FIX ajax call for line positioning when CSRFCHECK_WITH_TOKEN is on

Laurent Destailleur 2019-07-21 16:00:32 +02:00
parent 904e399293
commit 932530bd37
2 changed files with 7 additions and 3 deletions


@ -66,13 +66,15 @@ $(document).ready(function(){
var fk_element = "<?php echo $fk_element; ?>";
var element_id = "<?php echo $id; ?>";
var filepath = "<?php echo urlencode($filepath); ?>";
var token = "<?php echo $_SESSION["token"]; ?>"; // We use old 'token' and not 'newtoken' for such ajax call because the ajax page has the NOTOKENRENEWAL constant set.
$.post("<?php echo DOL_URL_ROOT; ?>/core/ajax/row.php",
{
roworder: roworder,
table_element_line: table_element_line,
fk_element: fk_element,
element_id: element_id,
filepath: filepath
filepath: filepath,
token: token
},
function() {
console.log("tableDND end of ajax call");
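Review bot: The added line `var token = "<?php echo $_SESSION["token"]; ?>";` drops the session value straight into a JavaScript string literal with no guard and no escaping for the JS context, while `filepath` on the line above is at least `urlencode`d. If the session carries no token yet, the unguarded index emits a notice and the request goes out with an empty token and is refused by the CSRF check this commit is meant to satisfy. Prefer `var token = "<?php echo dol_escape_js(isset($_SESSION['token']) ? $_SESSION['token'] : ''); ?>";` so the value is both guarded and escaped for the context it is rendered in. The `$(document).ready` handler and the `$.post` callback both start or continue outside this hunk.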


@ -273,6 +273,7 @@ if (isset($_SERVER["HTTP_USER_AGENT"]))
if ($conf->browser->layout == 'phone') $conf->dol_no_mouse_hover=1;
}
// Force HTTPS if required ($conf->file->main_force_https is 0/1 or https dolibarr root url)
// $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
if (! empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on'))
@ -380,6 +381,7 @@ if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->
{
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOSTISSET('token')) // Note, offender can still send request by GET
{
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided.");
print "Access by POST method refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
die;
@ -389,9 +391,9 @@ if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->
//{
if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token'])
{
dol_syslog("Invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
if ($conf->global->MAIN_FEATURES_LEVEL>1) setEventMessages('Unset POST by CSRF protection in main.inc.php.', null, 'warnings');
if ($conf->global->MAIN_FEATURES_LEVEL>1) setEventMessages('Unset POST by CSRF protection in main.inc.php.'."<br>\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings');
unset($_POST);
unset($_GET['confirm']);
}
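Review bot: The rewritten `dol_syslog("--- Access to ... _SESSION['token']=".$_SESSION['token'], LOG_WARNING);` line and the new `setEventMessages(... ' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings')` line both emit the session's currently valid anti-CSRF token, the first into the log at LOG_WARNING and the second into a user-visible page message; a live secret should not be written to either sink even behind `MAIN_FEATURES_LEVEL>1`, since logs are routinely shipped and retained with weaker protection than the session store. Log only that the submitted and session tokens differ, e.g. `dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '').", action=".GETPOST('action', 'aZ09'), LOG_WARNING);`, and keep the token values out of the event message as well. The event message also concatenates `$_SERVER['REQUEST_URI']`, which is request-controlled; unless setEventMessages escapes its text before output (not visible here), pass it through `dol_escape_htmltag()` first. The surrounding `if (GETPOSTISSET('token') ...)` block and its enclosing CSRF condition start outside this hunk.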