From 0e96093def5f337bc559f0451a1fd599bc733ee4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Sun, 21 Feb 2021 21:51:26 +0100 Subject: [PATCH 1/2] add log for token reclaimed --- htdocs/main.inc.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 15dfc85c8d2..c0d19648ab3 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -416,14 +416,16 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE } // Creation of a token against CSRF vulnerabilities -if (!defined('NOTOKENRENEWAL')) -{ +if (!defined('NOTOKENRENEWAL')) { // Rolling token at each call ($_SESSION['token'] contains token of previous page) - if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; + if (isset($_SESSION['newtoken'])) { + $_SESSION['token'] = $_SESSION['newtoken']; + } // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number $_SESSION['newtoken'] = $token; + dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_INFO); } //dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']); From 1971f5197325a7b20002507199183a2950014517 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Mon, 22 Feb 2021 11:24:21 +0100 Subject: [PATCH 2/2] Update main.inc.php --- htdocs/main.inc.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index c0d19648ab3..85a02aa1467 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -425,7 +425,7 @@ if (!defined('NOTOKENRENEWAL')) { // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number $_SESSION['newtoken'] = $token; - dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_INFO); + dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_DEBUG); } //dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']); @@ -459,8 +459,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl } } - if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token']) - { + if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token']) { dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');