From 42369cf5c94224cd7723b0cab6b3e454495ade34 Mon Sep 17 00:00:00 2001 From: Joe Bordes Date: Sat, 14 Aug 2021 10:01:47 +0200 Subject: [PATCH] sec(App) validate CSRF on delete action --- include/utils/Request.php | 19 +++++++++++++++++++ modules/Calendar4You/Delete.php | 2 +- modules/PriceBooks/Delete.php | 2 +- modules/ProductComponent/Delete.php | 2 +- modules/Products/Delete.php | 2 +- modules/Vtiger/Delete.php | 2 +- 6 files changed, 24 insertions(+), 5 deletions(-) diff --git a/include/utils/Request.php b/include/utils/Request.php index 552dda3cca..c30dcf564d 100644 --- a/include/utils/Request.php +++ b/include/utils/Request.php @@ -194,6 +194,25 @@ protected function validateCSRF() { } } + public static function validateRequest($die = true, $msg = true) { + $request = new Vtiger_Request($_REQUEST); + try { + $request->validateWriteAccess(); + } catch (\Throwable $th) { + if ($msg) { + require_once 'Smarty_setup.php'; + echo '

'; + $smarty = new vtigerCRM_Smarty(); + $smarty->assign('csrfWarning', getTranslatedString($th->getMessage())); + $smarty->assign('csrfReload', getTranslatedString('csrf_reload')); + $smarty->display('csrf-warning.tpl'); + } + if ($die) { + die(); + } + } + } + public static function get_ip() { $headers = $_SERVER; // check for shared internet/ISP IP diff --git a/modules/Calendar4You/Delete.php b/modules/Calendar4You/Delete.php index 971ca48e6a..fa224f5ecd 100644 --- a/modules/Calendar4You/Delete.php +++ b/modules/Calendar4You/Delete.php @@ -10,7 +10,7 @@ require_once 'modules/Calendar4You/CalendarUtils.php'; global $currentModule, $current_user; - +Vtiger_Request::validateRequest(); $Calendar4You = new Calendar4You(); $Calendar4You->GetDefPermission($current_user); diff --git a/modules/PriceBooks/Delete.php b/modules/PriceBooks/Delete.php index d06a3df7cf..88799b45e2 100644 --- a/modules/PriceBooks/Delete.php +++ b/modules/PriceBooks/Delete.php @@ -8,8 +8,8 @@ * All Rights Reserved. ************************************************************************************/ global $currentModule; +Vtiger_Request::validateRequest(); $focus = CRMEntity::getInstance($currentModule); - $record = vtlib_purify($_REQUEST['record']); $module = urlencode(vtlib_purify($_REQUEST['module'])); $return_module = vtlib_purify($_REQUEST['return_module']); diff --git a/modules/ProductComponent/Delete.php b/modules/ProductComponent/Delete.php index 5f15e1f27d..a69ffb847a 100644 --- a/modules/ProductComponent/Delete.php +++ b/modules/ProductComponent/Delete.php @@ -8,8 +8,8 @@ * All Rights Reserved. ************************************************************************************/ global $currentModule; +Vtiger_Request::validateRequest(); $focus = CRMEntity::getInstance($currentModule); - $record = vtlib_purify($_REQUEST['record']); $module = urlencode(vtlib_purify($_REQUEST['module'])); $return_module = vtlib_purify($_REQUEST['return_module']); 
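Review bot: When `$die` is false, `validateRequest()` returns nothing, so a caller that opts out of `die()` has no way to learn that `validateWriteAccess()` threw and would simply carry on with the write; have the method report the outcome by ending the catch block with `return false;` and placing `return true;` after the try/catch. The `catch (\Throwable $th)` in the same hunk also converts any unrelated failure from `new Vtiger_Request($_REQUEST)` or `validateWriteAccess()` into a CSRF warning page; if `validateWriteAccess()` throws a specific exception type (not visible here), catching only that type would let genuine faults surface as errors instead. `$th->getMessage()` is handed to `getTranslatedString()` and then to `csrf-warning.tpl` as `csrfWarning`, so the template needs to escape that value — worth confirming, since the hunk does not show it. The enclosing class continues outside the hunk.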
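Review bot: `Vtiger_Request::validateRequest();` is added with no `require_once` for `include/utils/Request.php`, so these scripts depend on the class already being loaded by whatever includes them; confirm the entry point does so, or add `require_once 'include/utils/Request.php';` directly above the call. The same one-line addition appears in modules/PriceBooks/Delete.php, modules/ProductComponent/Delete.php, modules/Products/Delete.php and modules/Vtiger/Delete.php, and in each it sits before `CRMEntity::getInstance(...)` is created and before `$_REQUEST['record']` is read, which is the right position for a request-validity check. Any other module that ships its own Delete.php is not covered by this commit and would still run without the check; a search for `Delete.php` under modules/ would show whether the list is complete.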
diff --git a/modules/Products/Delete.php b/modules/Products/Delete.php
index 13d44ccb4b..fccbc287c2 100644
--- a/modules/Products/Delete.php
+++ b/modules/Products/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);
diff --git a/modules/Vtiger/Delete.php b/modules/Vtiger/Delete.php
index 27f3ce0079..17ff4ba8fb 100644
--- a/modules/Vtiger/Delete.php
+++ b/modules/Vtiger/Delete.php
@@ -8,8 +8,8 @@
  * All Rights Reserved.
  ************************************************************************************/
 global $currentModule;
+Vtiger_Request::validateRequest();
 $focus = CRMEntity::getInstance($currentModule);
-
 $record = vtlib_purify($_REQUEST['record']);
 $module = urlencode(vtlib_purify($_REQUEST['module']));
 $return_module = vtlib_purify($_REQUEST['return_module']);