Use function top_httphead to include headers in pages.

htdocs/admin/agenda_xcal.php

@@ -97,7 +97,7 @@
 print "<td>&nbsp;</td>";
 print "</tr>";
 
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print '<td class="fieldrequired">'.$langs->trans("PasswordTogetVCalExport")."</td>";
 print '<td><input required="required" type="text" class="flat" id="MAIN_AGENDA_XCAL_EXPORTKEY" name="MAIN_AGENDA_XCAL_EXPORTKEY" value="' . (GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha')?GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha'):$conf->global->MAIN_AGENDA_XCAL_EXPORTKEY) . '" size="40">';
 if (! empty($conf->use_javascript_ajax))
@@ -106,13 +106,13 @@
 print "<td>&nbsp;</td>";
 print "</tr>";
 
-print "<tr ".$bc[true].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("PastDelayVCalExport")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_PAST_DELAY\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha')?GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha'):$conf->global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days")."</td>";
 print "<td>&nbsp;</td>";
 print "</tr>";
 
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("UseACacheDelay")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_CACHE\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha')?GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha'):$conf->global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\"></td>";
 print "<td>&nbsp;</td>";
@@ -128,8 +128,8 @@
 print '<td width="25%">'.$langs->trans("Parameter")."</td>";
 print "<td>".$langs->trans("Value")."</td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
-print '<td class="fieldrequired">'.$langs->trans("FixTZ")."</td>";
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("FixTZ")."</td>";
 print "<td>";
 print '<input class="flat" type="text" size="4" name="AGENDA_EXPORT_FIX_TZ" value="'.$conf->global->AGENDA_EXPORT_FIX_TZ.'">';
 print ' &nbsp; '.$langs->trans("FillThisOnlyIfRequired");

htdocs/cashdesk/affIndex.php

@@ -45,9 +45,6 @@
 
 $form = new Form($db);
 
-//header("Content-type: text/html; charset=UTF-8");
-//header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
 $arrayofjs=array();
 $arrayofcss=array('/cashdesk/css/style.css');
 

htdocs/cashdesk/facturation_dhtml.php

@@ -39,8 +39,7 @@
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php';
 
-//header("Content-type: text/html; charset=UTF-8");
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+top_httphead('text/html');
 
 $search = GETPOST("code", "alpha");
 

htdocs/cashdesk/tpl/ticket.tpl.php

@@ -20,7 +20,8 @@
 
 $langs->load("main");
 $langs->load('cashdesk');
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+
+top_httphead('text/html');
 
 $facid=GETPOST('facid','int');
 $object=new Facture($db);

htdocs/core/ajax/check_notifications.php

@@ -24,6 +24,13 @@
 
 require '../../main.inc.php';
 
+
+/*
+ * View
+ */
+
+top_httphead('text/html');  // TODO Use a json mime type
+
 global $user, $db, $langs, $conf;
 
 $time = (int) GETPOST('time');    // Use the time parameter that is always increased by time_update, even if call is late

htdocs/core/antispamimage.php

@@ -58,7 +58,8 @@
     exit;
 }
 
-header("Content-type: image/png");
+// Define mime type
+top_httphead('image/png');
 
 $background_color = imagecolorallocate($img, 250, 250, 250);
 $ecriture_color = imagecolorallocate($img, 0, 0, 0);

htdocs/core/js/datepicker.js.php

@@ -37,7 +37,7 @@
 require_once '../../main.inc.php';
 
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/core/js/lib_head.js.php

@@ -39,7 +39,7 @@
 require_once '../../main.inc.php';
 
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/core/js/lib_notification.js.php

@@ -33,21 +33,22 @@
 {
     global $langs, $conf;
 
-    // Define javascript type
-    header('Content-type: text/javascript; charset=UTF-8');
-
+    top_httphead('text/javascript; charset=UTF-8');
+
     $nowtime = time();
     //$nowtimeprevious = floor($nowtime / 60) * 60;   // auto_check_events_not_before is rounded to previous minute
 
     // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when.
+    /* session already started into main
     session_cache_limiter(FALSE);
     header('Cache-Control: no-cache');
-    session_start();
+    session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
+    session_start();*/
     if (! isset($_SESSION['auto_check_events_not_before'])) 
     {
         print 'console.log("_SESSION[auto_check_events_not_before] is not set");'."\n";
         // Round to eliminate the seconds
-        $_SESSION['auto_check_events_not_before'] = $nowtime;   // auto_check_events_not_before is rounded to previous minute
+        $_SESSION['auto_check_events_not_before'] = $nowtime;
     }
     print 'var nowtime = ' . $nowtime . ';' . "\n";
     print 'var login = \'' . $_SESSION['dol_login'] . '\';' . "\n";

htdocs/core/js/select2_locale.js.php

@@ -37,7 +37,7 @@
 require_once '../../main.inc.php';
 
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/core/js/timepicker.js.php

@@ -37,7 +37,7 @@
 require_once '../../main.inc.php';
 
