sec(App) validate CSRF on delete action

tsolucio · Aug 14, 2021 · 42369cf · 42369cf
1 parent f8a0221
commit 42369cf
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 5 deletions.
diff --git a/include/utils/Request.php b/include/utils/Request.php
@@ -194,6 +194,25 @@ protected function validateCSRF() {
 		}
 	}
 
+	public static function validateRequest($die = true, $msg = true) {
+		$request = new Vtiger_Request($_REQUEST);
+		try {
+			$request->validateWriteAccess();
+		} catch (\Throwable $th) {
+			if ($msg) {
+				require_once 'Smarty_setup.php';
+				echo '<br><br>';
+				$smarty = new vtigerCRM_Smarty();
+				$smarty->assign('csrfWarning', getTranslatedString($th->getMessage()));
+				$smarty->assign('csrfReload', getTranslatedString('csrf_reload'));
+				$smarty->display('csrf-warning.tpl');
+			}
+			if ($die) {
+				die();
+			}
+		}
+	}
+
 	public static function get_ip() {
 		$headers = $_SERVER;
 		// check for shared internet/ISP IP

diff --git a/modules/Calendar4You/Delete.php b/modules/Calendar4You/Delete.php
@@ -10,7 +10,7 @@
 require_once 'modules/Calendar4You/CalendarUtils.php';
 
 global $currentModule, $current_user;
-
+Vtiger_Request::validateRequest();
 $Calendar4You = new Calendar4You();
 
 $Calendar4You->GetDefPermission($current_user);

diff --git a/modules/PriceBooks/Delete.php b/modules/PriceBooks/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);

diff --git a/modules/ProductComponent/Delete.php b/modules/ProductComponent/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);

diff --git a/modules/Products/Delete.php b/modules/Products/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);

diff --git a/modules/Vtiger/Delete.php b/modules/Vtiger/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);