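// Force the active tab of the current "*.form.php" page when the request asks for it.
// The item type is the word right before ".form.php" in the executing script name
// (e.g. a script named "computer.form.php" yields "computer" — illustrative only).
// The dots are escaped so the pattern only matches the literal ".form.php" suffix
// instead of any two characters around "form" and "php".
if (isset($_REQUEST['forcetab']) && preg_match('/([a-zA-Z]+)\.form\.php/', $_SERVER['PHP_SELF'], $matches)) {
    $itemtype = $matches[1];
    Session::setActiveTab($itemtype, $_REQUEST['forcetab']);
}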
// Manage tabs: remember which tab was selected for the given item type.
// Both parameters must be present; a single isset() call checks them together.
if (isset($_REQUEST['glpi_tab'], $_REQUEST['itemtype'])) {
    Session::setActiveTab($_REQUEST['itemtype'], $_REQUEST['glpi_tab']);
}
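// Override list-limit if chosen.
// The value comes straight from the request and is kept in the session for later
// use, so only a well-formed integer is accepted; anything else (non-numeric text,
// an array value, ...) is ignored and the previously stored limit is left as is.
if (isset($_REQUEST['glpilist_limit'])) {
    $list_limit = filter_var($_REQUEST['glpilist_limit'], FILTER_VALIDATE_INT);
    if ($list_limit !== false) {
        $_SESSION['glpilist_limit'] = $list_limit;
    }
}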
// Security : Check HTTP_REFERRER : need to be in GLPI.
// Only enforced for non-CLI requests carrying POST data, and only when the
// DO_NOT_CHECK_HTTP_REFERER constant has not been defined by the page.
if (!defined('DO_NOT_CHECK_HTTP_REFERER') && !isCommandLine() && isset($_POST) && is_array($_POST) && count($_POST)) {
    // The referer is accepted when every condition below holds, evaluated in this order
    // (short-circuit): header present, parsable, host matches SERVER_NAME or the
    // forwarded server name, path present, and path starts with root_doc (if configured).
    $referer_ok = isset($_SERVER['HTTP_REFERER'])
        && is_array($url = parse_url($_SERVER['HTTP_REFERER']))
        && isset($url['host'])
        && ($url['host'] == $_SERVER['SERVER_NAME']
            || (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $url['host'] == $_SERVER['HTTP_X_FORWARDED_SERVER']))
        && isset($url['path'])
        && (empty($CFG_GLPI['root_doc']) || strpos($url['path'], $CFG_GLPI['root_doc']) === 0);

    if (!$referer_ok) {
        Html::displayErrorAndDie(__("The action you have requested is not allowed. Reload previous page before doing action again."), true);
    }
}
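// Security : check CSRF token
// Applies to every request carrying POST data, except ajax endpoints.
if (GLPI_USE_CSRF_CHECK && isset($_POST) && is_array($_POST) && count($_POST)) {
    // The ajax exclusion is decided on the request *path* only, so it reflects the
    // script actually being served rather than anything appended as a query string.
    // A malformed REQUEST_URI yields '' here, which never matches: the check then
    // applies (fail closed).
    $request_path = (string)parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    // root_doc is configuration, not a regex: quote it so its characters are matched
    // literally and cannot clash with the ':' delimiter.
    $ajax_pattern = ':' . preg_quote($CFG_GLPI['root_doc'], ':') . '(/plugins/[^/]*|)/ajax/:';

    // No ajax pages
    if (!preg_match($ajax_pattern, $request_path)) {
        if (!Session::validateCSRF($_POST)) {
            Html::displayErrorAndDie(__("The action you have requested is not allowed. Reload previous page before doing action again."), true);
        }
    }
}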
// SET new global Token
// The current CSRF token starts out empty here; presumably it is (re)generated
// later in the request — TODO confirm where it is populated.
$CURRENTCSRFTOKEN = '';
 /**
  * Check CSRF data
  *
  * Validates the CSRF token carried by the submitted data and stops the request
  * with an error page when it is not accepted. No-op when the CSRF check is
  * disabled through GLPI_USE_CSRF_CHECK.
  *
  * @since version 0.84.2
  *
  * @param array $data $_POST data
  *
  * @return void displays an error and exits if the token is not accepted
  **/
 public static function checkCSRF($data)
 {
     if (!GLPI_USE_CSRF_CHECK) {
         return;
     }
     if (Session::validateCSRF($data)) {
         return;
     }
     Html::displayErrorAndDie(__("The action you have requested is not allowed."), true);
 }