From c71488e58bb3beddd2b3c161a6f770e85ce8111e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 29 May 2017 15:09:13 +0200 Subject: [PATCH 1/3] Removed deprecated code --- htdocs/core/lib/security2.lib.php | 1 - htdocs/core/lib/usergroups.lib.php | 1 - htdocs/main.inc.php | 7 ++++--- htdocs/user/passwordforgotten.php | 1 - 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index b6b8d4ddd72..3f41e74b7f6 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -156,7 +156,6 @@ function dol_loginfunction($langs,$conf,$mysoc) // Note: $conf->css looks like '/theme/eldy/style.css.php' $conf->css = "/theme/".(GETPOST('theme','alpha')?GETPOST('theme','alpha'):$conf->theme)."/style.css.php"; - //$themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1); $themepath=dol_buildpath($conf->css,1); if (! empty($conf->modules_parts['theme'])) // Using this feature slow down application { diff --git a/htdocs/core/lib/usergroups.lib.php b/htdocs/core/lib/usergroups.lib.php index 3086e7d264a..1c919237f44 100644 --- a/htdocs/core/lib/usergroups.lib.php +++ b/htdocs/core/lib/usergroups.lib.php @@ -326,7 +326,6 @@ function show_theme($fuser,$edit=0,$foruserprofile=false) $formother = new FormOther($db); - //$dirthemes=array(empty($conf->global->MAIN_FORCETHEMEDIR)?'/theme':$conf->global->MAIN_FORCETHEMEDIR.'/theme'); $dirthemes=array('/theme'); if (! empty($conf->modules_parts['theme'])) // Using this feature slow down application { diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index da9e65f47ce..730c2caba4a 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
@@ -1005,8 +1005,10 @@ function top_httphead($contenttype='text/html') if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client); else header("Content-Type: ".$contenttype); - header("X-Content-Type-Options: nosniff"); - header("X-Frame-Options: SAMEORIGIN"); + // Security options + header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) + header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + // TODO Content-Security-Policy // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { @@ -1121,7 +1123,6 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs print ''."\n"; // Output style sheets (optioncss='print' or ''). Note: $conf->css looks like '/theme/eldy/style.css.php' - //$themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1); $themepath=dol_buildpath($conf->css,1); $themesubdir=''; if (! empty($conf->modules_parts['theme'])) // This slow down diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 6530a4f8536..0e906fe0738 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -173,7 +173,6 @@ else // Note: $conf->css looks like '/theme/eldy/style.css.php' $conf->css = "/theme/".(GETPOST('theme','alpha')?GETPOST('theme','alpha'):$conf->theme)."/style.css.php"; -//$themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1); $themepath=dol_buildpath($conf->css,1); if (! empty($conf->modules_parts['theme'])) // This slow down { 
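Review bot: The comment added to the X-Frame-Options line in top_httphead says the header stops "some XSS attacks", but that header only controls whether the page may be embedded in a frame, so what it mitigates is clickjacking (UI redress), not script injection; the comment should read `header("X-Frame-Options: SAMEORIGIN"); // Page may only be framed by pages of the same origin (clickjacking protection)`. The parenthetical on the nosniff line ("most browsers now force this option to on") is also doubtful: browsers honour nosniff when the header is present, and the important effect is that script and stylesheet responses with the wrong Content-Type are refused rather than sniffed, so `// Forbid MIME sniffing: the browser must honour the declared Content-Type` states the actual guarantee. top_httphead's body continues past the end of the hunk.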
From 400b3320aa60ecd2255278fe66555febaeeb8cad Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 29 May 2017 15:20:50 +0200 Subject: [PATCH 2/3] NEW Introduction option MAIN_HTTP_CONTENT_SECURITY_POLICY --- htdocs/main.inc.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 730c2caba4a..26f455131cd 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -1008,7 +1008,15 @@ function top_httphead($contenttype='text/html') // Security options header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) - // TODO Content-Security-Policy + if (! empty($conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY)) + { + // For example, to restrict script, object, frames or img to some domains + // script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; child-src https://youtube.com; img-src: https://static.example.com + // For example, to restrict everything to one domain, except object, ... + // default-src https://cdn.example.net; object-src 'none' + header("Content-Security-Policy: ".$conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY); + } + // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { From 59ab9a442199d1907543c833c76f9c57fc4b8171 Mon Sep 17 00:00:00 2001 
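Review bot: The example policy in the new comment, `img-src: https://static.example.com`, is not valid CSP syntax: directive names are never followed by a colon, so an administrator who copies it into MAIN_HTTP_CONTENT_SECURITY_POLICY gets that directive silently ignored by the browser; it should be `img-src https://static.example.com`. The constant is also concatenated into the header untouched; PHP's header() refuses a value containing a line break, so a stray newline in the stored option would make the whole policy vanish without a visible error, and `header("Content-Security-Policy: ".trim($conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY));` avoids that. A one-line hint in the comment that a new policy is best validated first via the Content-Security-Policy-Report-Only header would save administrators from locking themselves out of their own scripts. top_httphead's body continues past the end of the hunk.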
From: Laurent Destailleur Date: Mon, 29 May 2017 15:25:37 +0200 Subject: [PATCH 3/3] FIX #6850 --- htdocs/admin/bank.php | 2 +- htdocs/admin/bank_extrafields.php | 2 +- htdocs/admin/chequereceipts.php | 5 +++-- htdocs/admin/commande.php | 1 + htdocs/admin/contract.php | 1 + htdocs/admin/expedition.php | 1 + htdocs/admin/expensereport.php | 1 + htdocs/admin/facture.php | 1 + htdocs/admin/fichinter.php | 1 + htdocs/admin/livraison.php | 1 + htdocs/admin/propal.php | 1 + htdocs/admin/supplier_invoice.php | 1 + htdocs/admin/supplier_order.php | 1 + htdocs/admin/supplier_proposal.php | 1 + 14 files changed, 16 insertions(+), 4 deletions(-) diff --git a/htdocs/admin/bank.php b/htdocs/admin/bank.php index 8ed1e3cd9ac..afe60acff2e 100644 --- a/htdocs/admin/bank.php +++ b/htdocs/admin/bank.php @@ -166,7 +166,7 @@ $linkback=''.$langs->trans("BackToM print load_fiche_titre($langs->trans("BankSetupModule"),$linkback,'title_setup'); $head = bank_admin_prepare_head(null); -dol_fiche_head($head, 'general', $langs->trans("BankSetupModule"), 0, 'account'); +dol_fiche_head($head, 'general', $langs->trans("BankSetupModule"), -1, 'account'); $var=true; diff --git a/htdocs/admin/bank_extrafields.php b/htdocs/admin/bank_extrafields.php index 2d03c51e34d..794483350f1 100644 --- a/htdocs/admin/bank_extrafields.php +++ b/htdocs/admin/bank_extrafields.php @@ -71,7 +71,7 @@ print load_fiche_titre($langs->trans("BankSetupModule"),$linkback,'title_setup') $head = bank_admin_prepare_head(null); -dol_fiche_head($head, 'attributes', $langs->trans("BankSetupModule"), 0, 'account'); +dol_fiche_head($head, 'attributes', $langs->trans("BankSetupModule"), -1, 'account'); require DOL_DOCUMENT_ROOT.'/core/tpl/admin_extrafields_view.tpl.php'; diff --git a/htdocs/admin/chequereceipts.php b/htdocs/admin/chequereceipts.php index fd1da0c328b..bc55eb4b9f6 100644 --- a/htdocs/admin/chequereceipts.php +++ b/htdocs/admin/chequereceipts.php 
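Review bot: The fourth argument of dol_fiche_head changes from 0 to -1 in this hunk and again in bank_extrafields.php and chequereceipts.php, but nothing at the call sites says what -1 selects, so the fix for #6850 reads as a magic number; a short comment on the call, such as `// 4th arg -1: see dol_fiche_head for the tab-rendering mode this selects`, worded to match what the parameter actually does, would keep the three call sites understandable. Since all three pages share bank_admin_prepare_head(), I would also confirm that any other page built on that head list received the same value, otherwise the bank setup tabs will render inconsistently between pages; only these three are visible here.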
@@ -27,6 +27,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/bank.lib.php'; require_once DOL_DOCUMENT_ROOT.'/compta/paiement/cheque/class/remisecheque.class.php'; @@ -71,7 +72,7 @@ if ($action == 'updateMask') if ($action == 'setmod') { - dolibarr_set_const($db, "CHEQUERECEIPTS_ADDON",$value,'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "CHEQUERECEIPTS_ADDON",$value, 'chaine', 0, '', $conf->entity); } if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT') @@ -105,7 +106,7 @@ $linkback=''.$langs->trans("BackToM print load_fiche_titre($langs->trans("BankSetupModule"),$linkback,'title_setup'); $head = bank_admin_prepare_head(null); -dol_fiche_head($head, 'checkreceipts', $langs->trans("BankSetupModule"), 0, 'account'); +dol_fiche_head($head, 'checkreceipts', $langs->trans("BankSetupModule"), -1, 'account'); /* * Numbering module diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index a4680f4d16e..d60144a3492 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -32,6 +32,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/order.lib.php'; diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 37c0b9bccde..4c0a9572761 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php @@ -24,6 +24,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/contract.lib.php'; 
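Review bot: The `require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php';` added here is repeated one page at a time in commande.php, contract.php, expedition.php, expensereport.php, facture.php, fichinter.php, livraison.php, propal.php, supplier_invoice.php, supplier_order.php and supplier_proposal.php, which suggests the function that needs it is called from code shared by all these admin pages rather than from each page itself. If that is the case, requiring pdf.lib.php once from that shared code (or from admin.lib.php, which every one of these pages already loads) would fix #6850 for the next admin page as well, instead of relying on each page author to remember the extra require; I cannot see the failing call from this diff, so this is an inference to verify. The whitespace-only change to the dolibarr_set_const call in the second hunk of this file is unrelated to the fix and could be left out of it.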
diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index d31b788a1ab..3c89960ede6 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php @@ -30,6 +30,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/expedition.lib.php'; require_once DOL_DOCUMENT_ROOT.'/expedition/class/expedition.class.php'; diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index b8626827595..eefe5747abd 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -30,6 +30,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/expensereport.lib.php'; require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php'; diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index d89c9711e3f..77230dc3f68 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php @@ -29,6 +29,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/invoice.lib.php'; require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index d99fd9456d9..3ce82ce59cb 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -30,6 +30,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/fichinter.lib.php'; require_once DOL_DOCUMENT_ROOT.'/fichinter/class/fichinter.class.php'; diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index 143c54ec24d..74081266f43 100644 
--- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -30,6 +30,7 @@ */ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/expedition.lib.php'; require_once DOL_DOCUMENT_ROOT.'/livraison/class/livraison.class.php'; diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index 6a9884e263c..7c8413a28a6 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php @@ -30,6 +30,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/propal.lib.php'; $langs->load("admin"); diff --git a/htdocs/admin/supplier_invoice.php b/htdocs/admin/supplier_invoice.php index de128184d18..d408657ac8c 100644 --- a/htdocs/admin/supplier_invoice.php +++ b/htdocs/admin/supplier_invoice.php @@ -29,6 +29,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/fourn.lib.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php'; diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php index 030a507ce20..acce3a38c7c 100644 --- a/htdocs/admin/supplier_order.php +++ b/htdocs/admin/supplier_order.php @@ -29,6 +29,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/fourn.lib.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; 
diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index 8fc0c4877c8..8a8d2a181a4 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php @@ -25,6 +25,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/pdf.lib.php'; require_once DOL_DOCUMENT_ROOT.'/supplier_proposal/class/supplier_proposal.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/supplier_proposal.lib.php'; $langs->load("admin");