Re: [Dolibarr-dev] A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

Tue, 05 Mar 2019 06:37:13 -0800 

Hello 

This is due to bad visibility in DolibarrModules, it's corrected, did
you update from last commits?

---
Frédéric FRANCE 

Le 2019-03-05 15:26, Philippe GRAND a écrit :

> For me I can't activate any module : 
> 
> ( ! ) FATAL ERROR: UNCAUGHT ERROR: CALL TO PRIVATE METHOD 
> DOLIBARRMODULES::_LOAD_TABLES() FROM CONTEXT 'MODBOM' IN 
> /HOME/HTTPD/VHOSTS/AFLAC.FR/DOMAINS/COMPTA.AFLAC.FR/HTTPDOCS/CORE/MODULES/MODBOM.CLASS.PHP
>  ON LINE _342_
> 
> ( ! ) ERROR: CALL TO PRIVATE METHOD DOLIBARRMODULES::_LOAD_TABLES() FROM 
> CONTEXT 'MODBOM' IN 
> /HOME/HTTPD/VHOSTS/AFLAC.FR/DOMAINS/COMPTA.AFLAC.FR/HTTPDOCS/CORE/MODULES/MODBOM.CLASS.PHP
>  ON LINE _342_
> 
> Philippe GRAND 
> 
> Le 04/03/2019 à 09:03, Frédéric FRANCE a écrit : 
> 
> Is it why I can't create new  module from modulebuilder? $_POST is cleaned 
> after include of main.inc.php
> 
> ---
> Frédéric FRANCE 
> 
> Le 2019-03-03 13:45, Laurent Destailleur a écrit : 
> A new option to enhance the security in Dolibarr exists... But it need some 
> test to check this new option is correctly implemented. 
> 
> Please add this new constant in your development environment: 
> MAIN_SECURITY_CSRF_WITH_TOKEN  to value 1
> 
> This will add a token into all forms and when the form is submitted, dolibarr 
> will check tat the form was submitted by a previous page of Dolibarr 
> generated by itself and not by another website. This is a very efficient 
> solution to fight against CSRF attacks. But it may recreate some regression 
> if it was not implemented everywhere (the field "token" must be set into 
> every form). 
> So please enable the option and if you find some forms that does not work 
> anymore, please report them on this mailing list.  
> Above all if you develop external module : This feature may become enabled by 
> default in a future version and your own module must be ready and must add 
> this field "token", like any other form into the core are doing. 
> 
> -- 
> 
> Laurent, aka eldy
> ------------------------------------------------------------------------------------
> Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
> Facebook: https://www.facebook.com/Destailleur.Laurent
> Twitter: https://www.twitter.com/eldy10 
> _______________________________________________
> Dolibarr-dev mailing list
> Dolibarr-dev@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev 
> 
> _______________________________________________
> Dolibarr-dev mailing list
> Dolibarr-dev@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

_______________________________________________
Dolibarr-dev mailing list
Dolibarr-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
_______________________________________________
Dolibarr-dev mailing list
Dolibarr-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

Répondre à