From b8b91db0071e8e660bffe0b23b760f77641464ed Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 9 May 2017 21:01:37 +0200
Subject: [PATCH] Use function top_httphead to include headers in pages.

---
 htdocs/admin/agenda_xcal.php | 10 +++++-----
 htdocs/cashdesk/affIndex.php | 3 ---
 htdocs/cashdesk/facturation_dhtml.php | 3 +--
 htdocs/cashdesk/tpl/ticket.tpl.php | 3 ++-
 htdocs/core/ajax/check_notifications.php | 7 +++++++
 htdocs/core/antispamimage.php | 3 ++-
 htdocs/core/js/datepicker.js.php | 2 +-
 htdocs/core/js/lib_head.js.php | 2 +-
 htdocs/core/js/lib_notification.js.php | 11 ++++++-----
 htdocs/core/js/select2_locale.js.php | 2 +-
 htdocs/core/js/timepicker.js.php | 2 +-
 htdocs/core/lib/functions.lib.php | 6 +++---
 htdocs/document.php | 2 +-
 htdocs/install/inc.php | 3 ++-
 htdocs/main.inc.php | 18 ++++++++++++------
 htdocs/paybox/lib/paybox.lib.php | 6 ++++--
 htdocs/paypal/lib/paypal.lib.php | 3 ++-
 htdocs/projet/jsgantt_language.js.php | 4 ++--
 htdocs/support/inc.php | 3 ++-
 htdocs/theme/eldy/style.css.php | 2 +-
 htdocs/theme/md/style.css.php | 2 +-
 htdocs/viewimage.php | 4 ++--
 22 files changed, 59 insertions(+), 42 deletions(-)

diff --git a/htdocs/admin/agenda_xcal.php b/htdocs/admin/agenda_xcal.php
index 0e66125ba7c..1895eb5b15d 100644
--- a/htdocs/admin/agenda_xcal.php
+++ b/htdocs/admin/agenda_xcal.php
@@ -97,7 +97,7 @@ print "<td>".$langs->trans("Value")."</td>";
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print '<td class="fieldrequired">'.$langs->trans("PasswordTogetVCalExport")."</td>";
 print '<td><input required="required" type="text" class="flat" id="MAIN_AGENDA_XCAL_EXPORTKEY" name="MAIN_AGENDA_XCAL_EXPORTKEY" value="' . (GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha')?GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha'):$conf->global->MAIN_AGENDA_XCAL_EXPORTKEY) . '" size="40">';
 if (! empty($conf->use_javascript_ajax))
@@ -106,13 +106,13 @@ print '</td>';
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[true].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("PastDelayVCalExport")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_PAST_DELAY\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha')?GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha'):$conf->global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days")."</td>";
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("UseACacheDelay")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_CACHE\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha')?GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha'):$conf->global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\"></td>";
 print "<td> </td>";
@@ -128,8 +128,8 @@ print '<tr class="liste_titre">';
 print '<td width="25%">'.$langs->trans("Parameter")."</td>";
 print "<td>".$langs->trans("Value")."</td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
-print '<td class="fieldrequired">'.$langs->trans("FixTZ")."</td>";
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("FixTZ")."</td>";
 print "<td>";
 print '<input class="flat" type="text" size="4" name="AGENDA_EXPORT_FIX_TZ" value="'.$conf->global->AGENDA_EXPORT_FIX_TZ.'">';
 print ' '.$langs->trans("FillThisOnlyIfRequired");
diff --git a/htdocs/cashdesk/affIndex.php b/htdocs/cashdesk/affIndex.php
index 6b1d13f719f..b5432b94eec 100644
--- a/htdocs/cashdesk/affIndex.php
+++ b/htdocs/cashdesk/affIndex.php
@@ -45,9 +45,6 @@ $langs->load("cashdesk");
 $form = new Form($db);
-//header("Content-type: text/html; charset=UTF-8");
-//header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
 $arrayofjs=array();
 $arrayofcss=array('/cashdesk/css/style.css');
diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php
index 8d4ebf8af31..3046644c35e 100644
--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
@@ -39,8 +39,7 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php';
-//header("Content-type: text/html; charset=UTF-8");
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+top_httphead('text/html');
 $search = GETPOST("code", "alpha");
diff --git a/htdocs/cashdesk/tpl/ticket.tpl.php b/htdocs/cashdesk/tpl/ticket.tpl.php
index 40be470c429..82b84ba3b56 100644
--- a/htdocs/cashdesk/tpl/ticket.tpl.php
+++ b/htdocs/cashdesk/tpl/ticket.tpl.php
@@ -20,7 +20,8 @@ include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
 $langs->load("main");
 $langs->load('cashdesk');
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+
+top_httphead('text/html');
 $facid=GETPOST('facid','int');
 $object=new Facture($db);
diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php
index fa3edd7a4be..332626fbabd 100644
--- a/htdocs/core/ajax/check_notifications.php
+++ b/htdocs/core/ajax/check_notifications.php
@@ -24,6 +24,13 @@ if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
 require '../../main.inc.php';
+
+/*
+ * View
+ */
+
+top_httphead('text/html'); // TODO Use a json mime type
+
 global $user, $db, $langs, $conf;
 $time = (int) GETPOST('time'); // Use the time parameter that is always increased by time_update, even if call is late
diff --git a/htdocs/core/antispamimage.php b/htdocs/core/antispamimage.php
index a16844dd715..816763eeaf5 100644
--- a/htdocs/core/antispamimage.php
+++ b/htdocs/core/antispamimage.php
@@ -58,7 +58,8 @@ if (empty($img))
 exit;
 }
-header("Content-type: image/png");
+// Define mime type
+top_httphead('image/png');
 $background_color = imagecolorallocate($img, 250, 250, 250);
 $ecriture_color = imagecolorallocate($img, 0, 0, 0);
diff --git a/htdocs/core/js/datepicker.js.php b/htdocs/core/js/datepicker.js.php
index 02666409fc3..50c140f6f82 100644
--- a/htdocs/core/js/datepicker.js.php
+++ b/htdocs/core/js/datepicker.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php
index 8909f446812..e604f3281f9 100644
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@@ -39,7 +39,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php
index a3b90a35db6..b640f4cc81b 100644
--- a/htdocs/core/js/lib_notification.js.php
+++ b/htdocs/core/js/lib_notification.js.php
@@ -33,21 +33,22 @@ if (! ($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root . '/' || $_SERVER['H
 {
 global $langs, $conf;
- // Define javascript type
- header('Content-type: text/javascript; charset=UTF-8');
-
+ top_httphead('text/javascript; charset=UTF-8');
+
 $nowtime = time();
 //$nowtimeprevious = floor($nowtime / 60) * 60; // auto_check_events_not_before is rounded to previous minute
 // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when.
+ /* session already started into main
 session_cache_limiter(FALSE);
 header('Cache-Control: no-cache');
- session_start();
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
+ session_start();*/
 if (! isset($_SESSION['auto_check_events_not_before']))
 {
 print 'console.log("_SESSION[auto_check_events_not_before] is not set");'."\n";
 // Round to eliminate the seconds
- $_SESSION['auto_check_events_not_before'] = $nowtime; // auto_check_events_not_before is rounded to previous minute
+ $_SESSION['auto_check_events_not_before'] = $nowtime;
 }
 print 'var nowtime = ' . $nowtime . ';' . "\n";
 print 'var login = \'' . $_SESSION['dol_login'] . '\';' . "\n";
diff --git a/htdocs/core/js/select2_locale.js.php b/htdocs/core/js/select2_locale.js.php
index 31c6a91bc74..aa62b5a0ec1 100644
--- a/htdocs/core/js/select2_locale.js.php
+++ b/htdocs/core/js/select2_locale.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
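Review bot: The session block is left in place as commented-out code (`/* session already started into main … session_start();*/`) including a `session_set_cookie_params` call that never runs; delete the block and keep only the reason as a comment, e.g. `// Session is already started by main.inc.php, do not restart it here`. The replacement of the `$_SESSION['auto_check_events_not_before']` assignment dropped its trailing note but the `// Round to eliminate the seconds` line above it stays, and the code now stores the raw `$nowtime` (the rounding is the commented-out `$nowtimeprevious` line), so that comment should go too or say that no rounding is done. The enclosing if block starts outside the hunk.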
diff --git a/htdocs/core/js/timepicker.js.php b/htdocs/core/js/timepicker.js.php
index cc33a5a3933..8342ac9e3ac 100644
--- a/htdocs/core/js/timepicker.js.php
+++ b/htdocs/core/js/timepicker.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e3c6cb7d5cd..8dbc705c5b2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -400,11 +400,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 /**
- * Return a prefix to use for this Dolibarr instance for session or cookie names.
+ * Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
 * This prefix is unique for instance and avoid conflict between multi-instances,
- * even when having two instances with one root dir or two instances in virtual servers
+ * even when having two instances with one root dir or two instances in virtual servers.
 *
- * @param string $mode '' or 'email'
+ * @param string $mode '' (prefix for session name) or 'email' (prefix for email id)
 * @return string A calculated prefix
 */
 function dol_getprefix($mode='')
diff --git a/htdocs/document.php b/htdocs/document.php
index 02eb7193675..4e4f18826ef 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -170,9 +170,9 @@ if (! file_exists($original_file_osencoded))
 }
 // Permissions are ok and file found, so we return it
+top_httphead($type);
 header('Content-Description: File Transfer');
 if ($encoding) header('Content-Encoding: '.$encoding);
-if ($type) header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
 if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
 else header('Content-Disposition: inline; filename="'.$filename.'"');
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 840fa709ddf..6da4125a56c 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -384,7 +384,8 @@ function pHeader($subtitle,$next,$action='set',$param='',$forcejqueryurl='',$css
 // We force the content charset
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML>'."\n";
 print '<html>'."\n";
 print '<head>'."\n";
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ab92df9ca12..11dccf47ade 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -197,6 +197,7 @@ $sessionname='DOLSESSID_'.$prefix;
 $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
+session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start();
 if (ini_get('register_globals')) // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
 {
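Review bot: `top_httphead($type);` at the top of the hunk runs unconditionally, whereas the removed line only sent a Content-Type when `$type` was non-empty; with an empty `$type` the new code emits a Content-Type header with an empty value, and text types other than exactly text/html (text/plain, text/csv) lose the charset the old `preg_match('/text/',$type)` branch appended. Keep the guard, `if ($type) top_httphead($type);`, and consider making top_httphead append the charset for every `text/*` type rather than only text/html. The code that computes $type and $encoding starts outside the hunk.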
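Review bot: The installer header gets `X-Content-Type-Options: nosniff` by hand but not the `X-Frame-Options: SAMEORIGIN` that top_httphead in main.inc.php now sends, so install pages stay framable while the rest of the application is not; add `header("X-Frame-Options: SAMEORIGIN");` beside it. The same hand-written nosniff line is added in paybox.lib.php (both hunks), paypal.lib.php and support/inc.php; where main.inc.php is already loaded in those paths, which I cannot confirm from the hunks, a single `top_httphead('text/html');` call would keep the header set in one place as the commit title intends. pHeader continues outside the hunk.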
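Review bot: `session_set_cookie_params(0, '/', null, false, true)` hard-codes the secure flag to false, so on an HTTPS deployment the session cookie is still offered over plain HTTP; derive it from the request, e.g. `$secure = (! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off');` followed by `session_set_cookie_params(0, '/', null, $secure, true);`. The identical call is repeated in the two session_destroy/session_start hunks at -528 and -586 of this file, so a small helper or a variable set once near $sessionname would keep the three copies from drifting. The trailing comment only mentions httponly; it should also state why secure is not set if that is deliberate.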
@@ -528,6 +529,7 @@ if (! defined('NOLOGIN'))
 dol_syslog('User not found, connexion refused');
 session_destroy();
 session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start(); // Fixing the bug of register_globals here is useless since session is empty
 if ($resultFetchUser == 0)
@@ -586,6 +588,7 @@ if (! defined('NOLOGIN'))
 dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
 session_destroy();
 session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start(); // Fixing the bug of register_globals here is useless since session is empty
 if ($resultFetchUser == 0)
@@ -967,19 +970,22 @@ if (! function_exists("llxHeader"))
 /**
 * Show HTTP header
 *
+ * @param string $contenttype Content type. For example, 'text/html'
 * @return void
 */
-function top_httphead()
+function top_httphead($contenttype='text/html')
 {
 global $conf;
- //header("Content-type: text/html; charset=UTF-8");
- header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client);
+ else header("Content-Type: ".$contenttype);
+ header("X-Content-Type-Options: nosniff");
+ header("X-Frame-Options: SAMEORIGIN");
+
 // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
- if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
+ /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
 ob_start("ob_gzhandler");
- }
+ }*/
 }
 /**
diff --git a/htdocs/paybox/lib/paybox.lib.php b/htdocs/paybox/lib/paybox.lib.php
index 922679bcb86..ca5fd6a71ad 100644
--- a/htdocs/paybox/lib/paybox.lib.php
+++ b/htdocs/paybox/lib/paybox.lib.php
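Review bot: The gzip block in top_httphead is commented out rather than removed, so `MAIN_OPTIMIZE_SPEED & 0x04` silently stops doing anything while the comment above it still tells the reader to set bit 3; either delete the block together with that comment or replace it with one line saying why compression was disabled here. The content-type branch uses loose comparison and a stray space, `if ($contenttype === 'text/html') header(...)` reads better and avoids type juggling on the parameter. Because only an exact 'text/html' gets a charset, callers passing other text types must append it themselves, which the js callers in this commit do and the css callers do not; consider `strncmp($contenttype, 'text/', 5) === 0` as the condition so every text type is labelled consistently.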
@@ -36,7 +36,8 @@ function llxHeaderPaybox($title, $head = "")
 global $user, $conf, $langs;
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
 //print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd>';
 print "\n";
@@ -171,7 +172,8 @@ function print_paybox_redirect($PRICE,$CURRENCY,$EMAIL,$urlok,$urlko,$TAG)
 dol_syslog("PBX_TYPEPAIEMENT: $PBX_TYPEPAIEMENT", LOG_DEBUG);
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<html>'."\n";
 print '<head>'."\n";
 print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=".$conf->file->character_set_client."\">\n";
diff --git a/htdocs/paypal/lib/paypal.lib.php b/htdocs/paypal/lib/paypal.lib.php
index 4c1cb588f1f..b1be8f56647 100644
--- a/htdocs/paypal/lib/paypal.lib.php
+++ b/htdocs/paypal/lib/paypal.lib.php
@@ -35,7 +35,8 @@ function llxHeaderPaypal($title, $head = "")
 global $user, $conf, $langs;
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 $appli='Dolibarr';
 if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
diff --git a/htdocs/projet/jsgantt_language.js.php b/htdocs/projet/jsgantt_language.js.php
index f6b5799bda0..7aafd97fb45 100644
--- a/htdocs/projet/jsgantt_language.js.php
+++ b/htdocs/projet/jsgantt_language.js.php
@@ -34,8 +34,8 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
 require_once __DIR__.'/../main.inc.php';
-// Define css type
-header('Content-type: text/javascript');
+// Define mime type
+top_httphead('text/javascript');
 global $langs;
 ?>
diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php
index 869dace222d..16aa40b246d 100644
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
@@ -207,7 +207,8 @@ function pHeader($soutitre,$next,$action='none')
 // On force contenu dans format sortie
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'."\n";
 print '<html manifest="'.DOL_URL_ROOT.'/cache.manifest">'."\n";
 print '<head>'."\n";
diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php
index 9de83c3bd97..f923413da4c 100644
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
@@ -45,7 +45,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index e6809a2c574..3bd33b07225 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -46,7 +46,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index f69c7e4e4aa..4f1ef007f1f 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -191,13 +191,13 @@ else
 // Open and return file
 // Les drois sont ok et fichier trouve
 if ($type)
 {
+ top_httphead($type);
 header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: '.$type);
 }
 else
 {
+ top_httphead('image/png');
 header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: image/png');
 }
 $original_file_osencoded=dol_osencode($original_file);
-- 
GitLab