comparison with value in session.
 *
 * @return string
 */
@@ -8582,3 +8583,13 @@ function newToken()
 {
 return $_SESSION['newtoken'];
 }
+
+/**
+ * Return the value of token currently saved into session with name 'token'.
+ *
+ * @return string
+ */
+function currentToken()
+{
+ return $_SESSION['token'];
+}
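Review bot: `currentToken()` returns `$_SESSION['token']` with no check that the key is set, so on a session where no token has been stored yet it yields null and a notice although the docblock promises a string; `newToken()` in the context lines above has the same shape. An empty token written into a form is worth avoiding because the comparison that consumes it lies outside this patch; consider `return isset($_SESSION['token']) ? $_SESSION['token'] : '';`. The docblock should also say when to call this instead of `newToken()`, presumably only for forms whose target defines `NOTOKENRENEWAL`, as accounting-files.php does in this commit.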