From 4e3e2a23bccf219ee9ebefab66d655d597846bb4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 18 Mar 2021 21:22:50 +0100 Subject: [PATCH] More complete fix for #yogosha5644 --- htdocs/main.inc.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 199601f1385..f6376a650b7 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -428,17 +428,16 @@ if (!defined('NOTOKENRENEWAL')) { } //dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']); -//$dolibarr_nocsrfcheck=1; -// Check token -if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) - || defined('CSRFCHECK_WITH_TOKEN')) { // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page + +// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page +if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) || defined('CSRFCHECK_WITH_TOKEN')) { // Check all cases that need a token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions) if ( $_SERVER['REQUEST_METHOD'] == 'POST' || ((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN')) || in_array(GETPOST('action', 'aZ09'), array('add', 'addtimespent', 'update', 'install', 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_reject_check')) ) { - if (!GETPOSTISSET('token')) { + if (!GETPOST('token', 'alpha')) { // If token is not provided or empty if (GETPOST('uploadform', 'int')) { dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused. File size too large."); $langs->loadLangs(array("errors", "install"));