A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

Laurent Destailleur
A new option to enhance security in Dolibarr exists... But it needs some testing to check that this new option is correctly implemented.

Please add this new constant in your development environment:
MAIN_SECURITY_CSRF_WITH_TOKEN set to value 1

This will add a token into all forms and, when the form is submitted, Dolibarr will check that the form was submitted by a previous page of Dolibarr generated by itself and not by another website. This is a very efficient solution to fight against CSRF attacks. But it may create some regressions if it was not implemented everywhere (the field "token" must be set in every form).
So please enable the option and, if you find some forms that do not work anymore, please report them on this mailing list.
Above all if you develop an external module: this feature may become enabled by default in a future version and your own module must be ready and must add this field "token", as every other form in the core does.


--
Laurent, aka eldy
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: https://www.twitter.com/eldy10

_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
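The mechanism described in this post (a per-session token embedded in every form and checked on submission), as an added stand-alone illustration that is not Dolibarr's own code: the session is modelled as a plain array so the script runs from the CLI, and `render_form` / `check_csrf_token` are invented names. The second scenario shows the failure mode reported later in this thread, where a submission without a valid token keeps the session but loses its POST data.

```php
<?php
// Added illustration of a synchronizer-token CSRF check. Not Dolibarr's code:
// $session stands in for $_SESSION, $post for $_POST, and the function names
// are hypothetical.

// Page render: mint a fresh token, remember it server-side, embed it in the form.
// In this model every render rotates the token, so only the most recent page is valid.
function render_form(array &$session): string
{
    $session['newtoken'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    return '<form method="POST" action="card.php">'
         . '<input type="hidden" name="token" value="'
         . htmlspecialchars($session['newtoken'], ENT_QUOTES) . '">'
         . '<input type="hidden" name="action" value="create">'
         . '</form>';
}

// Form submission: keep the POST only if it carries the token this session issued.
// A missing or wrong token empties the request (the equivalent of unset($_POST)),
// so a forged submission silently performs no action.
function check_csrf_token(array $session, array $post): array
{
    $expected = $session['newtoken'] ?? '';
    $given    = (string) ($post['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        error_log('Wrong or missing CSRF token, POST data discarded');
        return [];
    }
    return $post;
}

// Constructed scenarios (no real browser involved).
$session = [];
$html = render_form($session);
preg_match('/name="token" value="([0-9a-f]+)"/', $html, $m);

// 1. Legitimate: the browser submits the form that was just rendered.
$ok = check_csrf_token($session, ['token' => $m[1], 'action' => 'create']);
// 2. Cross-site: a form on another origin cannot read the token, so it sends none.
$forged = check_csrf_token($session, ['action' => 'create']);
// 3. Stale: a form from an earlier render no longer matches the rotated token.
render_form($session);
$stale = check_csrf_token($session, ['token' => $m[1], 'action' => 'create']);

printf("legitimate submission kept action=%s\n", $ok['action'] ?? '(none)');
printf("cross-site submission kept %d POST fields\n", count($forged));
printf("stale-token submission kept %d POST fields\n", count($stale));
```

Scenario 3 is the kind of regression the post warns about: any page or external module that submits a form without the current token field will see its POST data discarded rather than an explicit error.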
Re: A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

Frédéric FRANCE

Is this why I can't create a new module from modulebuilder? $_POST is cleaned after the include of main.inc.php

---
Frédéric FRANCE


On 2019-03-03 13:45, Laurent Destailleur wrote:
_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
Re: A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

GRAND Philippe

For me, I can't activate any module:

( ! ) Fatal error: Uncaught Error: Call to private method DolibarrModules::_load_tables() from context 'modBom' in /home/httpd/vhosts/aflac.fr/domains/compta.aflac.fr/httpdocs/core/modules/modBom.class.php on line 342
( ! ) Error: Call to private method DolibarrModules::_load_tables() from context 'modBom' in /home/httpd/vhosts/aflac.fr/domains/compta.aflac.fr/httpdocs/core/modules/modBom.class.php on line 342

Philippe GRAND

On 04/03/2019 at 09:03, Frédéric FRANCE wrote:
_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
Re: A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

Frédéric FRANCE

Hello

This is due to bad visibility in DolibarrModules; it's corrected. Did you update from the last commits?

---
Frédéric FRANCE


On 2019-03-05 15:26, Philippe GRAND wrote:
_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
Re: A new security option for Dolibarr - MAIN_SECURITY_CSRF_WITH_TOKEN

GRAND Philippe

It's already better...

On 05/03/2019 at 15:35, Frédéric FRANCE wrote:
_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev