Warning appears on Category and API pages in admin mode #1956

Closed
jcoquery opened this issue Oct 5, 2017 · 5 comments

Comments

@jcoquery

jcoquery commented Oct 5, 2017

Steps to reproduce

  1. Log into admin
  2. Go to Parameters.
  3. Click on Category or API

Expected behaviour

No warning

Actual behaviour

2 warnings appear

Server configuration

Operating system: Docker (Centos)

Web server: Apache

Database: 5.7.19

PHP version: 7.1.9

Teampass version: 2.1.27

Teampass configuration file:
tp.config.txt

Client configuration

Browser: All

Operating system: Windows 10

Screenshots attached: tp error-cat, tp error-api

@nilsteampassnet
Owner

nilsteampassnet commented Oct 5, 2017

Sorry, I couldn't reproduce it either.
Can you please give me the exact version you use?

Can you check this in parallel?

Does the following value match the URL you use to access the application?
jsUrl, found in includes/libraries/csrfp/libs/csrfp.config.php. If the value is "https://my.beautiful.password.manager/includes/libraries/csrfp/js/csrfprotector.js", the URL you use to access the web application should be https://my.beautiful.password.manager/index.php. Otherwise, a "Hacking attempt..." will be sent through a POST response by the server and your session will be terminated.

@jcoquery
Author

jcoquery commented Oct 6, 2017

The version is the same as yours, 2.1.27.9, but run with a docker-compose file.
I don't understand what I must look at in the csrfp config, but the line is:
"jsUrl" => "https://teampass.monsite.int/includes/libraries/csrfp/js/csrfprotector.js",

Thanks

@nilsteampassnet
Owner

nilsteampassnet commented Oct 8, 2017

Can you please try the following?

  • Edit file admin.settings_categories.php,
  • move the 2 lines
require_once('sources/SecureHandler.php');
session_start();
  • before the ?> that is just after the file's warranty notice

Once done, you should have something that looks like this

 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

require_once('sources/SecureHandler.php');
session_start();
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>API Settings</title></head><body>

<?php
if (!isset($_SESSION['CPM']) || $_SESSION['CPM'] != 1) {
    die('Hacking attempt...');
}

You can do the same in the file admin.settings_api.php.

I believe this will fix the issue, and I will commit the changes.

nilsteampassnet added a commit that referenced this issue Oct 8, 2017
Fix for #1956
Improved client info for statistics
@jcoquery
Author

jcoquery commented Oct 9, 2017

Hi,
It was almost that.
With this modification, the warning still appears because of the line header("Content-type: text/html; charset=utf-8");
So, to resolve this issue, you must move the 2 lines:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>API Settings</title></head><body>

just after the first "echo" around line 102.
In the file admin.settings_api.php the solution is the same.
Move the first HTML part (between line 20 and line 60) just after the first echo (line 107).

Thanks
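The two fixes above (move session_start() before the closing PHP tag, then move the HTML after the header() call) are both instances of one rule: nothing may be written to the response before the last header-emitting call. The skeleton below is an added example, not Teampass code, showing that ordering for a page like admin.settings_api.php. The require_once path and the $_SESSION['CPM'] check are taken from the snippets in this thread; start_session_or_fail() is a helper added here. On PHP 7.1, session_start() after output emits two warnings (session cookie and session cache limiter), which matches the two warnings reported.

```php
<?php
/*
 * Added example, not Teampass code. Everything that writes HTTP headers
 * (session_start(), header(), setcookie()) must run before the first byte
 * of output, and any HTML or whitespace outside the PHP tags is output.
 *
 * Broken order (what the admin pages did):
 *   closing PHP tag, DOCTYPE and <html> ... <- output starts here
 *   require_once('sources/SecureHandler.php');
 *   session_start();                         <- "Cannot send session cookie - headers already sent"
 *   header("Content-type: ...");             <- "Cannot modify header information"
 */

/**
 * Start the session, refusing to continue if output has already begun.
 * headers_sent() also reports where the output started, which is exactly
 * the line that must move below the header-emitting code.
 */
function start_session_or_fail(): void
{
    if (headers_sent($file, $line)) {
        // The session cookie and Content-type can no longer be sent. Fail
        // closed instead of continuing with an empty $_SESSION, which would
        // make every page answer "Hacking attempt..." and leak file paths
        // in the warnings.
        error_log("session_start() called after output began at $file:$line");
        exit('Internal error');
    }
    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        error_log('session_start() failed');
        exit('Internal error');
    }
}

// 1. Header-emitting work first. The path is the one used in the thread;
//    SecureHandler.php is Teampass's own session handler and is not shown here.
require_once('sources/SecureHandler.php');
start_session_or_fail();
header("Content-type: text/html; charset=utf-8");

// 2. Authorisation check before any rendering (same check as the admin pages).
if (!isset($_SESSION['CPM']) || $_SESSION['CPM'] != 1) {
    die('Hacking attempt...');
}

// 3. Only now does the response body start.
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>API Settings</title></head><body>
<?php
// ... rest of the page output ...
?>
</body></html>
```

Because the authorisation check depends on $_SESSION, a session_start() that fails after output makes the check fail closed, which is the safe direction, but the "headers already sent" warnings it prints disclose the script path; keeping the order above avoids both.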

@nilsteampassnet
Owner

Thank you for the feedback

nilsteampassnet added a commit that referenced this issue Oct 9, 2017
Fix for #1956