Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix warning when using MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL

Browse Source
This commit is contained in:
Laurent Destailleur
2023-02-06 14:13:37 +01:00
parent 090c04b904
commit 22d3d9cef5
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/js/lib_notification.js.php
View File

@@ -102,7 +102,7 @@ function check_events() {
var newToken = 'notrequired'; var newToken = 'notrequired';
const allMeta = document.getElementsByTagName("meta"); const allMeta = document.getElementsByTagName("meta");
for (let i = 0; i < allMeta.length; i++) { for (let i = 0; i < allMeta.length; i++) {
if (allMeta[i].getAttribute("name") == 'anti-csrf-token') { if (allMeta[i].getAttribute("name") == 'anti-csrf-currenttoken') {
newToken = allMeta[i].getAttribute('content'); newToken = allMeta[i].getAttribute('content');
console.log("newToken in page = "+newToken); console.log("newToken in page = "+newToken);
} }

5
htdocs/main.inc.php
View File

@@ -501,7 +501,7 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
// Creation of a token against CSRF vulnerabilities // Creation of a token against CSRF vulnerabilities
if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) { if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
// No token renewal on .css.php, .js.php and .json.php // No token renewal on .css.php, .js.php and .json.php (even if the NOTOKENRENEWAL was not provided)
if (!preg_match('/\.(css|js|json)\.php$/', $_SERVER["PHP_SELF"])) { if (!preg_match('/\.(css|js|json)\.php$/', $_SERVER["PHP_SELF"])) {
// Rolling token at each call ($_SESSION['token'] contains token of previous page) // Rolling token at each call ($_SESSION['token'] contains token of previous page)
if (isset($_SESSION['newtoken'])) { if (isset($_SESSION['newtoken'])) {
@@ -1561,7 +1561,8 @@ function top_htmlhead($head, $title = '', $disablejs = 0, $disablehead = 0, $arr
print '<meta name="robots" content="'.($disablenoindex ? 'index' : 'noindex').($disablenofollow ? ',follow' : ',nofollow').'">'."\n"; // Do not index print '<meta name="robots" content="'.($disablenoindex ? 'index' : 'noindex').($disablenofollow ? ',follow' : ',nofollow').'">'."\n"; // Do not index
print '<meta name="viewport" content="width=device-width, initial-scale=1.0">'."\n"; // Scale for mobile device print '<meta name="viewport" content="width=device-width, initial-scale=1.0">'."\n"; // Scale for mobile device
print '<meta name="author" content="Dolibarr Development Team">'."\n"; print '<meta name="author" content="Dolibarr Development Team">'."\n";
print '<meta name="anti-csrf-token" content="'.newToken().'">'."\n"; print '<meta name="anti-csrf-newtoken" content="'.newToken().'">'."\n";
print '<meta name="anti-csrf-currenttoken" content="'.currentToken().'">'."\n";
if (getDolGlobalInt('MAIN_FEATURES_LEVEL')) { if (getDolGlobalInt('MAIN_FEATURES_LEVEL')) {
print '<meta name="MAIN_FEATURES_LEVEL" content="'.getDolGlobalInt('MAIN_FEATURES_LEVEL').'">'."\n"; print '<meta name="MAIN_FEATURES_LEVEL" content="'.getDolGlobalInt('MAIN_FEATURES_LEVEL').'">'."\n";
} }