Use function top_httphead to include headers in pages.

2017-05-09 21:01:37 +02:00 · 2017-05-09 21:01:37 +02:00 · b8b91db007
commit b8b91db007
parent 39b4549813
22 changed files with 59 additions and 42 deletions
--- a/htdocs/admin/agenda_xcal.php
+++ b/htdocs/admin/agenda_xcal.php
@ -97,7 +97,7 @@ print "<td>".$langs->trans("Value")."</td>";
 print "<td>&nbsp;</td>";
 print "</tr>";

-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print '<td class="fieldrequired">'.$langs->trans("PasswordTogetVCalExport")."</td>";
 print '<td><input required="required" type="text" class="flat" id="MAIN_AGENDA_XCAL_EXPORTKEY" name="MAIN_AGENDA_XCAL_EXPORTKEY" value="' . (GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha')?GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha'):$conf->global->MAIN_AGENDA_XCAL_EXPORTKEY) . '" size="40">';
 if (! empty($conf->use_javascript_ajax))
@ -106,13 +106,13 @@ print '</td>';
 print "<td>&nbsp;</td>";
 print "</tr>";

-print "<tr ".$bc[true].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("PastDelayVCalExport")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_PAST_DELAY\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha')?GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha'):$conf->global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days")."</td>";
 print "<td>&nbsp;</td>";
 print "</tr>";

-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("UseACacheDelay")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_CACHE\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha')?GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha'):$conf->global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\"></td>";
 print "<td>&nbsp;</td>";
@ -128,8 +128,8 @@ print '<tr class="liste_titre">';
 print '<td width="25%">'.$langs->trans("Parameter")."</td>";
 print "<td>".$langs->trans("Value")."</td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
-print '<td class="fieldrequired">'.$langs->trans("FixTZ")."</td>";
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("FixTZ")."</td>";
 print "<td>";
 print '<input class="flat" type="text" size="4" name="AGENDA_EXPORT_FIX_TZ" value="'.$conf->global->AGENDA_EXPORT_FIX_TZ.'">';
 print ' &nbsp; '.$langs->trans("FillThisOnlyIfRequired");
--- a/htdocs/cashdesk/affIndex.php
+++ b/htdocs/cashdesk/affIndex.php
@ -45,9 +45,6 @@ $langs->load("cashdesk");

 $form = new Form($db);

-//header("Content-type: text/html; charset=UTF-8");
-//header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
 $arrayofjs=array();
 $arrayofcss=array('/cashdesk/css/style.css');

--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
@ -39,8 +39,7 @@ if (! defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX','1');
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php';

-//header("Content-type: text/html; charset=UTF-8");
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+top_httphead('text/html');

 $search = GETPOST("code", "alpha");

--- a/htdocs/cashdesk/tpl/ticket.tpl.php
+++ b/htdocs/cashdesk/tpl/ticket.tpl.php
@ -20,7 +20,8 @@ include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';

 $langs->load("main");
 $langs->load('cashdesk');
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+
+top_httphead('text/html');

 $facid=GETPOST('facid','int');
 $object=new Facture($db);
--- a/htdocs/core/ajax/check_notifications.php
+++ b/htdocs/core/ajax/check_notifications.php
@ -24,6 +24,13 @@ if (! defined('NOREQUIRESOC'))   define('NOREQUIRESOC','1');

 require '../../main.inc.php';

+
+/*
+ * View
+ */
+
+top_httphead('text/html');  // TODO Use a json mime type
+
 global $user, $db, $langs, $conf;

 $time = (int) GETPOST('time');    // Use the time parameter that is always increased by time_update, even if call is late
--- a/htdocs/core/antispamimage.php
+++ b/htdocs/core/antispamimage.php
@ -58,7 +58,8 @@ if (empty($img))
    exit;
 }

-header("Content-type: image/png");
+// Define mime type
+top_httphead('image/png');

 $background_color = imagecolorallocate($img, 250, 250, 250);
 $ecriture_color = imagecolorallocate($img, 0, 0, 0);
--- a/htdocs/core/js/datepicker.js.php
+++ b/htdocs/core/js/datepicker.js.php
@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';

 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@ -39,7 +39,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';

 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/core/js/lib_notification.js.php
+++ b/htdocs/core/js/lib_notification.js.php
@ -33,21 +33,22 @@ if (! ($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root . '/' || $_SERVER['H
 {
    global $langs, $conf;

-    // Define javascript type
-    header('Content-type: text/javascript; charset=UTF-8');
-
+    top_httphead('text/javascript; charset=UTF-8');
+    
    $nowtime = time();
    //$nowtimeprevious = floor($nowtime / 60) * 60;   // auto_check_events_not_before is rounded to previous minute

    // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when.
+    /* session already started into main
    session_cache_limiter(FALSE);
    header('Cache-Control: no-cache');
-    session_start();
+    session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
+    session_start();*/
    if (! isset($_SESSION['auto_check_events_not_before'])) 
    {
        print 'console.log("_SESSION[auto_check_events_not_before] is not set");'."\n";
        // Round to eliminate the seconds
-        $_SESSION['auto_check_events_not_before'] = $nowtime;   // auto_check_events_not_before is rounded to previous minute
+        $_SESSION['auto_check_events_not_before'] = $nowtime;
    }
    print 'var nowtime = ' . $nowtime . ';' . "\n";
    print 'var login = \'' . $_SESSION['dol_login'] . '\';' . "\n";
--- a/htdocs/core/js/select2_locale.js.php
+++ b/htdocs/core/js/select2_locale.js.php
@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';

