diff --git a/README.md b/README.md
index 834cc09236e..2cfe4138d62 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ If you don't have time to install it yourself, you can try some commercial 'read
Dolibarr supports upgrading, usually without the need for any (commercial) support (depending on if you use any commercial extensions). It supports upgrading all the way from any version after 2.8 without breakage. This is unique in the ERP ecosystem and a benefit our users highly appreciate!
-- At first make a backup of your Dolibarr files & than [see](https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr)
+- At first make a backup of your Dolibarr files & then [see](https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr)
- Check that your installed PHP version is supported by the new version [see PHP support](./doc/phpmatrix.md).
- Overwrite all old files from 'dolibarr' directory with files provided into the new version's package.
- At first next access, Dolibarr will redirect you to the "install/" page to follow the upgrade process.
diff --git a/SECURITY.md b/SECURITY.md
index 4c7fbaa8fd5..61f4a392db8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,11 +4,11 @@ This file contains some policies about the security reports on Dolibarr ERP CRM
## Supported Versions for security reports
-| Version | Supported |
-| ---------- | ------------------ |
-| <= 14.0.1 | :x: |
-| >= 14.0.2+ | :white_check_mark: |
-
+| Version | Supported |
+| ---------- | ---------------------- |
+| <= 14.0.1 | :x: |
+| >= 14.0.2+ | :white_check_mark: except CSRF attacks|
+| >= develop | :white_check_mark: |
## Reporting a Vulnerability
@@ -54,7 +54,7 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us
* $dolibarr_main_prod must be set to 1 into conf.php
* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value)
* $dolibarr_main_force_https must be set to something else than 0.
-* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be set to 1 soon by default)
+* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 2 into backoffice menu Home - Setup - Other (this protection should be set to 2 soon by default)
* The module DebugBar and ModuleBuilder must NOT be enabled (by default, these modules are not enabled. They are developer tools)
* ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
@@ -90,9 +90,8 @@ Scope is the web application (back office) and the APIs.
* Clickjacking/UI redressing
* Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
* Presence of autocomplete attribute on web forms
-* Vulnerabilities affecting outdated browsers or platforms
+* Vulnerabilities affecting outdated browsers or platforms, or vulnerabilities inside browsers themself.
* Logout and other instances of low-severity Cross-Site Request Forgery
-* Missing cookie flags
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
* Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
diff --git a/dev/tools/github_authors_peryear.sh b/dev/tools/github_authors_and_commits_peryear.sh
similarity index 100%
rename from dev/tools/github_authors_peryear.sh
rename to dev/tools/github_authors_and_commits_peryear.sh
diff --git a/htdocs/accountancy/admin/card.php b/htdocs/accountancy/admin/card.php
index 86efee3a04a..cd48526e62b 100644
--- a/htdocs/accountancy/admin/card.php
+++ b/htdocs/accountancy/admin/card.php
@@ -61,7 +61,7 @@ $object = new AccountingAccount($db);
*/
if (GETPOST('cancel', 'alpha')) {
- $urltogo = $backtopage ? $backtopage : dol_buildpath('/accountancy/admin/account.php', 1);
+ $urltogo = $backtopage ? $backtopage : DOL_URL_ROOT.'/accountancy/admin/account.php';
header("Location: ".$urltogo);
exit;
}
@@ -121,7 +121,7 @@ if ($action == 'add' && $user->rights->accounting->chartofaccount) {
}
if (!$error) {
setEventMessages("RecordCreatedSuccessfully", null, 'mesgs');
- $urltogo = $backtopage ? $backtopage : dol_buildpath('/accountancy/admin/account.php', 1);
+ $urltogo = $backtopage ? $backtopage : DOL_URL_ROOT.'/accountancy/admin/account.php';
header("Location: " . $urltogo);
exit;
}
diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php
index 4be890de7d5..cb931f550d8 100644
--- a/htdocs/accountancy/admin/categories_list.php
+++ b/htdocs/accountancy/admin/categories_list.php
@@ -820,7 +820,7 @@ if ($resql) {
if ($iserasable) {
print '