FIX Yogosha report 4456 (backport)

htdocs/conf/conf.php.example

@@ -217,10 +217,10 @@ $dolibarr_main_authentication='dolibarr';
 // 1 = Force redirect to https, until SCRIPT_URI start with https into response
 // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response
 // 'https://my.domain.com' = Force reditect to https using this domain name.
-// Warning: If you enable this parameter, your web server must be configured to
-// respond URL with https protocol.
-// According to your web server setup, some values may works and other not. Try
-// different values (1,2 or 'https://my.domain.com') if you experience problems.
+// Warning: If you enable this parameter, your web server must be configured to respond URL with https protocol.
+// According to your web server setup, some values may works and other not. Try different values (1,2 or 'https://my.domain.com') if you experience problems.
+// Even if a redirect to HTTPS is forced by the webserver, it is recommanded to set this value to another value than 0, so your session cookies will be
+// flagged as secured.
 // Default value: 0
 // Possible values: 0, 1, 2 or 'https://my.domain.com'
 // Examples:
@@ -231,12 +231,12 @@ $dolibarr_main_force_https='0';
 // dolibarr_main_prod
 // When this parameter is defined, all errors messages are not reported.
 // This feature exists for production usage to avoid to give any information to hackers.
-// Default value: 0
+// Default value: 1
 // Possible values: 0 or 1
 // Examples:
-// $dolibarr_main_prod='0';
+// $dolibarr_main_prod='1';
 //
-$dolibarr_main_prod='0';
+$dolibarr_main_prod='1';
 
 // $dolibarr_main_restrict_os_commands
 // To restrict commands you can execute by the backup feature, enter allowed command here.
@@ -258,8 +258,8 @@ $dolibarr_main_restrict_ip='';
 
 // dolibarr_nocsrfcheck
 // This parameter can be used to disable CSRF protection.
-// This might be required if you access Dolibarr behind a proxy that make
-// URL rewriting, to avoid false alarms.
+// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms.
+// In most cases, you should always keep this to 0.
 // Default value: 0
 // Possible values: 0 or 1
 // Examples:
@@ -267,6 +267,12 @@ $dolibarr_main_restrict_ip='';
 //
 $dolibarr_nocsrfcheck='0';
 
+// dolibarr_cron_allow_cli
+// If set to 1, you will be able to define some command line in the internal Job scheduler (cronjob) module.
+// Default value: '0'
+// Examples: '1'
+$dolibarr_cron_allow_cli='0';
+
 // dolibarr_mailing_limit_sendbyweb
 // Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
 // Default value: '25'

htdocs/cron/class/cronjob.class.php

@@ -1168,23 +1168,32 @@ class Cronjob extends CommonObject
 		// Run a command line
 		if ($this->jobtype=='command')
 		{
-			$outputdir = $conf->cron->dir_temp;
-			if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp;
+			global $dolibarr_cron_allow_cli;
 
-			if (! empty($outputdir))
-			{
-				dol_mkdir($outputdir);
-				$outputfile=$outputdir.'/cronjob.'.$userlogin.'.out';	// File used with popen method
+			if (empty($dolibarr_cron_allow_cli)) {
+				$langs->load("errors");
+				$this->error      = $langs->trans("FailedToExecutCommandJob");
+				$this->lastoutput = '';
+				$this->lastresult = $langs->trans("ErrorParameterMustBeEnabledToAllwoThisFeature", 'dolibarr_cron_allow_cli');
+			} else {
+				$outputdir = $conf->cron->dir_temp;
+				if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp;
 
-				// Execute a CLI
-				include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php';
-				$utils = new Utils($this->db);
-				$arrayresult = $utils->executeCLI($this->command, $outputfile);
+				if (!empty($outputdir))
+				{
+					dol_mkdir($outputdir);
+					$outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method
 
-				$retval = $arrayresult['result'];
-				$this->error      = $arrayresult['error'];
-				$this->lastoutput = $arrayresult['output'];
-				$this->lastresult = $arrayresult['result'];
+					// Execute a CLI
+					include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php';
+					$utils = new Utils($this->db);
+					$arrayresult = $utils->executeCLI($this->command, $outputfile);
+
+					$retval = $arrayresult['result'];
+					$this->error      = $arrayresult['error'];
+					$this->lastoutput = $arrayresult['output'];
+					$this->lastresult = $arrayresult['result'];
+				}
 			}
 		}
 

htdocs/langs/en_US/errors.lang

@@ -218,6 +218,7 @@ ErrorVariableKeyForContentMustBeSet=Error, the constant with name %s (with text
 ErrorURLMustStartWithHttp=URL %s must start with http:// or https://
 ErrorNewRefIsAlreadyUsed=Error, the new reference is already used
 ErrorDeletePaymentLinkedToAClosedInvoiceNotPossible=Error, delete payment linked to a closed invoice is not possible.
+ErrorParameterMustBeEnabledToAllwoThisFeature=Error, parameter <b>%s</b> must be enabled into <b>conf/conf.php<b> to allow use of Command Line Interface by the internal job scheduler
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
 WarningPasswordSetWithNoAccount=A password was set for this member. However, no user account was created. So this password is stored but can't be used to login to Dolibarr. It may be used by an external module/interface but if you don't need to define any login nor password for a member, you can disable option "Manage a login for each member" from Member module setup. If you need to manage a login but don't need any password, you can keep this field empty to avoid this warning. Note: Email can also be used as a login if the member is linked to a user.
@@ -242,4 +243,4 @@ WarningYourLoginWasModifiedPleaseLogin=Your login was modified. For security pur
 WarningAnEntryAlreadyExistForTransKey=An entry already exists for the translation key for this language
 WarningNumberOfRecipientIsRestrictedInMassAction=Warning, number of different recipient is limited to <b>%s</b> when using the mass actions on lists
 WarningDateOfLineMustBeInExpenseReportRange=Warning, the date of line is not in the range of the expense report
-WarningProjectClosed=Project is closed. You must re-open it first.
+WarningProjectClosed=Project is closed. You must re-open it first.