From 6390f2de6fabd4210e71437021f2a33c815ff2d4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 18 Sep 2021 19:47:51 +0200
Subject: [PATCH] Fix add all confirm_* action as sensitive actions

---
 htdocs/main.inc.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d28004430f481..9c1122daf81cf 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -464,8 +464,6 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 $arrayofactiontoforcetokencheck = array(
 'activate', 'add', 'addrights', 'addtimespent',
- 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_delete', 'confirm_deletedir', 'confirm_deletefile', 'confirm_deleteline', 'confirm_purge', 'confirm_reject_check',
- 'confirm_activate', 'confirm_validate', 'confirm_close',
 'delete', 'deletecontact', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'delrights', 'disable', 'doprev', 'donext', 'dvprev', 'dvnext',
@@ -478,7 +476,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
 $sensitiveget = true;
 }
- if (preg_match('/^(disable_|enable_|setremise)/', GETPOST('action', 'aZ09'))) {
+ if (preg_match('/^(confirm_|disable_|enable_|setremise)/', GETPOST('action', 'aZ09'))) {
 $sensitiveget = true;
 }
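Review bot: The new preg_match line is now the only place where the confirm_* convention forces the CSRF token check, but the comment above `$arrayofactiontoforcetokencheck` in the first hunk still describes only the explicit list, so a reader pruning that array could assume the confirm_* actions lost their protection. A comment on the prefix branch would make the contract visible, e.g. `// Actions whose name starts with one of these prefixes are sensitive too: the token check is forced for them even if they are not listed in $arrayofactiontoforcetokencheck`. The `GETPOST('action', 'aZ09')` lookup is also evaluated separately for the list check and for the prefix check; reading it once into a local such as `$actionforcsrf = GETPOST('action', 'aZ09');` and using it in both conditions keeps the two checks on the same value and removes the duplication. The enclosing scope of these lines starts before the hunk, so the declaration of `$sensitiveget` is not visible here.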