csrf token in all form

delcroip · Aug 3, 2022 · 082282e · 082282e
1 parent 203cff7
commit 082282e
Show file tree

Hide file tree

Showing 11 changed files with 41 additions and 20 deletions.
diff --git a/htdocs/timesheet/AttendanceEventAdmin.php b/htdocs/timesheet/AttendanceEventAdmin.php
@@ -515,6 +515,8 @@ function init_myfunc()
         dol_print_error($db);
     }
     print '</table>'."\n";
+    print '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
     print '</form>'."\n";
     // new button
    // print '<a href = "attendanceeventCard.php?action=create" class="butAction"role="button">'.$langs->trans('New');

diff --git a/htdocs/timesheet/ChangeLog.md b/htdocs/timesheet/ChangeLog.md
@@ -1,4 +1,8 @@
 # dolibarr_project_timesheet changelog
+4.5.6
+- fix csrf issue in other pages
+- fix box issue
+
 4.5.5
 - fix: pdf header with small pictures
 - misc: white logo

diff --git a/htdocs/timesheet/TimesheetProjectInvoice.php b/htdocs/timesheet/TimesheetProjectInvoice.php
@@ -25,6 +25,7 @@
 include 'core/lib/includeMain.lib.php';
 include 'core/lib/generic.lib.php';
 include 'core/lib/timesheet.lib.php';
+$token = getToken();
 require_once DOL_DOCUMENT_ROOT .'/core/lib/functions.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
@@ -105,6 +106,8 @@
             $Form .= '<input type = "hidden" name = "socid" value = "'.$socid.'">';
             $Form .= '<input type = "hidden" name = "invoicingMethod" value = "'.$mode.'">';
             $Form .= '<input type = "hidden" name = "ts2Invoice" value = "'.$ts2Invoice.'">';
+            $Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
             $resql = $db->query($sql);
             $num = 0;
             $resArray = array();
@@ -492,6 +495,7 @@
             //    $sqlTailWhere .= ' AND fk_socpeople = \''.$userid.'\' and t.fk_statut = \'1\'';
             //}
             $Form = '<form name = "settings" action="?step=2" method = "POST" >'."\n\t";
+            $Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
             $Form .= '<table class = "noborder" width = "100%">'."\n\t\t";
             $Form .= '<tr class = "liste_titre" width = "100%" ><th colspan = "2">'
                 .$langs->trans('generalInvoiceProjectParam').'</th></tr>';

diff --git a/htdocs/timesheet/TimesheetReportProject.php b/htdocs/timesheet/TimesheetReportProject.php
@@ -228,6 +228,9 @@
         <td></td>
         </tr>
         <tr >';
+$token = getToken();
+$form_output .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
 
 if($hidetab == 1){
         $form_output .='<td><select  name = "projectSelected">';
@@ -295,19 +298,19 @@
     .dol_print_date($dateStart, 'dayxcard').'&dateEnd='
     .dol_print_date($dateEnd, 'dayxcard').'&projectSelected='
     .$projectSelectedId.'&mode='.$mode.'&invoicabletaskOnly='.$invoicabletaskOnly
-    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('TimesheetPDF').'</a>';
+    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('TimesheetPDF').'</a>';
 if (!empty($querryRes) && $conf->global->MAIN_MODULE_EXPORT)$form_output .=
     '<a class = "butAction" href="?action=getExport&dateStart='
     .dol_print_date($dateStart, 'dayxcard').'&dateEnd='
     .dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId
     .'&mode='.$mode.'&model='.$model.'&invoicabletaskOnly='.$invoicabletaskOnly
-    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Export').'</a>';
+    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Export').'</a>';
 if (!empty($querryRes))$form_output .=
     '<a class = "butAction" href="?action=reportproject&dateStart='
     .dol_print_date($dateStart, 'dayxcard').'&dateEnd='
     .dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId
     .'&mode='.$mode.'&invoicabletaskOnly='.$invoicabletaskOnly
-    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Refresh').'</a>';
+    ."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Refresh').'</a>';
 $form_output .= '</form>';
 if (!($optioncss != '' && !empty($_POST['userSelected']))) echo $form_output;
 echo $querryRes;

diff --git a/htdocs/timesheet/TimesheetReportUser.php b/htdocs/timesheet/TimesheetReportUser.php
@@ -163,6 +163,9 @@
         <tr >
         <td>
         ';
+$token = getToken();
+$form_output .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
 if($admin){
     $form_output .= $form->select_dolusers($userIdSelected, 'userSelected');
 
@@ -237,7 +240,7 @@
         .'&invoicabletaskOnly=' . $invoicabletaskOnly 
         .'&ungroup=' . $ungroup 
         .'&showAll=' . $show_all 
-        . '" >' . $langs->trans( 'Export' ) . '</a>';
+        . '&token='.$token.'" >' . $langs->trans( 'Export' ) . '</a>';
 }
 if ( ! empty( $querryRes ) ) {
 	$form_output .= '<a class = "butAction" href="?action=getpdf&dateStart=' 
@@ -248,7 +251,7 @@
     . '&invoicabletaskOnly='  . $invoicabletaskOnly 
     . '&ungroup=' . $ungroup 
     . '&showAll=' . $show_all 
-    . '" >' . $langs->trans( 'PDF' ) . '</a>';
+    . '&token='.$token.'" >' . $langs->trans( 'PDF' ) . '</a>';
 }
 $form_output .= '</div></div></form>';
 