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/core/lib/functions.lib.php

@@ -400,11 +400,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 
 
 /**
- *  Return a prefix to use for this Dolibarr instance for session or cookie names.
+ *  Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
  *  This prefix is unique for instance and avoid conflict between multi-instances,
- *  even when having two instances with one root dir or two instances in virtual servers
+ *  even when having two instances with one root dir or two instances in virtual servers.
  *
- *  @param  string  $mode       '' or 'email'              
+ *  @param  string  $mode       '' (prefix for session name) or 'email' (prefix for email id)              
  *  @return	string      		A calculated prefix
  */
 function dol_getprefix($mode='')

htdocs/document.php

@@ -170,9 +170,9 @@ function llxFooter() { }
 }
 
 // Permissions are ok and file found, so we return it
+top_httphead($type);
 header('Content-Description: File Transfer');
 if ($encoding)   header('Content-Encoding: '.$encoding);
-if ($type)       header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
 if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
 else header('Content-Disposition: inline; filename="'.$filename.'"');

htdocs/install/inc.php

@@ -384,7 +384,8 @@ function pHeader($subtitle,$next,$action='set',$param='',$forcejqueryurl='',$css
 
     // We force the content charset
     header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    header("X-Content-Type-Options: nosniff");
+
     print '<!DOCTYPE HTML>'."\n";
     print '<html>'."\n";
     print '<head>'."\n";

htdocs/main.inc.php

@@ -197,6 +197,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
+session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
 session_start();
 if (ini_get('register_globals'))    // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
 {
@@ -528,6 +529,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
             dol_syslog('User not found, connexion refused');
             session_destroy();
             session_name($sessionname);
+            session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
             session_start();    // Fixing the bug of register_globals here is useless since session is empty
 
             if ($resultFetchUser == 0)
@@ -586,6 +588,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
             dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
             session_destroy();
             session_name($sessionname);
+            session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
             session_start();    // Fixing the bug of register_globals here is useless since session is empty
 
             if ($resultFetchUser == 0)
@@ -967,19 +970,22 @@ function llxHeader($head='', $title='', $help_url='', $target='', $disablejs=0,
 /**
  *  Show HTTP header
  *
+ *  @param  string  $contenttype    Content type. For example, 'text/html'
  *  @return	void
  */
-function top_httphead()
+function top_httphead($contenttype='text/html')
 {
     global $conf;
 
-    //header("Content-type: text/html; charset=UTF-8");
-    header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client);
+    else header("Content-Type: ".$contenttype);
+    header("X-Content-Type-Options: nosniff");
+    header("X-Frame-Options: SAMEORIGIN");
+
     // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
-    if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
+    /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
         ob_start("ob_gzhandler");
-    }
+    }*/
 }
 
 /**

htdocs/paybox/lib/paybox.lib.php

@@ -36,7 +36,8 @@ function llxHeaderPaybox($title, $head = "")
 	global $user, $conf, $langs;
 
 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+
 	print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
 	//print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd>';
 	print "\n";
@@ -171,7 +172,8 @@ function print_paybox_redirect($PRICE,$CURRENCY,$EMAIL,$urlok,$urlko,$TAG)
     dol_syslog("PBX_TYPEPAIEMENT: $PBX_TYPEPAIEMENT", LOG_DEBUG);
 
     header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+    header("X-Content-Type-Options: nosniff");
+
     print '<html>'."\n";
     print '<head>'."\n";
     print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=".$conf->file->character_set_client."\">\n";

htdocs/paypal/lib/paypal.lib.php

@@ -35,7 +35,8 @@ function llxHeaderPaypal($title, $head = "")
 	global $user, $conf, $langs;
 
 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+
 	$appli='Dolibarr';
 	if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
 

htdocs/projet/jsgantt_language.js.php

@@ -34,8 +34,8 @@
 
 require_once __DIR__.'/../main.inc.php';
 
-// Define css type
-header('Content-type: text/javascript');
+// Define mime type
+top_httphead('text/javascript');
 
 global $langs;
 ?>

htdocs/support/inc.php

@@ -207,7 +207,8 @@ function pHeader($soutitre,$next,$action='none')
 
 	// On force contenu dans format sortie
 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+	header("X-Content-Type-Options: nosniff");
+
 	print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'."\n";
 	print '<html manifest="'.DOL_URL_ROOT.'/cache.manifest">'."\n";
 	print '<head>'."\n";

htdocs/theme/eldy/style.css.php

@@ -45,7 +45,7 @@
 
 
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/theme/md/style.css.php

@@ -46,7 +46,7 @@
 
 
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');

htdocs/viewimage.php

@@ -191,13 +191,13 @@ function llxFooter() { }
     // Les drois sont ok et fichier trouve
     if ($type)
     {
+        top_httphead($type);
         header('Content-Disposition: inline; filename="'.basename($original_file).'"');
-        header('Content-type: '.$type);
     }
     else
     {
+        top_httphead('image/png');
         header('Content-Disposition: inline; filename="'.basename($original_file).'"');
-        header('Content-type: image/png');
     }
 
     $original_file_osencoded=dol_osencode($original_file);