From 707ccf452eee5271e3a4af95938701bbac22f9a4 Mon Sep 17 00:00:00 2001
From: Peter Rotich
Date: Wed, 6 Mar 2013 13:49:35 -0500
Subject: [PATCH] Disable invalid CSRF token alerts - warning gets logged as usual.
---
 include/class.osticket.php | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/class.osticket.php b/include/class.osticket.php
index 4445aca6..fa4cdc0f 100644
--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -26,11 +26,11 @@ class.osticket.php
 class osTicket {
 var $loglevel=array(1=>'Error','Warning','Debug');
-
+
 //Page errors.
 var $errors;
-//System
+//System
 var $system;
@@ -47,7 +47,7 @@ class osTicket {
 var $csrf;
 function osTicket($cfgId) {
-
+
 $this->config = Config::lookup($cfgId);
 //DB based session storage was added starting with v1.7
@@ -109,13 +109,13 @@ function checkCSRFToken($name='') {
 $name = $name?$name:$this->getCSRF()->getTokenName();
 if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name])) return true;
-
+
 if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN'])) return true;
 $msg=sprintf('Invalid CSRF token [%s] on %s', ($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE);
-$this->logWarning('Invalid CSRF Token '.$name, $msg);
+$this->logWarning('Invalid CSRF Token '.$name, $msg, false);
 return false;
 }
@@ -129,7 +129,7 @@ function validateLinkToken($token) {
 }
 function isFileTypeAllowed($file, $mimeType='') {
-
+
 if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes())) return false;
@@ -148,9 +148,9 @@ function isFileTypeAllowed($file, $mimeType='') {
 /* Replace Template Variables */
 function replaceTemplateVariables($input, $vars=array()) {
-
+
 $replacer = new VariableReplacer();
-$replacer->assign(array_merge($vars,
+$replacer->assign(array_merge($vars,
 array('url' => $this->getConfig()->getBaseUrl()) ));
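Review bot: The new `$this->logWarning('Invalid CSRF Token '.$name, $msg, false);` passes the alert flag as a bare positional `false`, so nothing at the call site records that suppressing the admin email while keeping the log row is deliberate; a one-line comment such as `// Log only: token mismatches from stale sessions are routine, so no admin alert` would say so, and with alerts off that syslog row (which log() stamps with REMOTE_ADDR, visible in the -306 hunk) becomes the only place a burst of token failures is noticeable. The `$msg` built two lines above reads both `$_POST[$name]` and `$_SERVER['HTTP_X_CSRFTOKEN']` and joins them with an empty separator, although neither index is guaranteed to exist at that point, so a failure emits an undefined-index notice whenever one is absent and the bracketed value cannot be attributed to the form field or the header. Logging whichever was present, e.g. `$token = isset($_POST[$name]) ? $_POST[$name] : (isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '');` followed by `$msg=sprintf('Invalid CSRF token [%s] on %s', $token, THISPAGE);`, keeps the entry unambiguous and notice-free. checkCSRFToken's signature appears only in the hunk header, so the function opens outside the hunk.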
@@ -220,7 +220,7 @@ function clearNotice() {
 function alertAdmin($subject, $message, $log=false) {
-
+
 //Set admin's email address
 if(!($to=$this->getConfig()->getAdminEmail())) $to=ADMIN_EMAIL;
@@ -231,7 +231,7 @@ function alertAdmin($subject, $message, $log=false) {
 //Try getting the alert email.
 $email=null;
-if(!($email=$this->getConfig()->getAlertEmail()))
+if(!($email=$this->getConfig()->getAlertEmail()))
 $email=$this->getConfig()->getDefaultEmail(); //will take the default email.
 if($email) {
@@ -257,7 +257,7 @@ function logInfo($title, $message, $alert=false) {
 function logWarning($title, $message, $alert=true) {
 return $this->log(LOG_WARN, $title, $message, $alert);
 }
-
+
 function logError($title, $error, $alert=true) {
 return $this->log(LOG_ERR, $title, $error, $alert);
 }
@@ -275,8 +275,8 @@ function log($priority, $title, $message, $alert=false) {
 //We are providing only 3 levels of logs. Windows style.
 switch($priority) {
 case LOG_EMERG:
-case LOG_ALERT:
-case LOG_CRIT:
+case LOG_ALERT:
+case LOG_CRIT:
 case LOG_ERR:
 $level=1; //Error
 break;
@@ -306,9 +306,9 @@ function log($priority, $title, $message, $alert=false) {
 ',log_type='.db_input($loglevel[$level]). ',log='.db_input($message). ',ip_address='.db_input($_SERVER['REMOTE_ADDR']);
-
+
 mysql_query($sql); //don't use db_query to avoid possible loop.
-
+
 return true;
 }
@@ -320,7 +320,7 @@ function purgeLogs() {
 //System logs
 $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE DATE_ADD(created, INTERVAL '.$gp.' MONTH)<=NOW()';
 db_query($sql);
-
+
 //TODO: Activity logs
 return true;