diff --git a/htdocs/compta/facture/fiche-rec.php b/htdocs/compta/facture/fiche-rec.php index 39f913fbf76..25cf3f45fb1 100644 --- a/htdocs/compta/facture/fiche-rec.php +++ b/htdocs/compta/facture/fiche-rec.php @@ -776,7 +776,7 @@ if (empty($reshook)) $array_options = $extrafieldsline->getOptionalsFromPost($object->table_element_line); $objectline = new FactureLigneRec($db); - if ($objectline->fetch(GETPOST('lineid'))) + if ($objectline->fetch(GETPOST('lineid', 'int'))) { $objectline->array_options=$array_options; $result=$objectline->insertExtraFields(); @@ -786,6 +786,8 @@ if (empty($reshook)) } } + $position = ($objectline->rang >= 0 ? $objectline->rang : 0); + // Unset extrafield if (is_array($extralabelsline)) { @@ -797,8 +799,8 @@ if (empty($reshook)) } // Define special_code for special lines - $special_code=GETPOST('special_code'); - if (! GETPOST('qty')) $special_code=3; + $special_code=GETPOST('special_code', 'int'); + if (! GETPOST('qty', 'alpha')) $special_code=3; /*$line = new FactureLigne($db); $line->fetch(GETPOST('lineid')); @@ -834,11 +836,11 @@ if (empty($reshook)) $error ++; } } else { - $type = GETPOST('type'); + $type = GETPOST('type', 'int'); $label = (GETPOST('product_label') ? GETPOST('product_label') : ''); // Check parameters - if (GETPOST('type') < 0) { + if (GETPOST('type', 'int') < 0) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Type")), null, 'errors'); $error ++; } @@ -870,7 +872,7 @@ if (empty($reshook)) 0, 0, $type, - 0, + $position, $special_code, $label, GETPOST('units'), diff --git a/htdocs/core/tpl/ajaxrow.tpl.php b/htdocs/core/tpl/ajaxrow.tpl.php index 8971dc2a919..0b92df1e519 100644 --- a/htdocs/core/tpl/ajaxrow.tpl.php +++ b/htdocs/core/tpl/ajaxrow.tpl.php @@ -66,13 +66,15 @@ $(document).ready(function(){ var fk_element = ""; var element_id = ""; var filepath = ""; + var token = ""; // We use old 'token' and not 'newtoken' for Ajax call because the ajax page has the NOTOKENRENEWAL constant set. $.post("/core/ajax/row.php", { roworder: roworder, table_element_line: table_element_line, fk_element: fk_element, element_id: element_id, - filepath: filepath + filepath: filepath, + token: token }, function() { console.log("tableDND end of ajax call"); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 6f51078fc8c..b9069c382ce 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -252,6 +252,7 @@ if (isset($_SERVER["HTTP_USER_AGENT"])) if ($conf->browser->layout == 'phone') $conf->dol_no_mouse_hover=1; } + // Force HTTPS if required ($conf->file->main_force_https is 0/1 or https dolibarr root url) // $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off' if (! empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on')) @@ -359,6 +360,7 @@ if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf-> { if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOSTISSET('token')) // Note, offender can still send request by GET { + dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided."); print "Access by POST method refused by CSRF protection in main.inc.php. Token not provided.\n"; print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n"; die; @@ -368,9 +370,9 @@ if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf-> //{ if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token']) { - dol_syslog("Invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); + dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. - if ($conf->global->MAIN_FEATURES_LEVEL>1) setEventMessages('Unset POST by CSRF protection in main.inc.php.', null, 'warnings'); + if ($conf->global->MAIN_FEATURES_LEVEL>1) setEventMessages('Unset POST by CSRF protection in main.inc.php.'."
\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings'); unset($_POST); unset($_GET['confirm']); } diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index 3a207088c37..725a5176a20 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -741,7 +741,7 @@ if (empty($reshook)) { require_once DOL_DOCUMENT_ROOT .'/core/lib/files.lib.php'; // the dir dirname($newfile) is directory of logo, so we should have only one file at once into index, so we delete indexes for the dir - deleteFilesIntoDatabaseIndex(dirname($newfile), '', '', 'uploaded', 1); + deleteFilesIntoDatabaseIndex(dirname($newfile), '', ''); // now we index the uploaded logo file addFileIntoDatabaseIndex(dirname($newfile), basename($newfile), '', 'uploaded', 1); }