diff --git a/htdocs/admin/agenda_xcal.php b/htdocs/admin/agenda_xcal.php
index 0e66125ba7c..1895eb5b15d 100644
--- a/htdocs/admin/agenda_xcal.php
+++ b/htdocs/admin/agenda_xcal.php
@@ -97,7 +97,7 @@ print "
';
+print '| '.$langs->trans("FixTZ")." | ";
print "";
print '';
print ' '.$langs->trans("FillThisOnlyIfRequired");
diff --git a/htdocs/cashdesk/affIndex.php b/htdocs/cashdesk/affIndex.php
index 6b1d13f719f..b5432b94eec 100644
--- a/htdocs/cashdesk/affIndex.php
+++ b/htdocs/cashdesk/affIndex.php
@@ -45,9 +45,6 @@ $langs->load("cashdesk");
$form = new Form($db);
-//header("Content-type: text/html; charset=UTF-8");
-//header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
$arrayofjs=array();
$arrayofcss=array('/cashdesk/css/style.css');
diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php
index 8d4ebf8af31..3046644c35e 100644
--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
@@ -39,8 +39,7 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php';
-//header("Content-type: text/html; charset=UTF-8");
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+top_httphead('text/html');
$search = GETPOST("code", "alpha");
diff --git a/htdocs/cashdesk/tpl/ticket.tpl.php b/htdocs/cashdesk/tpl/ticket.tpl.php
index 40be470c429..82b84ba3b56 100644
--- a/htdocs/cashdesk/tpl/ticket.tpl.php
+++ b/htdocs/cashdesk/tpl/ticket.tpl.php
@@ -20,7 +20,8 @@ include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
$langs->load("main");
$langs->load('cashdesk');
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+
+top_httphead('text/html');
$facid=GETPOST('facid','int');
$object=new Facture($db);
diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php
index fa3edd7a4be..332626fbabd 100644
--- a/htdocs/core/ajax/check_notifications.php
+++ b/htdocs/core/ajax/check_notifications.php
@@ -24,6 +24,13 @@ if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
require '../../main.inc.php';
+
+/*
+ * View
+ */
+
+top_httphead('text/html'); // TODO Use a json mime type
+
global $user, $db, $langs, $conf;
$time = (int) GETPOST('time'); // Use the time parameter that is always increased by time_update, even if call is late
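Review bot: The endpoint now declares `text/html` although the TODO on the added line admits the body is meant to be JSON; a browser navigating straight to this URL will render any reflected value as markup, and the `nosniff` header the helper also sends pins that declared type instead of correcting it. If the response really is JSON, pass the real type now rather than later — `top_httphead('application/json');` — which already goes through the non-html branch of the helper without any other change. The `$time` parameter being cast to `(int)` is good; the rest of the script, including whatever is printed, is outside the hunk.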
diff --git a/htdocs/core/antispamimage.php b/htdocs/core/antispamimage.php
index a16844dd715..816763eeaf5 100644
--- a/htdocs/core/antispamimage.php
+++ b/htdocs/core/antispamimage.php
@@ -58,7 +58,8 @@ if (empty($img))
exit;
}
-header("Content-type: image/png");
+// Define mime type
+top_httphead('image/png');
$background_color = imagecolorallocate($img, 250, 250, 250);
$ecriture_color = imagecolorallocate($img, 0, 0, 0);
diff --git a/htdocs/core/js/datepicker.js.php b/htdocs/core/js/datepicker.js.php
index 02666409fc3..50c140f6f82 100644
--- a/htdocs/core/js/datepicker.js.php
+++ b/htdocs/core/js/datepicker.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
require_once '../../main.inc.php';
// Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php
index 8909f446812..e604f3281f9 100644
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@@ -39,7 +39,7 @@ session_cache_limiter(FALSE);
require_once '../../main.inc.php';
// Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php
index a3b90a35db6..b640f4cc81b 100644
--- a/htdocs/core/js/lib_notification.js.php
+++ b/htdocs/core/js/lib_notification.js.php
@@ -33,21 +33,22 @@ if (! ($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root . '/' || $_SERVER['H
{
global $langs, $conf;
- // Define javascript type
- header('Content-type: text/javascript; charset=UTF-8');
-
+ top_httphead('text/javascript; charset=UTF-8');
+
$nowtime = time();
//$nowtimeprevious = floor($nowtime / 60) * 60; // auto_check_events_not_before is rounded to previous minute
// TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when.
+ /* session already started into main
session_cache_limiter(FALSE);
header('Cache-Control: no-cache');
- session_start();
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
+ session_start();*/
if (! isset($_SESSION['auto_check_events_not_before']))
{
print 'console.log("_SESSION[auto_check_events_not_before] is not set");'."\n";
// Round to eliminate the seconds
- $_SESSION['auto_check_events_not_before'] = $nowtime; // auto_check_events_not_before is rounded to previous minute
+ $_SESSION['auto_check_events_not_before'] = $nowtime;
}
print 'var nowtime = ' . $nowtime . ';' . "\n";
print 'var login = \'' . $_SESSION['dol_login'] . '\';' . "\n";
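Review bot: The last context line interpolates `$_SESSION['dol_login']` into a JavaScript string literal with no escaping; if a login may contain a quote, a backslash or `</script>` the generated script breaks, and for a self-chosen login it becomes a script-injection vector in the application origin. Emit it through the JSON encoder instead: `print 'var login = ' . json_encode($_SESSION['dol_login']) . ';' . "\n";`, which also handles non-ASCII logins. The session block that is now commented out (including a second `session_set_cookie_params` call that would never run) should be deleted rather than kept as dead code, with a one-line `// session already started by main.inc.php` in its place. The enclosing `if` on the referer check starts before the hunk.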
diff --git a/htdocs/core/js/select2_locale.js.php b/htdocs/core/js/select2_locale.js.php
index 31c6a91bc74..aa62b5a0ec1 100644
--- a/htdocs/core/js/select2_locale.js.php
+++ b/htdocs/core/js/select2_locale.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
require_once '../../main.inc.php';
// Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/timepicker.js.php b/htdocs/core/js/timepicker.js.php
index cc33a5a3933..8342ac9e3ac 100644
--- a/htdocs/core/js/timepicker.js.php
+++ b/htdocs/core/js/timepicker.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
require_once '../../main.inc.php';
// Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e3c6cb7d5cd..8dbc705c5b2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -400,11 +400,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
/**
- * Return a prefix to use for this Dolibarr instance for session or cookie names.
+ * Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
* This prefix is unique for instance and avoid conflict between multi-instances,
- * even when having two instances with one root dir or two instances in virtual servers
+ * even when having two instances with one root dir or two instances in virtual servers.
*
- * @param string $mode '' or 'email'
+ * @param string $mode '' (prefix for session name) or 'email' (prefix for email id)
* @return string A calculated prefix
*/
function dol_getprefix($mode='')
diff --git a/htdocs/document.php b/htdocs/document.php
index 02eb7193675..4e4f18826ef 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -170,9 +170,9 @@ if (! file_exists($original_file_osencoded))
}
// Permissions are ok and file found, so we return it
+top_httphead($type);
header('Content-Description: File Transfer');
if ($encoding) header('Content-Encoding: '.$encoding);
-if ($type) header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
// Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
else header('Content-Disposition: inline; filename="'.$filename.'"');
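Review bot: `top_httphead($type)` is now called unconditionally, whereas the removed line only sent a Content-Type when `$type` was non-empty; with an empty string the helper takes its `else` branch and emits a bare `Content-Type:` header, and the `nosniff` it also sends stops the browser from guessing, so untyped downloads may be mishandled. A file-download endpoint is better served by an explicit fallback than by none: `top_httphead($type ? $type : 'application/octet-stream');`. Note also that the removed code appended the charset to every `text/*` type while the helper adds it only for exactly `text/html`, so `text/plain` or `text/csv` downloads lose their charset with this change. How `$type` is derived is above the hunk.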
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 840fa709ddf..6da4125a56c 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -384,7 +384,8 @@ function pHeader($subtitle,$next,$action='set',$param='',$forcejqueryurl='',$css
// We force the content charset
header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
print ''."\n";
print ''."\n";
print ''."\n";
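Review bot: Only `nosniff` is added here while the `top_httphead()` helper introduced in the same commit also sends `X-Frame-Options: SAMEORIGIN`; the installer, which presumably collects database and admin credentials, is the place where framing protection matters most. Add `header("X-Frame-Options: SAMEORIGIN");` next to the new line, or have `pHeader()` delegate to `top_httphead()` if `main.inc.php` is loaded in the install context, which I cannot confirm from this hunk. `pHeader()` continues past the hunk.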
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ab92df9ca12..11dccf47ade 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -197,6 +197,7 @@ $sessionname='DOLSESSID_'.$prefix;
$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
session_name($sessionname);
+session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
session_start();
if (ini_get('register_globals')) // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
{
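Review bot: The new `session_set_cookie_params(0, '/', null, false, true)` hard-codes the `secure` flag to `false`, so on an HTTPS deployment the session cookie is still sent over plain HTTP if the site is ever reachable that way. Derive it from the request instead: `$secure = (! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');` then `session_set_cookie_params(0, '/', null, $secure, true);` (deployments behind a TLS-terminating proxy will need their own signal, which this hunk does not show). The same hard-coded call is repeated at the two later session restarts in this file and should take the same value. Separately, the context line just above feeds `$_COOKIE[$sessiontimeout]` straight into `ini_set('session.gc_maxlifetime', ...)`; casting it, `(int) $_COOKIE[$sessiontimeout]`, would stop a client from placing an arbitrary string in that setting.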
@@ -528,6 +529,7 @@ if (! defined('NOLOGIN'))
dol_syslog('User not found, connexion refused');
session_destroy();
session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
session_start(); // Fixing the bug of register_globals here is useless since session is empty
if ($resultFetchUser == 0)
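Review bot: The cookie-parameter call is now duplicated verbatim at three session starts in this file; when the flags change (for instance to set `secure` on HTTPS) one copy will be missed. Factor it into a small helper beside the `session_name()` call, e.g. `function dol_session_start($name) { session_name($name); session_set_cookie_params(0, '/', null, false, true); session_start(); }`, and call it from the three sites. The enclosing `if (! defined('NOLOGIN'))` block starts before the hunk.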
@@ -586,6 +588,7 @@ if (! defined('NOLOGIN'))
dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
session_destroy();
session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
session_start(); // Fixing the bug of register_globals here is useless since session is empty
if ($resultFetchUser == 0)
@@ -967,19 +970,22 @@ if (! function_exists("llxHeader"))
/**
* Show HTTP header
*
+ * @param string $contenttype Content type. For example, 'text/html'
* @return void
*/
-function top_httphead()
+function top_httphead($contenttype='text/html')
{
global $conf;
- //header("Content-type: text/html; charset=UTF-8");
- header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client);
+ else header("Content-Type: ".$contenttype);
+ header("X-Content-Type-Options: nosniff");
+ header("X-Frame-Options: SAMEORIGIN");
+
// On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
- if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
+ /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
ob_start("ob_gzhandler");
- }
+ }*/
}
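Review bot: The gzip block is commented out rather than removed, with no explanation, so bit 3 of `MAIN_OPTIMIZE_SPEED` now silently does nothing; either delete the block and record the reason in a comment (`// On-the-fly gzip removed: ...`) or keep it working. If the motivation was that compressing pages that echo user-controlled input leaks secrets (BREACH-style), that is worth writing down, though I cannot tell from the hunk. The docblock should also state that the function now emits `X-Content-Type-Options: nosniff` and `X-Frame-Options: SAMEORIGIN` for every content type, since the `.css.php`/`.js.php` callers converted in this commit inherit both. Minor: `$contenttype == 'text/html'` should be `===`, and an empty `$contenttype` falls through to `header("Content-Type: ")`, so callers must not pass an unset type (document.php can, as converted here).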
/**
diff --git a/htdocs/paybox/lib/paybox.lib.php b/htdocs/paybox/lib/paybox.lib.php
index 922679bcb86..ca5fd6a71ad 100644
--- a/htdocs/paybox/lib/paybox.lib.php
+++ b/htdocs/paybox/lib/paybox.lib.php
@@ -36,7 +36,8 @@ function llxHeaderPaybox($title, $head = "")
global $user, $conf, $langs;
header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
print '';
//print '';
print "\n";
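Review bot: `llxHeaderPaybox()` gains `nosniff` but not the `X-Frame-Options: SAMEORIGIN` that `top_httphead()` now sends for every other page, so this payment page stays frameable by third-party sites. Unless Paybox itself needs to embed this page, add `header("X-Frame-Options: SAMEORIGIN");` after the new line for consistency with the helper; the same applies to `print_paybox_redirect()` below. The function body continues past the hunk.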
@@ -171,7 +172,8 @@ function print_paybox_redirect($PRICE,$CURRENCY,$EMAIL,$urlok,$urlko,$TAG)
dol_syslog("PBX_TYPEPAIEMENT: $PBX_TYPEPAIEMENT", LOG_DEBUG);
header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
print ''."\n";
print ''."\n";
print "\n";
diff --git a/htdocs/paypal/lib/paypal.lib.php b/htdocs/paypal/lib/paypal.lib.php
index 4c1cb588f1f..b1be8f56647 100644
--- a/htdocs/paypal/lib/paypal.lib.php
+++ b/htdocs/paypal/lib/paypal.lib.php
@@ -35,7 +35,8 @@ function llxHeaderPaypal($title, $head = "")
global $user, $conf, $langs;
header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
$appli='Dolibarr';
if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
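Review bot: As with the Paybox header, `llxHeaderPaypal()` adds `nosniff` only; the public payment page remains frameable while every page going through `top_httphead()` now gets `X-Frame-Options: SAMEORIGIN`. Add `header("X-Frame-Options: SAMEORIGIN");` after the new line unless this page is intentionally embedded by the provider, which the hunk does not show. The function continues past the hunk.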
diff --git a/htdocs/projet/jsgantt_language.js.php b/htdocs/projet/jsgantt_language.js.php
index f6b5799bda0..7aafd97fb45 100644
--- a/htdocs/projet/jsgantt_language.js.php
+++ b/htdocs/projet/jsgantt_language.js.php
@@ -34,8 +34,8 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
require_once __DIR__.'/../main.inc.php';
-// Define css type
-header('Content-type: text/javascript');
+// Define mime type
+top_httphead('text/javascript');
global $langs;
?>
diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php
index 869dace222d..16aa40b246d 100644
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
@@ -207,7 +207,8 @@ function pHeader($soutitre,$next,$action='none')
// On force contenu dans format sortie
header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
print ''."\n";
print ''."\n";
print ''."\n";
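Review bot: This `pHeader()` hand-rolls the same headers `top_httphead()` now centralises, and like the installer variant it adds `nosniff` without `X-Frame-Options: SAMEORIGIN`. Add `header("X-Frame-Options: SAMEORIGIN");` after the new line, or delegate to `top_httphead()` if the support pages load `main.inc.php`, which I cannot tell from this hunk. `pHeader()` continues past the hunk.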
diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php
index 9de83c3bd97..f923413da4c 100644
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
@@ -45,7 +45,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
// Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
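Review bot: The stylesheet is generated after loading the logged-in user on the context line above the `top_httphead('text/css')` call, yet the response is still marked `Cache-Control: max-age=3600, public`; if any emitted rule depends on that user (theme or per-user options, which I cannot see here), a shared cache could serve one user's CSS to another. If the output is user-dependent, change the header to `Cache-Control: max-age=3600, private, must-revalidate`; if it is user-independent, a comment saying so next to the `$user->fetch` would reassure the next reader. The same pattern appears in the md theme hunk.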
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index e6809a2c574..3bd33b07225 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -46,7 +46,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
// Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
// Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
else header('Cache-Control: no-cache');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index f69c7e4e4aa..4f1ef007f1f 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -191,13 +191,13 @@ else // Open and return file
// Les drois sont ok et fichier trouve
if ($type)
{
+ top_httphead($type);
header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: '.$type);
}
else
{
+ top_httphead('image/png');
header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: image/png');
}
$original_file_osencoded=dol_osencode($original_file);
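Review bot: Both branches emit the identical `Content-Disposition` line and differ only in the type, so the `if/else` collapses to `top_httphead($type ? $type : 'image/png'); header('Content-Disposition: inline; filename="'.basename($original_file).'"');`. More important, with `nosniff` now sent the declared `$type` is final: if `$type` can be derived from a stored file's extension (its origin is above the hunk) and can reach a script-capable type such as `text/html` or `image/svg+xml`, serving it `inline` lets an uploaded file execute in the application origin, so restricting `$type` here to raster image types, or forcing `attachment` for anything else, is worth considering.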
|