composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-12 23:14:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°7124 - Security hardening

Browse Source
This commit is contained in:
jf-cbd
2024-07-03 15:51:23 +02:00
parent cb8af0a02b
commit 8b35679fcf
1 changed files with 18 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
pages/ajax.render.php
View File

@@ -27,27 +27,20 @@ use Combodo\iTop\Service\TemporaryObjects\TemporaryObjectManager;
require_once('../approot.inc.php');
// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
$sReferer = utils::HtmlEntities($_SERVER['HTTP_REFERER']);
IssueLog::Error("Unprotected ajax call from: $sReferer", 'SECURITY');
header('HTTP/1.1 401 Unauthorized');
die('Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks');
}
function LogErrorMessage($sMsgPrefix, $aContextInfo) {
$sCurrentUserLogin = UserRights::GetUser();
$sContextInfo = urldecode(http_build_query($aContextInfo, '', ', '));
$sErrorMessage = "$sMsgPrefix - User='$sCurrentUserLogin', $sContextInfo";
IssueLog::Error($sErrorMessage);
}
try
{
require_once(APPROOT.'/application/startup.inc.php');
require_once(APPROOT.'/application/user.preferences.class.inc.php');
// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] !== 'GET') {
$sReferer = $_SERVER['HTTP_REFERER'];
$sErrorMsg = 'Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks';
IssueLog::Error("Unprotected ajax call from: $sReferer. $sErrorMsg");
header('HTTP/1.1 401 Unauthorized');
die($sErrorMsg);
}
IssueLog::Trace('----- Request: '.utils::GetRequestUri(), LogChannels::WEB_REQUEST);
$oKPI = new ExecutionKPI();
$oKPI->ComputeAndReport('Data model loaded');
@@ -2609,3 +2602,11 @@ EOF
echo utils::EscapeHtml($e->GetMessage());
IssueLog::Error($e->getMessage()."\nDebug trace:\n".$e->getTraceAsString());
}
function LogErrorMessage($sMsgPrefix, $aContextInfo) {
$sCurrentUserLogin = UserRights::GetUser();
$sContextInfo = urldecode(http_build_query($aContextInfo, '', ', '));
$sErrorMessage = "$sMsgPrefix - User='$sCurrentUserLogin', $sContextInfo";
IssueLog::Error($sErrorMessage);
}