 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/core/js/timepicker.js.php
+++ b/htdocs/core/js/timepicker.js.php
@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';

 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@ -400,11 +400,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)


 /**
- *  Return a prefix to use for this Dolibarr instance for session or cookie names.
+ *  Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
 *  This prefix is unique for instance and avoid conflict between multi-instances,
- *  even when having two instances with one root dir or two instances in virtual servers
+ *  even when having two instances with one root dir or two instances in virtual servers.
 *
- *  @param  string  $mode       '' or 'email'              
+ *  @param  string  $mode       '' (prefix for session name) or 'email' (prefix for email id)              
 *  @return	string      		A calculated prefix
 */
 function dol_getprefix($mode='')
--- a/htdocs/document.php
+++ b/htdocs/document.php
@ -170,9 +170,9 @@ if (! file_exists($original_file_osencoded))
 }

 // Permissions are ok and file found, so we return it
+top_httphead($type);
 header('Content-Description: File Transfer');
 if ($encoding)   header('Content-Encoding: '.$encoding);
-if ($type)       header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
 if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
 else header('Content-Disposition: inline; filename="'.$filename.'"');
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@ -384,7 +384,8 @@ function pHeader($subtitle,$next,$action='set',$param='',$forcejqueryurl='',$css

    // We force the content charset
    header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    header("X-Content-Type-Options: nosniff");
+    
    print '<!DOCTYPE HTML>'."\n";
    print '<html>'."\n";
    print '<head>'."\n";
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@ -197,6 +197,7 @@ $sessionname='DOLSESSID_'.$prefix;
 $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
+session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
 session_start();
 if (ini_get('register_globals'))    // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
 {
@ -528,6 +529,7 @@ if (! defined('NOLOGIN'))
            dol_syslog('User not found, connexion refused');
            session_destroy();
            session_name($sessionname);
+            session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
            session_start();    // Fixing the bug of register_globals here is useless since session is empty

            if ($resultFetchUser == 0)
@ -586,6 +588,7 @@ if (! defined('NOLOGIN'))
            dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
            session_destroy();
            session_name($sessionname);
+            session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
            session_start();    // Fixing the bug of register_globals here is useless since session is empty

            if ($resultFetchUser == 0)
@ -967,19 +970,22 @@ if (! function_exists("llxHeader"))
 /**
 *  Show HTTP header
 *
+ *  @param  string  $contenttype    Content type. For example, 'text/html'
 *  @return	void
 */
-function top_httphead()
+function top_httphead($contenttype='text/html')
 {
    global $conf;

-    //header("Content-type: text/html; charset=UTF-8");
-    header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client);
+    else header("Content-Type: ".$contenttype);
+    header("X-Content-Type-Options: nosniff");
+    header("X-Frame-Options: SAMEORIGIN");
+    
    // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
-    if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
+    /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
        ob_start("ob_gzhandler");
-    }
+    }*/
 }

 /**
--- a/htdocs/paybox/lib/paybox.lib.php
+++ b/htdocs/paybox/lib/paybox.lib.php
@ -36,7 +36,8 @@ function llxHeaderPaybox($title, $head = "")
 	global $user, $conf, $langs;

 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+	
 	print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
 	//print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd>';
 	print "\n";
@ -171,7 +172,8 @@ function print_paybox_redirect($PRICE,$CURRENCY,$EMAIL,$urlok,$urlko,$TAG)
    dol_syslog("PBX_TYPEPAIEMENT: $PBX_TYPEPAIEMENT", LOG_DEBUG);

    header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    header("X-Content-Type-Options: nosniff");
+    
    print '<html>'."\n";
    print '<head>'."\n";
    print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=".$conf->file->character_set_client."\">\n";
--- a/htdocs/paypal/lib/paypal.lib.php
+++ b/htdocs/paypal/lib/paypal.lib.php
@ -35,7 +35,8 @@ function llxHeaderPaypal($title, $head = "")
 	global $user, $conf, $langs;

 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+	
 	$appli='Dolibarr';
 	if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;

--- a/htdocs/projet/jsgantt_language.js.php
+++ b/htdocs/projet/jsgantt_language.js.php
@ -34,8 +34,8 @@ if (! defined('NOREQUIREAJAX'))   define('NOREQUIREAJAX','1');

 require_once __DIR__.'/../main.inc.php';

-// Define css type
-header('Content-type: text/javascript');
+// Define mime type
+top_httphead('text/javascript');

 global $langs;
 ?>
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
@ -207,7 +207,8 @@ function pHeader($soutitre,$next,$action='none')

 	// On force contenu dans format sortie
 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+	
 	print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'."\n";
 	print '<html manifest="'.DOL_URL_ROOT.'/cache.manifest">'."\n";
 	print '<head>'."\n";
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
@ -45,7 +45,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI


 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@ -46,7 +46,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI


 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@ -191,13 +191,13 @@ else					// Open and return file
    // Les drois sont ok et fichier trouve
    if ($type)
    {
+        top_httphead($type);
        header('Content-Disposition: inline; filename="'.basename($original_file).'"');
-        header('Content-type: '.$type);
    }
    else
    {
+        top_httphead('image/png');
        header('Content-Disposition: inline; filename="'.basename($original_file).'"');
-        header('Content-type: image/png');
    }

    $original_file_osencoded=dol_osencode($original_file);