From df37827eb7910736ec70708a5a144e8d5568cae7 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 15 May 2009 12:13:23 +0000
Subject: [PATCH] =?UTF-8?q?Todo:=20faille=20CSRF=20--=20creation=20d'un=20?=
 =?UTF-8?q?jeton=20al=E9atoire=20pour=20valider=20les=20requetes=20POST?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/admin/const.php | 11 ++++++++++-
 htdocs/main.inc.php | 5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index e4f0ea50c48..0a1889e2179 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -30,10 +30,16 @@ require_once(DOL_DOCUMENT_ROOT."/lib/admin.lib.php");
 $langs->load("admin");
-//Todo protection faille CSRF !!!
+//Todo: protection faille CSRF !!!
 if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER'])) accessforbidden();
+//Todo: Verification de la presence et de la validite du jeton précédent
+if (isset($_POST['token']) && isset($_SESSION['oldtoken']))
+{
+ if ($_POST['token'] != $_SESSION['oldtoken']) accessforbidden();
+}
+
 if (!$user->admin) accessforbidden();
@@ -141,6 +147,9 @@ if ($result)
 print '';
 print '';
 print '';
+
+ // Ajout du nouveau jeton dans les requetes POST
+ print '';
 print "$obj->name\n";
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 65c05d4051a..b089ec30951 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
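Review bot: The new token check in const.php is skipped whenever `token` is absent from the request or `oldtoken` is absent from the session, because both are wrapped in the outer `isset()` guard; a forged POST that simply omits the field is never compared, so as written the check rejects nothing. The guard should be inverted so that a POST is denied when the token is missing or differs: `if ($_SERVER['REQUEST_METHOD'] == 'POST' && (empty($_POST['token']) || empty($_SESSION['oldtoken']) || $_POST['token'] !== $_SESSION['oldtoken'])) accessforbidden();`. Use `!==` rather than `!=`, since PHP's loose comparison treats two hex digests of the form `0e…` as equal numeric strings. The referer test on the context line above is not a fallback, as `eregi` performs an unanchored pattern match and the header is client-supplied. The trailing context lines of this hunk appear to have been collapsed in this rendering, so anything after `if (!$user->admin)` is not visible here.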
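Review bot: The hidden-field line added after the third `print ''` in the second const.php hunk is the only place the token reaches the browser, and its string content was stripped in this rendering, so it cannot be confirmed that it emits `$_SESSION['newtoken']` under the field name `token` that the check at the top of the file reads from `$_POST['token']`; a comment naming the pair would make the contract explicit, e.g. `// hidden field 'token' carries $_SESSION['newtoken']; verified against $_SESSION['oldtoken'] at the top of this file`. The enclosing `if ($result)` block begins and ends outside the hunk, so if the page renders more than one form, each form needs the same field or its submission will be refused once the check is enforced.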
@@ -168,6 +168,11 @@ session_name($sessionname);
 session_start();
 dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".(isset($_SESSION["dol_login"])?$_SESSION["dol_login"]:'').", ".ini_get("session.gc_maxlifetime"));
+//Todo: Creation d'un jeton contre les failles CSRF
+$token = md5(uniqid(rand(),TRUE)); // Genere un hash d'un nombre aleatoire
+$_SESSION['oldtoken'] = $_SESSION['newtoken']; // roulement des jetons car créé à chaque appel
+$_SESSION['newtoken'] = $token;
+
 // Retrieve the entity in login form or in the cookie.
 // This must be after the init of session (session_start) or this create serious pb of corrupted session.
 /*
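Review bot: The token is regenerated and rotated on every request that passes through main.inc.php, so a form rendered with `newtoken` is only valid for the very next request; any intervening request from the same session (a second tab, a script or image served through this include, a prefetch) moves the form's value out of `oldtoken` and the legitimate POST is refused. A single per-session token gives the same CSRF protection without that breakage: `if (empty($_SESSION['newtoken'])) $_SESSION['newtoken'] = md5(uniqid(rand(), TRUE));`, with the consumer comparing against that one key and the value regenerated at login. On the first request of a session `$_SESSION['newtoken']` is not yet set, so the assignment to `oldtoken` raises a notice and stores null. `md5(uniqid(rand(), TRUE))` is not a cryptographic source, since `rand()` is predictably seeded and `uniqid` is derived from the clock; the value should come from the platform CSPRNG (`bin2hex(random_bytes(16))` on current PHP, or bytes read from `/dev/urandom` on the PHP of this commit's era).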