Commit 707ccf45 authored by Peter Rotich's avatar Peter Rotich

Disable invalid CSRF token alerts - warning gets logged as usual.

parent eba99c39
...@@ -26,11 +26,11 @@ define('LOG_WARN',LOG_WARNING); ...@@ -26,11 +26,11 @@ define('LOG_WARN',LOG_WARNING);
class osTicket { class osTicket {
var $loglevel=array(1=>'Error','Warning','Debug'); var $loglevel=array(1=>'Error','Warning','Debug');
//Page errors. //Page errors.
var $errors; var $errors;
//System //System
var $system; var $system;
...@@ -47,7 +47,7 @@ class osTicket { ...@@ -47,7 +47,7 @@ class osTicket {
var $csrf; var $csrf;
function osTicket($cfgId) { function osTicket($cfgId) {
$this->config = Config::lookup($cfgId); $this->config = Config::lookup($cfgId);
//DB based session storage was added starting with v1.7 //DB based session storage was added starting with v1.7
...@@ -109,13 +109,13 @@ class osTicket { ...@@ -109,13 +109,13 @@ class osTicket {
$name = $name?$name:$this->getCSRF()->getTokenName(); $name = $name?$name:$this->getCSRF()->getTokenName();
if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name])) if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name]))
return true; return true;
if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN'])) if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN']))
return true; return true;
$msg=sprintf('Invalid CSRF token [%s] on %s', $msg=sprintf('Invalid CSRF token [%s] on %s',
($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE); ($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE);
$this->logWarning('Invalid CSRF Token '.$name, $msg); $this->logWarning('Invalid CSRF Token '.$name, $msg, false);
return false; return false;
} }
...@@ -129,7 +129,7 @@ class osTicket { ...@@ -129,7 +129,7 @@ class osTicket {
} }
function isFileTypeAllowed($file, $mimeType='') { function isFileTypeAllowed($file, $mimeType='') {
if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes())) if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes()))
return false; return false;
...@@ -148,9 +148,9 @@ class osTicket { ...@@ -148,9 +148,9 @@ class osTicket {
/* Replace Template Variables */ /* Replace Template Variables */
function replaceTemplateVariables($input, $vars=array()) { function replaceTemplateVariables($input, $vars=array()) {
$replacer = new VariableReplacer(); $replacer = new VariableReplacer();
$replacer->assign(array_merge($vars, $replacer->assign(array_merge($vars,
array('url' => $this->getConfig()->getBaseUrl()) array('url' => $this->getConfig()->getBaseUrl())
)); ));
...@@ -220,7 +220,7 @@ class osTicket { ...@@ -220,7 +220,7 @@ class osTicket {
function alertAdmin($subject, $message, $log=false) { function alertAdmin($subject, $message, $log=false) {
//Set admin's email address //Set admin's email address
if(!($to=$this->getConfig()->getAdminEmail())) if(!($to=$this->getConfig()->getAdminEmail()))
$to=ADMIN_EMAIL; $to=ADMIN_EMAIL;
...@@ -231,7 +231,7 @@ class osTicket { ...@@ -231,7 +231,7 @@ class osTicket {
//Try getting the alert email. //Try getting the alert email.
$email=null; $email=null;
if(!($email=$this->getConfig()->getAlertEmail())) if(!($email=$this->getConfig()->getAlertEmail()))
$email=$this->getConfig()->getDefaultEmail(); //will take the default email. $email=$this->getConfig()->getDefaultEmail(); //will take the default email.
if($email) { if($email) {
...@@ -257,7 +257,7 @@ class osTicket { ...@@ -257,7 +257,7 @@ class osTicket {
function logWarning($title, $message, $alert=true) { function logWarning($title, $message, $alert=true) {
return $this->log(LOG_WARN, $title, $message, $alert); return $this->log(LOG_WARN, $title, $message, $alert);
} }
function logError($title, $error, $alert=true) { function logError($title, $error, $alert=true) {
return $this->log(LOG_ERR, $title, $error, $alert); return $this->log(LOG_ERR, $title, $error, $alert);
} }
...@@ -275,8 +275,8 @@ class osTicket { ...@@ -275,8 +275,8 @@ class osTicket {
//We are providing only 3 levels of logs. Windows style. //We are providing only 3 levels of logs. Windows style.
switch($priority) { switch($priority) {
case LOG_EMERG: case LOG_EMERG:
case LOG_ALERT: case LOG_ALERT:
case LOG_CRIT: case LOG_CRIT:
case LOG_ERR: case LOG_ERR:
$level=1; //Error $level=1; //Error
break; break;
...@@ -306,9 +306,9 @@ class osTicket { ...@@ -306,9 +306,9 @@ class osTicket {
',log_type='.db_input($loglevel[$level]). ',log_type='.db_input($loglevel[$level]).
',log='.db_input($message). ',log='.db_input($message).
',ip_address='.db_input($_SERVER['REMOTE_ADDR']); ',ip_address='.db_input($_SERVER['REMOTE_ADDR']);
mysql_query($sql); //don't use db_query to avoid possible loop. mysql_query($sql); //don't use db_query to avoid possible loop.
return true; return true;
} }
...@@ -320,7 +320,7 @@ class osTicket { ...@@ -320,7 +320,7 @@ class osTicket {
//System logs //System logs
$sql='DELETE FROM '.SYSLOG_TABLE.' WHERE DATE_ADD(created, INTERVAL '.$gp.' MONTH)<=NOW()'; $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE DATE_ADD(created, INTERVAL '.$gp.' MONTH)<=NOW()';
db_query($sql); db_query($sql);
//TODO: Activity logs //TODO: Activity logs
return true; return true;
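Review bot: In the `@@ -109,13 +109,13 @@` hunk, the `$msg=sprintf(...)` lines still read `$_POST[$name]` and `$_SERVER['HTTP_X_CSRFTOKEN']` unconditionally, yet by that point at least one of the two `isset` checks above has failed, so every request with a missing token raises an undefined-index notice on its way into `logWarning()`; the commit only drops the admin alert on the following line and leaves this as it was. Concatenating both values also makes the logged token ambiguous when a request carries both. I would select the value that was actually present, e.g. `$token = isset($_POST[$name]) ? $_POST[$name] : (isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '');` and pass `$token` to `sprintf` in place of the concatenation. Since that token is caller-supplied input written to the syslog table, logging only its length or a truncated form would be enough to diagnose the failure. The enclosing method's signature lies outside the hunk, so the `$name` default logic before line 109 is not visible here.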