composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-19 15:22:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Security hardening

Browse Source
This commit is contained in:
jf-cbd
2024-04-23 11:55:39 +02:00
parent 16ff6341d0
commit eeec57536b
4 changed files with 82 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
datamodels/2.x/itop-hub-connector/TokenValidation.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
class TokenValidation
{
// construct function
public function __construct()
{
}
public function isSetupTokenValid($sParamToken) : bool
{
if (!file_exists(APPROOT.'data/.setup')) {
return false;
}
$sSetupToken = trim(file_get_contents(APPROOT.'data/.setup'));
unlink(APPROOT.'data/.setup');
return $sParamToken === $sSetupToken;
}
}

20
datamodels/2.x/itop-hub-connector/launch.php
View File

@@ -280,6 +280,7 @@ try
require_once ('hubconnectorpage.class.inc.php');
require_once (APPROOT.'/application/startup.inc.php');
require_once('TokenValidation.php');
$sTargetRoute = utils::ReadParam('target', ''); // ||browse_extensions|deploy_extensions|
@@ -299,11 +300,20 @@ try
case 'inform_after_setup':
// Hidden IFRAME at the end of the setup
require_once (APPROOT.'/application/ajaxwebpage.class.inc.php');
$oPage = new NiceWebPage('');
$aDataToPost = MakeDataToPost($sTargetRoute);
$oPage->add('<form id="hub_launch_form" action="'.$sHubUrlStateless.'" method="post">');
$oPage->add('<input type="hidden" name="json" value="'.htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8').'">');
$oPage->add_ready_script('$("#hub_launch_form").submit();');
$sParamToken = utils::ReadParam('setup_token');
$oTokenValidation = new TokenValidation();
$bIsTokenValid = $oTokenValidation->isSetupTokenValid($sParamToken);
if (UserRights::IsAdministrator() || $bIsTokenValid) {
$oPage = new NiceWebPage('');
$aDataToPost = MakeDataToPost($sTargetRoute);
$oPage->add('<form id="hub_launch_form" action="' . $sHubUrlStateless . '" method="post">');
$oPage->add('<input type="hidden" name="json" value="' . htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8') . '">');
$oPage->add_ready_script('$("#hub_launch_form").submit();');
} else {
IssueLog::Error('TokenValidation failed on inform_after_setup page');
throw new Exception("Not allowed");
}
break;
default: