every dol_encode for securekey replaced with dol_hash (dol_encode kept for encoding ids

htdocs/eventorganization/class/conferenceorbooth.class.php

@@ -244,7 +244,7 @@ class ConferenceOrBooth extends ActionComm
 		$encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
 		$link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid;
 
-		$encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id);
+		$encodedsecurekey = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
 		$link_subscription .= '&securekey='.urlencode($encodedsecurekey);
 
 		$this->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1);

htdocs/eventorganization/conferenceorbooth_list.php

@@ -366,7 +366,7 @@ if ($projectid > 0) {
 	print '<tr><td>'.$langs->trans("RegisterPage").'</td><td>';
 	$encodedid = dol_encode($project->id, $dolibarr_main_instance_unique_id);
 	$linkregister = $dolibarr_main_url_root.'/public/project/index.php?id='.$encodedid;
-	$encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id);
+	$encodedsecurekey = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$project->id, 2);
 	$linkregister .= '&securekey='.urlencode($encodedsecurekey);
 	print '<a target="_blank" href="'.$linkregister.'">'.$linkregister.'</a>';
 	print '</td></tr>';

htdocs/langs/en_US/eventorganization.lang

@@ -105,8 +105,8 @@ ViewAndVote = View and vote for suggested events
 PublicAttendeeSubscriptionPage = Public link of registration to a conference
 MissingOrBadSecureKey = The security key is invalid or missing
 EvntOrgWelcomeMessage = This form allows you to register as a new participant to the conference 
-EvntOrgDuration = This conference starts on %s and ends on %s
-ConferenceAttendeeFee = Conference attendee fee for the event : '%s' occurring from %s to %s
+EvntOrgDuration = This conference starts on %s and ends on %s.
+ConferenceAttendeeFee = Conference attendee fee for the event : '%s' occurring from %s to %s.
 #
 # SubscriptionOk page
 #

htdocs/public/eventorganization/attendee_subscription.php

@@ -101,16 +101,13 @@ if ($resultproject < 0) {
 	$errmsg .= $project->error;
 }
 
-// Getting 'securekey'.'id' from Post and decoding it
-$encodedsecurekeyandid = GETPOST('securekey', 'alpha');
-$securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id);
 
-// Securekey decomposition into pure securekey and id added at the end
-$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid));
-$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)), $dolibarr_main_instance_unique_id);
+// Getting 'securekey'.'id' from Post and decoding it
+$securekeyreceived = GETPOST('securekey', 'alpha');
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
 
 // We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
-if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {
+if ($securekeytocompare != $securekeyreceived) {
 	print $langs->trans('MissingOrBadSecureKey');
 	exit;
 }
@@ -251,7 +248,9 @@ if (empty($reshook) && $action == 'add') {
 
 		// If the attendee has already paid
 		if ($confattendee->status == 1) {
-			$redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?securekey='.dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY, $dolibarr_main_instance_unique_id);
+			$encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
+			$securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+			$redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
 			Header("Location: ".$redirection);
 			exit;
 		}
@@ -435,7 +434,9 @@ if (empty($reshook) && $action == 'add') {
 				dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_payment');
 			}
 
-			$redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?securekey='.dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY, $dolibarr_main_instance_unique_id);
+			$encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
+			$securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+			$redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
 			Header("Location: ".$redirection);
 			exit;
 		}
@@ -478,7 +479,7 @@ print '<input type="hidden" name="token" value="'.newToken().'" / >';
 print '<input type="hidden" name="entity" value="'.$entity.'" />';
 print '<input type="hidden" name="action" value="add" />';
 print '<input type="hidden" name="id" value="'.$encodedid.'" />';
-print '<input type="hidden" name="securekey" value="'.$encodedsecurekeyandid.'" />';
+print '<input type="hidden" name="securekey" value="'.$securekeyreceived.'" />';
 
 print '<br>';
 

htdocs/public/eventorganization/subscriptionok.php

@@ -65,8 +65,12 @@ $object = new stdClass(); // For triggers
 $error = 0;
 
 // Security check
-$securekey = dol_decode(GETPOST('securekey'), $dolibarr_main_instance_unique_id);
-if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY) {
+$encodedid = GETPOST("id");
+$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
+$securekeyreceived = GETPOST("securekey");
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+
+if ($securekeyreceived != $securekeytocompare) {
 	print $langs->trans('MissingOrBadSecureKey');
 	exit;
 }