diff --git a/htdocs/timesheet/TimesheetTeamApproval.php b/htdocs/timesheet/TimesheetTeamApproval.php
@@ -365,6 +365,8 @@ function getHTMLNavigation($optioncss, $selectList, $current = 0)
     }
     $Nav .= "</th>\n\t\t<th>\n\t\t\t";
     $Nav .= '<form name = "goTo" action="?action=goTo" method = "POST" >'."\n\t\t\t";
+    $Nav .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
     $Nav .= $langs->trans("GoTo").': '.$htmlSelect."\n\t\t\t";;
     $Nav .= '<input type = "submit" value = "Go" /></form>'."\n\t\t</th>\n\t\t<th>\n\t\t\t";
     if ($current<count($selectList)) {

diff --git a/htdocs/timesheet/TimesheetUserTasksAdmin.php b/htdocs/timesheet/TimesheetUserTasksAdmin.php
@@ -556,6 +556,7 @@ function init_myfunc()
             //print_barre_liste function defined in /core/lib/function.lib.php, possible to add a picto
             print_barre_liste($langs->trans("Timesheetuser"), $page, $PHP_SELF, $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords);
             print '<form method = "POST" action = "'.$_SERVER["PHP_SELF"].'">';
+            print '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
             print '<table class = "liste" style = "border-collapse:separate;" width = "100%">'."\n";
             //TITLE
             print '<tr class = "liste_titre">';

diff --git a/htdocs/timesheet/admin/timesheetsetup.php b/htdocs/timesheet/admin/timesheetsetup.php
@@ -360,6 +360,8 @@ function null2int($var, $int = 0)
 print load_fiche_titre( $langs->trans( "GeneralOption" ), '', '' );
 
 echo '<form name="settings" action="?action=save" method="POST">';
+$token = getToken();
+echo '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
 echo '<table class="noborder" width = "100%">';
 echo '<tr class="liste_titre" width = "100%" ><th width = "200px">'.$langs->trans("Name").'</th><th>';
 echo $langs->trans("Description").'</th><th>'.$langs->trans("Value")."</th></tr>";

diff --git a/htdocs/timesheet/class/AttendanceEvent.class.php b/htdocs/timesheet/class/AttendanceEvent.class.php
@@ -758,6 +758,9 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin)
          $HTML .= $form->select_dolusers($selected, 'userid');
     }
     $HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> ';
+    //FIXME should take token as input
+    $token = getToken();
+    $HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
 
     return $HTML;
 }

diff --git a/htdocs/timesheet/class/TimesheetUserTasks.class.php b/htdocs/timesheet/class/TimesheetUserTasks.class.php
@@ -1061,33 +1061,25 @@ public function getHTMLNavigation($optioncss, $ajax = false)
     global $langs, $conf;
     $form = new Form($this->db);
     $tail = '';
-    //$tail = '&wlm='.$this->whitelistmode;
     if (isset($conf->global->TIMESHEET_ADD_FOR_OTHER) 
         && $conf->global->TIMESHEET_ADD_FOR_OTHER == 1){
         $tail = '&userid='.$this->userId;
     }
     $Nav = '<table class = "noborder" width = "50%">'."\n\t".'<tr>'."\n\t\t".'<th>'."\n\t\t\t";
     if ($ajax) {
-//     $Nav .= '<a id = "navPrev" onClick = "loadXMLTimesheet(\''.getStartDate($this->date_start, -1).'\', 0);';
     } else{
         $Nav .= '<a href="?dateStart='.getStartDate($this->date_start, -1).$tail;
     }
     if ($optioncss != '')$Nav .= '&amp;optioncss='.$optioncss;
     $Nav .= '">  &lt;&lt;'.$langs->trans("Previous").' </a>'."\n\t\t</th>\n\t\t<th>\n\t\t\t";
-//  if ($ajax)
-//  {
-    //    $Nav .= '<form name = "goToDate" onsubmit = "return toDateHandler();" action="?action=goToDate&wlm='.$this->whitelistmode.'" method = "POST">'."\n\t\t\t";
-    //} else{
-        $Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t";
-    //}
+    $Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t";
+    //FIXME should take token as input
+    $token = getToken();
+    $Nav .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
     $Nav .= $langs->trans("GoTo").': '.$form->select_date(-1, 'toDate', 0, 0, 0, "", 1, 1, 1)."\n\t\t\t";;
     $Nav .= '<input type = "submit" value = "Go" /></form>'."\n\t\t</th>\n\t\t<th>\n\t\t\t";
-    //if ($ajax)
-//    {
-    //    $Nav .= '<a id = "navNext" onClick = "loadXMLTimesheet(\''.getStartDate($this->date_start, 1).'\', 0);';
-    //} else{
-        $Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail;
-    //}
+    $Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail;
     if ($optioncss != '') $Nav .= '&amp;optioncss='.$optioncss;
     $Nav .= '">'.$langs->trans("Next").' &gt;&gt;</a>'."\n\t\t</th>\n\t</tr>\n </table>\n";
     return $Nav;
@@ -1155,7 +1147,12 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin)
         } else{
             $HTML .= $form->select_dolusers($selected, 'userid');
         }
+        //FIXME should take token as input
+        $token = getToken();
+        $HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>';
+
         $HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> ';
+
         return $HTML;
     }
     /**

diff --git a/htdocs/timesheet/core/modules/modtimesheet.class.php b/htdocs/timesheet/core/modules/modtimesheet.class.php
@@ -54,7 +54,7 @@ public function __construct($db)
 		        $this->editor_name = 'Patrick Delcroix';
 		        $this->editor_url = 'https://github.com/delcroip';
                 // Possible values for version are: 'development', 'experimental', 'dolibarr' or version
-                $this->version = '4.5.4';
+                $this->version = '4.5.6';
                 // Key used in llx_cons table to save module status enabled/disabled(where timesheet is value of property name of module in uppercase)
                 $this->const_name = 'MAIN_MODULE_'.strtoupper($this->name);
                 // Where to store the module in setup page(0=common, 1=interface, 2=others, 3=very specific)