NotificationsYou must be signed in to change notification settings
Fork254
Star947

Commit0ee1818

committed

N°7732 - CSRF protection generating error when cancelling the creation of an object

N°7741 - PDF export on impact analysis not working

1 parenta4a1fa4 commit0ee1818Copy full SHA for 0ee1818

File tree

3 files changed

+17

-9

lines changed

3 files changed

+17

-9

lines changed

`‎core/displayablegraph.class.inc.php`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1496,6 +1496,7 @@ function DisplayGraph(WebPage $oP, $sRelation, ApplicationContext $oAppContext,`
`1496`	`1496`	`'excluded' =>$aExcludedByClass,`
`1497`	`1497`	`'grouping_threshold' =>$iGroupingThreshold,`
`1498`	`1498`	`'export_as_pdf' =>array('url' =>$sExportAsPdfURL,'label' => Dict::S('UI:Relation:ExportAsPDF')),`
	`1499`	`+'transaction_id' => utils::GetNewTransactionId(),`
`1499`	`1500`	`'export_as_attachment' =>array('url' =>$sExportAsDocumentURL,'label' => Dict::S('UI:Relation:ExportAsAttachment'),'obj_class' =>$sObjClass,'obj_key' =>$iObjKey),`
`1500`	`1501`	`'drill_down' =>array('url' =>$sDrillDownURL,'label' => Dict::S('UI:Relation:DrillDown')),`
`1501`	`1502`	`'labels' =>array(`

`‎js/simple_graph.js`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ $(function()`
`19`	`19`	`sources:{},`
`20`	`20`	`excluded:{},`
`21`	`21`	`export_as_pdf:null,`
	`22`	`+transaction_id:null,`
`22`	`23`	`page_format:{label:'Page Format:',values:{A3:'A3',A4:'A4',Letter:'Letter'},'default':'A4'},`
`23`	`24`	`page_orientation:{label:'Page Orientation:',values:{P:'Portait',L:'Landscape'},'default':'L'},`
`24`	`25`	`labels:{`
`@@ -590,6 +591,7 @@ $(function()`
`590`	`591`	`varsHtmlForm='<div id="GraphExportDlg'+this.element.attr('id')+'"><form id="graph_'+this.element.attr('id')+'_export_dlg" target="_blank" action="'+sSubmitUrl+'" method="post">';`
`591`	`592`	`sHtmlForm+='<input type="hidden" name="g" value="'+this.options.grouping_threshold+'">';`
`592`	`593`	`sHtmlForm+='<input type="hidden" name="context_key" value="'+this.options.context_key+'">';`
	`594`	`+sHtmlForm+='<input type="hidden" name="transaction_id" value="'+this.options.transaction_id+'">';`
`593`	`595`	`$('#'+sId+'_contexts').multiselect('getChecked').each(function(){`
`594`	`596`	`sHtmlForm+='<input type="hidden" name="contexts['+$(this).val()+']" value="'+me.options.additional_contexts[$(this).val()].oql+'">';`
`595`	`597`	`});`

`‎pages/ajax.render.php`

Lines changed: 14 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,15 +32,6 @@`
`32`	`32`	`require_once(APPROOT.'/application/startup.inc.php');`
`33`	`33`	`require_once(APPROOT.'/application/user.preferences.class.inc.php');`
`34`	`34`
`35`		`-// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)`
`36`		`-if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) &&$_SERVER['REQUEST_METHOD'] !=='GET') {`
`37`		`-$sReferer =$_SERVER['HTTP_REFERER'];`
`38`		`-$sErrorMsg ='Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks';`
`39`		`-IssueLog::Error("Unprotected ajax call :$sErrorMsg", LogChannels::SECURITY, ['referer' =>$sReferer]);`
`40`		`-header('HTTP/1.1 401 Unauthorized');`
`41`		`-die($sErrorMsg);`
`42`		`-}`
`43`		`-`
`44`	`35`	`IssueLog::Trace('----- Request:'.utils::GetRequestUri(), LogChannels::WEB_REQUEST);`
`45`	`36`	`$oKPI =newExecutionKPI();`
`46`	`37`	`$oKPI->ComputeAndReport('Data model loaded');`
`@@ -67,6 +58,20 @@`
`67`	`58`	`break;`
`68`	`59`	`}`
`69`	`60`	`LoginWebPage::DoLoginEx($sRequestedPortalId,false);`
	`61`	`+`
	`62`	`+// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)`
	`63`	`+// check must be performed after DoLoginEx to be logged in and to be able to check the token (based on the transaction id)`
	`64`	`+if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) &&$_SERVER['REQUEST_METHOD'] !=='GET') {`
	`65`	`+$sTransactionId = utils::ReadPostedParam("transaction_id");`
	`66`	`+if (!utils::IsTransactionValid($sTransactionId,false)) {// if a form is submitted without header but contains a token... should be exceptional`
	`67`	`+$sReferer =$_SERVER['HTTP_REFERER'];`
	`68`	`+$sErrorMsg ='Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks';`
	`69`	`+IssueLog::Error("Unprotected ajax call :$sErrorMsg", LogChannels::SECURITY, ['referer' =>$sReferer]);`
	`70`	`+header('HTTP/1.1 401 Unauthorized');`
	`71`	`+die($sErrorMsg);`
	`72`	`+}`
	`73`	`+}`
	`74`	`+`
`70`	`75`	`$oKPI->ComputeAndReport('User login');`
`71`	`76`
`72`	`77`	`// N°2780 Fix ContextTag for console`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0ee1818

File tree

3 files changed

3 files changed

`‎core/displayablegraph.class.inc.php`

`‎js/simple_graph.js`

`‎pages/ajax.render.php`

0 commit comments