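// Force the active tab of an item form when "forcetab" is passed in the request.
// The itemtype is taken from the script name (<itemtype>.form.php); the dots are
// escaped so that only a real ".form.php" script name matches, not any character.
if (isset($_REQUEST['forcetab'])) {
   if (preg_match('/([a-zA-Z]+)\.form\.php/', $_SERVER['PHP_SELF'], $matches)) {
      $itemtype = $matches[1];
      Session::setActiveTab($itemtype, $_REQUEST['forcetab']);
   }
}

// Manage tabs: itemtype and tab are both given explicitly in the request
if (isset($_REQUEST['glpi_tab']) && isset($_REQUEST['itemtype'])) {
   Session::setActiveTab($_REQUEST['itemtype'], $_REQUEST['glpi_tab']);
}

// Override list-limit if chosen.
// The value comes from the request, so it is cast to int before being stored in the
// session rather than keeping an arbitrary user-supplied string there.
if (isset($_REQUEST['glpilist_limit'])) {
   $_SESSION['glpilist_limit'] = (int)$_REQUEST['glpilist_limit'];
}

// Security : Check HTTP_REFERER : need to be in GLPI.
// Applies only to POST requests carrying data, outside of the command line, and can be
// disabled by a page through the DO_NOT_CHECK_HTTP_REFERER constant.
// The referer is a client-supplied header: this check complements the CSRF token
// check below, it does not replace it.
if (!defined('DO_NOT_CHECK_HTTP_REFERER') && !isCommandLine() && !empty($_POST)) {
   // Grouping made explicit: the host must match SERVER_NAME, or the
   // X-Forwarded-Server header when one is present; the path must start with
   // root_doc whenever root_doc is configured.
   // NOTE(review): HTTP_X_FORWARDED_SERVER is itself a request header - confirm the
   // front proxy sets/strips it so it is not under client control.
   if (!isset($_SERVER['HTTP_REFERER'])
       || !is_array($url = parse_url($_SERVER['HTTP_REFERER']))
       || !isset($url['host'])
       || ($url['host'] != $_SERVER['SERVER_NAME']
           && (!isset($_SERVER['HTTP_X_FORWARDED_SERVER'])
               || $url['host'] != $_SERVER['HTTP_X_FORWARDED_SERVER']))
       || !isset($url['path'])
       || (!empty($CFG_GLPI['root_doc'])
           && strpos($url['path'], $CFG_GLPI['root_doc']) !== 0)) {
      Html::displayErrorAndDie(__("The action you have requested is not allowed. Reload previous page before doing action again."), true);
   }
}

// Security : check CSRF token (POST requests carrying data only)
if (GLPI_USE_CSRF_CHECK && !empty($_POST)) {
   // No ajax pages.
   // root_doc is quoted so a configured value containing regex metacharacters
   // (or the ':' delimiter) cannot alter or break the pattern.
   if (!preg_match(':' . preg_quote($CFG_GLPI['root_doc'], ':') . '(/plugins/[^/]*|)/ajax/:',
                   $_SERVER['REQUEST_URI'])) {
      if (!Session::validateCSRF($_POST)) {
         Html::displayErrorAndDie(__("The action you have requested is not allowed. Reload previous page before doing action again."), true);
      }
   }
}

// SET new global Token
$CURRENTCSRFTOKEN = '';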
/**
 * Check CSRF data
 *
 * Validates the CSRF token contained in the submitted data; when the token is
 * rejected the request is stopped with an error page. Nothing is done at all
 * when GLPI_USE_CSRF_CHECK is disabled.
 *
 * @since version 0.84.2
 *
 * @param $data array $_POST data
 *
 * @return nothing : display error if not permitted
**/
public static function checkCSRF($data) {
   // CSRF checking is turned off globally: nothing to validate
   if (!GLPI_USE_CSRF_CHECK) {
      return;
   }

   // Token accepted: let the request go on
   if (Session::validateCSRF($data)) {
      return;
   }

   Html::displayErrorAndDie(__("The action you have requested is not allowed."), true);
}