diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index 855b8aae2a9..7b00ade88e6 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -952,8 +952,8 @@ class Conf
 if (!isset($this->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) {
 // Value 1 makes CSRF check for all POST parameters only
 // Value 2 makes also CSRF check for GET requests with action = a sensitive requests like action=del, action=remove...
-// Value 3 makes also CSRF check for all GET requests with a param action or massaction
-$this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 2;
+// Value 3 makes also CSRF check for all GET requests with a param action or massaction (except some sensitive values)
+$this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 2; // TODO Switch value to 3
 // Note: Set MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL=1 to have a renewal of token at each page call instead of each session (not recommended)
 }
 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 4405d650aec..dc65c49d9a3 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
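Review bot: The new wording on the `// Value 3` line, "(except some sensitive values)", inverts the meaning: the exclusion list that this mode consults in main.inc.php (the second hunk of this commit) exempts actions such as create, edit and presend precisely because they are treated as legitimate, non-sensitive GET actions, so the exemption is for non-sensitive values, not sensitive ones. Suggest `// Value 3 makes also CSRF check for all GET requests with a param action or massaction (except a short list of non-sensitive actions that only display a form, see main.inc.php)`. The added `// TODO Switch value to 3` records the intent but not what currently prevents the stricter default; a short note on the blocker would help whoever picks this up and avoids the TODO going stale. The enclosing method of class Conf starts before this hunk.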
@@ -533,7 +533,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 $sensitiveget = false;
 if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
 // All GET actions and mass actions are processed as sensitive.
-if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'specimen'))) { // We exclude the case action='create' and action='file_manager' that are legitimate
+if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'specimen'))) { // We exclude some action that are legitimate
 $sensitiveget = true;
 }
 } elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {
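Review bot: The new trailing comment "We exclude some action that are legitimate" does not state the property that makes an action safe to exempt from the GET CSRF check, which is what the next maintainer adding an entry to this allowlist needs to know. Suggest replacing it with `// Actions exempted from the GET CSRF check: each must only display a form or preview and never modify data on GET; verify that before adding an entry`. The membership test on the same line is a loose `in_array`; since GETPOST('action', 'aZ09') yields a string, `in_array(GETPOST('action', 'aZ09'), array(...), true)` makes the comparison strict at no cost and matches the project's own reliance on exact action names. The enclosing `if` begins before this hunk (its condition is truncated in the hunk header) and the `elseif` branch continues after it.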