security improvement by adding id to securekey before encryption

This commit is contained in:
Dorian Vabre 2021-04-13 10:40:33 +02:00
parent 7644174c4a
commit caeb357aab
2 changed files with 25 additions and 9 deletions


@ -494,10 +494,15 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
//unset($object->fields['fk_project']); // Hide field already shown in banner
//unset($object->fields['fk_soc']); // Hide field already shown in banner
global $dolibarr_main_url_root;
$link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id=';
$key = 'DV3PH';
$link_subscription .= dol_encode($id, $key);
$link_subscription .= '&securekey='.urlencode($conf->global->EVENTORGANIZATION_SECUREKEY);
$keyforid = 'DV3PH';
$encodedid = dol_encode($id, $keyforid);
$link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid;
$keyforsecurekey = 'CGLOO';
$encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$id, $keyforsecurekey);
$link_subscription .= '&securekey='.urlencode($encodedsecurekey);
$object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1);
$object->pubregister = $link_subscription;
$keyforbreak='pubregister';
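Review bot: The id binding on the new `$encodedsecurekey` line is only as secret as `$keyforsecurekey`, and that is the literal `'CGLOO'` in source, so anyone holding one valid link can run the matching decode with the same constant, read `EVENTORGANIZATION_SECUREKEY`, and mint a token for any other id; I cannot see `dol_encode`, but a fixed public key cannot make it an authentication primitive. A keyed hash gives the intended property with no new dependency: `$encodedsecurekey = hash_hmac('sha256', (string) $id, $conf->global->EVENTORGANIZATION_SECUREKEY);` — the secret never leaves the server and the token is valid for one id only, with the verifier in attendee_subscription.php recomputing it and comparing via `hash_equals`. Hex output needs no `urlencode`, though keeping it is harmless. These are top-level statements inside an `if` whose start and end lie outside the hunk.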


@ -75,13 +75,24 @@ $error = 0;
$backtopage = GETPOST('backtopage', 'alpha');
$action = GETPOST('action', 'aZ09');
$key = 'DV3PH';
$id = dol_decode(GETPOST('id'), $key);
$email = GETPOST("email");
// Securekey check
$securekey = GETPOST('securekey', 'alpha');
if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY) {
// Getting id from Post and decoding it
$encodedid = GETPOST('id');
$keyforid = 'DV3PH';
$id = dol_decode($encodedid, $keyforid);
// Getting 'securekey'.'id' from Post and decoding it
$encodedsecurekeyandid = GETPOST('securekey', 'alpha');
$keyforsecurekey = 'CGLOO';
$securekeyandid = dol_decode($encodedsecurekeyandid, $keyforsecurekey);
// Securekey decomposition into pure securekey and id added at the end
$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($id));
$idgotfromsecurekey = substr($securekeyandid, -strlen($id), strlen($id));
// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {
print $langs->trans('MissingOrBadSecureKey');
exit;
}
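Review bot: The new check on the `if ($securekey != ...` line still accepts forged tokens, because the decoding key `$keyforsecurekey = 'CGLOO'` is a constant in public source: whoever holds one link can decode it, read `EVENTORGANIZATION_SECUREKEY`, and re-encode it with any id, so the id binding added here only stops naive URL editing; I cannot see `dol_decode`, but a fixed key cannot turn it into a MAC. The comparison is also a loose `!=` on the secret rather than a constant-time compare, and when `$id` decodes to `''` the `substr` split makes `$idgotfromsecurekey` equal to `$id` trivially, so the id check is vacuous in that case. Replace the decode/split/compare with a keyed hash recomputed server-side: `$expected = hash_hmac('sha256', (string) $id, $conf->global->EVENTORGANIZATION_SECUREKEY);` followed by `if ($id === '' || !hash_equals($expected, (string) GETPOST('securekey', 'alpha'))) {`, with the link generator in the other file of this commit producing the same HMAC. It is also worth confirming that the `'alpha'` GETPOST filter does not strip characters `dol_encode` can emit, since the generator URL-encodes the value, which suggests it may.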