From d73aac6e4e77935b9e86719d1acd8849f9bf1bdb Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Fri, 15 May 2009 12:48:13 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20creation=20et=20verification=20d'un=20je?=
 =?UTF-8?q?ton=20al=E9atoire=20afin=20de=20valider=20une=20requete=20POST,?=
 =?UTF-8?q?=20voici=20la=20ligne=20=E0=20ajouter=20dans=20une=20requete=20?=
 =?UTF-8?q?POST=20print=20'<input=20type=3D"hidden"=20name=3D"token"=20val?=
 =?UTF-8?q?ue=3D"'.$=5FSESSION['newtoken'].'">';?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/admin/const.php |  6 ------
 htdocs/main.inc.php    | 10 ++++++++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index 0a1889e2179..72fb1ebc09b 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -34,12 +34,6 @@ $langs->load("admin");
 if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
 accessforbidden();
 
-//Todo: Verification de la presence et de la validite du jeton précédent
-if (isset($_POST['token']) && isset($_SESSION['oldtoken']))
-{
-	if ($_POST['token'] != $_SESSION['oldtoken']) accessforbidden();
-}
-
 if (!$user->admin)
 accessforbidden();
 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index b089ec30951..a26a7b79cf5 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -168,11 +168,17 @@ session_name($sessionname);
 session_start();
 dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".(isset($_SESSION["dol_login"])?$_SESSION["dol_login"]:'').", ".ini_get("session.gc_maxlifetime"));
 
-//Todo: Creation d'un jeton contre les failles CSRF
+// Creation d'un jeton contre les failles CSRF
 $token = md5(uniqid(rand(),TRUE)); // Genere un hash d'un nombre aleatoire
-$_SESSION['oldtoken'] = $_SESSION['newtoken']; // roulement des jetons car créé à chaque appel
+$_SESSION['oldtoken'] = $_SESSION['newtoken']; // roulement des jetons car cree a chaque appel
 $_SESSION['newtoken'] = $token;
 
+// Verification de la presence et de la validite du jeton
+if (isset($_POST['token']) && isset($_SESSION['oldtoken']))
+{
+	if ($_POST['token'] != $_SESSION['oldtoken']) unset($_POST);
+}
+
 // Retrieve the entity in login form or in the cookie.
 // This must be after the init of session (session_start) or this create serious pb of corrupted session.
 /*