Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

🐛 Use Cancel-Button results in Ajax-Unauthorized Response#701

Open
Hotade1702 wants to merge1 commit intoCombodo:develop
base:develop
Choose a base branch
Loading
fromHotade1702:Hotade1702-patch-1

Conversation

Hotade1702
Copy link

Base information

QuestionAnswer
Related to a SourceForge thead / Another PR / Combodo ticket?no
Type of change?Bug fix

Symptom (bug) / Objective (enhancement)

When calling "cancel button" in edit or creation dialog the ajax request responded with unauthorized 401. This results in login mask when using IIS with Windows Authentication. You can continue to use itop without enter credentials, but it appears everytime canceling a edit/new mask. The reason is the Transaction_id validation in ajax.render.php failed. After changing the ReadPostedParam Parameter "sSanitizationFilter" from default "parameter" to "transaction_id" the validation is true and itop is handleling everything fine.

Reproduction procedure (bug)

  1. On iTop 3.2.0
  2. With PHP 8.1.30
  3. IIS and Windows Authentication (The Bug also happend everywhere else but you will only see it in the developer console of the browser that the ajax-result answers 401)
  4. First go and add a new Object (Server as example) or edit any existing cmdb object or ticket
  5. Then do cancel this dialog
  6. Finally, see that a login mask appears, which can be canceled and you can continue to use itop.

Cause (bug)

The reason is when unloading the new object page or edit page the unload function calls a function where the transaction_id verification failed.

Proposed solution (bug and enhancement)

Editing one line in ajax.render.php for header and transaction_id check from using the default parameters of ReadPostedParam to specific parameter "transaction_id" as sSanitizationFilter

Checklist before requesting a review

  • [x ] I have performed a self-review of my code
  • [x ] I have tested all changes I made on an iTop instance
  • [x ] no unit test, because only one line changed with existing functions
  • [ x] Is the PR clear and detailed enough so anyone can understand digging in the code?

Checklist of things to do before PR is ready to merge

When calling cancel button in edit or creation dialog the ajax request responded with unauthorized 401. This results in login mask when using IIS with Windows Authentication. You can continue to use itop without enter credentials, but it appears everytime canceling a edit mask. The reason is the Transaction_id validation in ajax.render.php failed. After changing the ReadPostedParam Parameter "sSanitizationFilter" from default "parameter" to "transaction_id" the validation is true and itop is handleling everything fine.
@jf-cbdjf-cbd added the bugSomething isn't working labelFeb 28, 2025
@jf-cbd
Copy link
Contributor

Hello, thanks for your contribution :)
We'll add the filter you suggest, as it is appropriated and can only be a good thing !
But we couldn't reproduce your problem (with iTop 3.2.0 and PHP 8.1.30, on an Ubuntu server, looking for error in the developer console), and it may be good to know why the transaction_id verification failed.
May you please give use some screenshots and more info to reproduce your problem ?

@Hotade1702
Copy link
Author

hi, i logged both to the error_log in php, when sending without the filter its doesnt result in a transaction id:
[07-Mar-2025 16:55:39 Europe/Paris] with_transactionidfilter: DANB81.tmp
[07-Mar-2025 16:55:39 Europe/Paris] without_transactionidfilter:
In the developer log in browser you can only see it when you have a look in the Network tab:
image

When cancel a dialog without transactionfilter i get this in myphp log with php 8.1.30 (im not shure if version is really relevant) on IIS:
[07-Mar-2025 16:57:04 Europe/Paris] PHP Warning: Undefined variable $sReferer in D:\itop-dev\pages\ajax.render.php on line 72

which is: IssueLog::Error("Unprotected ajax call : $sTransactionId", LogChannels::SECURITY, ['referer' => $sReferer]); (should be 2-3 line higher in your code because i added some lines for debugging (error_log...)

and on IIS with windows-authentication "on" resulting in this popup:
Unbenannt

@jf-cbd
Copy link
Contributor

jf-cbd commentedMar 14, 2025
edited
Loading

Hello, thanks for your info.
We think we have found the reason of the bug thanks to it and your fix, could you help us to confirm it ?
When the error occurs, does your $sTransactionId contain a dot, e.g. "xxx.tmp" ?

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bugSomething isn't working
Projects
Status: First review needed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@Hotade1702@jf-cbd
[8]ページ先頭
©2009-2025 Movatter.jp