sec(App) validate CSRF on delete action
joebordes committed Aug 14, 2021
1 parent f8a0221 commit 42369cf5c94224cd7723b0cab6b3e454495ade34
Showing with 24 additions and 5 deletions.
  1. +19 −0 include/utils/Request.php
  2. +1 −1 modules/Calendar4You/Delete.php
  3. +1 −1 modules/PriceBooks/Delete.php
  4. +1 −1 modules/ProductComponent/Delete.php
  5. +1 −1 modules/Products/Delete.php
  6. +1 −1 modules/Vtiger/Delete.php
@@ -194,6 +194,25 @@ protected function validateCSRF() {
}
}

public static function validateRequest($die = true, $msg = true) {
$request = new Vtiger_Request($_REQUEST);
try {
$request->validateWriteAccess();
} catch (\Throwable $th) {
if ($msg) {
require_once 'Smarty_setup.php';
echo '<br><br>';
$smarty = new vtigerCRM_Smarty();
$smarty->assign('csrfWarning', getTranslatedString($th->getMessage()));
$smarty->assign('csrfReload', getTranslatedString('csrf_reload'));
$smarty->display('csrf-warning.tpl');
}
if ($die) {
die();
}
}
}

public static function get_ip() {
$headers = $_SERVER;
// check for shared internet/ISP IP
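Review bot: `validateRequest()` wraps `validateWriteAccess()` in `catch (\Throwable $th)`, so an unrelated `TypeError` or `Error` raised inside the check is shown to the user as a CSRF warning and, with the default `$die`, silently ends the request; catching the specific exception type that `validateWriteAccess()` throws (not visible in this hunk) and letting anything else propagate keeps genuine bugs visible. The method also returns nothing, so a caller passing `$die = false` cannot learn whether the check passed and continues into the write regardless; returning a bool — `return false;` after the `if ($die)` block and `return true;` as the last statement — gives such callers something to act on, and typing the parameters as `bool $die = true, bool $msg = true` documents the intent. Whether `$th->getMessage()` is escaped before it reaches the page depends on `csrf-warning.tpl`, which is not in the hunk, so it is worth confirming the template escapes `csrfWarning`. The `get_ip()` definition that follows starts inside the hunk but continues past it.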
@@ -10,7 +10,7 @@
require_once 'modules/Calendar4You/CalendarUtils.php';

global $currentModule, $current_user;

Vtiger_Request::validateRequest();
$Calendar4You = new Calendar4You();

$Calendar4You->GetDefPermission($current_user);
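Review bot: The new `Vtiger_Request::validateRequest();` call depends on its default `$die = true` to stop the script, but nothing at the call site shows that — a reader sees a bare static call whose result is ignored and cannot tell that the delete below is guarded. A comment above it, `// CSRF guard: validateRequest() renders csrf-warning.tpl and die()s on failure, so the code below only runs for validated requests`, makes that dependency explicit; the same applies to the identical calls in modules/PriceBooks/Delete.php, modules/ProductComponent/Delete.php, modules/Products/Delete.php and modules/Vtiger/Delete.php. Both the check and the later `$_REQUEST['record']` reads consume `$_REQUEST`, which merges GET and POST, so it is worth confirming that `validateWriteAccess()` (not visible here) also rejects non-POST requests rather than accepting a token from the query string.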
@@ -8,8 +8,8 @@
* All Rights Reserved.
************************************************************************************/
global $currentModule;
Vtiger_Request::validateRequest();
$focus = CRMEntity::getInstance($currentModule);

$record = vtlib_purify($_REQUEST['record']);
$module = urlencode(vtlib_purify($_REQUEST['module']));
$return_module = vtlib_purify($_REQUEST['return_module']);
@@ -8,8 +8,8 @@
* All Rights Reserved.
************************************************************************************/
global $currentModule;
Vtiger_Request::validateRequest();
$focus = CRMEntity::getInstance($currentModule);

$record = vtlib_purify($_REQUEST['record']);
$module = urlencode(vtlib_purify($_REQUEST['module']));
$return_module = vtlib_purify($_REQUEST['return_module']);
@@ -8,8 +8,8 @@
* All Rights Reserved.
************************************************************************************/
global $currentModule;
Vtiger_Request::validateRequest();
$focus = CRMEntity::getInstance($currentModule);

$record = vtlib_purify($_REQUEST['record']);
$module = urlencode(vtlib_purify($_REQUEST['module']));
$return_module = vtlib_purify($_REQUEST['return_module']);
@@ -8,8 +8,8 @@
* All Rights Reserved.
************************************************************************************/
global $currentModule;
Vtiger_Request::validateRequest();
$focus = CRMEntity::getInstance($currentModule);

$record = vtlib_purify($_REQUEST['record']);
$module = urlencode(vtlib_purify($_REQUEST['module']));
$return_module = vtlib_purify($_REQUEST['return_module']);
