Security Token crash site if using old modules #16096
Comments
Is a downgrade from V13 to V12 possible?
Did you try with MAIN_SECURITY_CSRF_WITH_TOKEN set to 0?
I made several tests yesterday and can say for now: the bug has nothing to do with the server, MAIN_SECURITY_CSRF_WITH_TOKEN or MAIN_FEATURES_LEVEL. It makes no difference how they are set; the "security token expired" message stays the same. But what I could find out so far:
@choybe I did tests with V13 and I don't have all these problems when activating the CSRF token, even with Multicompany!
@JESSTOFUNK What are your external modules? Did you try without these modules?
I have a similar issue when trying to go back to the search page or list.php using the "return to last page" of Firefox.
I just got feedback from the DropDown menu developer. On his test site all seems compatible with v13, but on my site it crashes the site. I can therefore only conclude that the bug is somewhere in v13, in the definition or refresh of the security token.
I think this has something to do with the CSRF token validation, and more exactly with this part of the code: Lines 429 to 473 in 6fe5c2f
The session token weirdly doesn't match the GETPOST token. As a temporary workaround, you can edit the line
`if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token'])`
and add this line just before it:
`$_GET['token'] = $_SESSION['token']; // Tmp workaround for https://github.com/Dolibarr/dolibarr/issues/16096`
Like so: 🚧 Keep in mind that this is only a temporary workaround until the issue gets fixed by the Dolibarr team.
Hi, I'm not sure but it seems to me that the logical test doesn't match the comment in dolibarr/htdocs/main.inc.php Lines 429 to 431. I mean, what if MAIN_SECURITY_CSRF_WITH_TOKEN is defined but disabled? if (
Hi @daraelmin, I thought about that too but in the end I figured out that the logical test is correct, the comment is just not clear enough. Below are the cases when the logical test will fail:

```php
(
    ! defined('NOCSRFCHECK')
    // if NOCSRFCHECK is defined we exit the sub-condition
    && empty($dolibarr_nocsrfcheck)
    // if $dolibarr_nocsrfcheck is not empty we exit the sub-condition
    && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)
    // if $conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN is empty (which means it's disabled) we exit the sub-condition again
)
// if one of the sub-conditions above fails
|| defined('CSRFCHECK_WITH_TOKEN')
// and if CSRFCHECK_WITH_TOKEN is not defined we completely exit the logical test
```

If we wrap it all up together, it means that
Edit: if it's disabled then its value will be 0 &
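To make the precedence of `&&` over `||` in that test visible, here is an added example (not code from the thread or from Dolibarr) that evaluates a condition of the same shape for explicit inputs. The function name and its parameters are hypothetical stand-ins for `defined('NOCSRFCHECK')`, `$dolibarr_nocsrfcheck`, `$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN` and `defined('CSRFCHECK_WITH_TOKEN')`:

```php
<?php
// Added example (not Dolibarr code): evaluate the CSRF gate from main.inc.php
// for explicit inputs instead of relying on defined() and globals.
//   $nocsrfcheckDefined    stands in for defined('NOCSRFCHECK')
//   $dolibarrNocsrfcheck   stands in for $dolibarr_nocsrfcheck (from conf.php)
//   $csrfWithToken         stands in for $conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN
//   $csrfWithTokenDefined  stands in for defined('CSRFCHECK_WITH_TOKEN')
function csrfTokenCheckIsActive(
    bool $nocsrfcheckDefined,
    $dolibarrNocsrfcheck,
    $csrfWithToken,
    bool $csrfWithTokenDefined
): bool {
    // Same shape as the original test: (A && B && C) || D.
    // D alone is enough to enable the check; the global setting only counts
    // when none of the opt-outs (NOCSRFCHECK, $dolibarr_nocsrfcheck) apply.
    return (!$nocsrfcheckDefined
            && empty($dolibarrNocsrfcheck)
            && !empty($csrfWithToken))
        || $csrfWithTokenDefined;
}

// Constructed cases: [label, NOCSRFCHECK defined, $dolibarr_nocsrfcheck,
//                     MAIN_SECURITY_CSRF_WITH_TOKEN, CSRFCHECK_WITH_TOKEN defined]
$cases = [
    ['constant enabled, nothing else set',                    false, null, 1,   false],
    ['MAIN_SECURITY_CSRF_WITH_TOKEN set to 0 (disabled)',      false, null, 0,   false],
    ['MAIN_SECURITY_CSRF_WITH_TOKEN stored as the string "0"', false, null, '0', false],
    ['page defines NOCSRFCHECK',                               true,  null, 1,   false],
    ['$dolibarr_nocsrfcheck = 1 in conf.php',                  false, 1,    1,   false],
    ['page defines CSRFCHECK_WITH_TOKEN while the global is 0', false, null, 0,  true],
];

foreach ($cases as [$label, $a, $b, $c, $d]) {
    printf("%-58s => %s\n", $label,
        csrfTokenCheckIsActive($a, $b, $c, $d) ? 'token checked' : 'check skipped');
}
```

Note that `empty('0')` is true in PHP, so a constant stored as the string `"0"` disables the check exactly like the integer `0`, while a page that defines `CSRFCHECK_WITH_TOKEN` is checked regardless of the global setting.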
Right! I confused isset and empty... beginner error, sorry. Anyway, may the problem come from the upgrade of the getpost() function?
I don't think so, the problem is a token mismatch. I didn't go deeper in my investigation, but if you simply add an `echo GETPOST('token', 'alpha') . ' // ' . $_SESSION['token'];` before the following line: Line 457 in 6fe5c2f
you'll see that the token value from
Hi @AXeL-dev and others. I can confirm your workaround #issuecomment-770215709 is working well. No more trouble with "security token expired". Thanks a lot.
@hregis I had some external modules and my application became useless; the message appeared even when I tried to create a quote, agenda event or invoices. The token message didn't let me do anything, so I was not able to disable the modules. I had to go the hard way: I created a brand new installation with V13 and this time I do not have multi-company, I don't have external modules and I have MAIN_FEATURES_LEVEL at 0. The token message still appears randomly sometimes, and it's becoming more recurrent, but I do not have any of the items we thought were affecting it, so I think eventually it is going to be useless again. At least it lets me retry, and on the second try it saves the changes. The curious thing is that my TRAINING APPLICATION is not getting the message, and I have FEATURES LEVEL 2 and all the extra modules.
@JESSTOFUNK @choybe
From my side I can just say: with the solution of @AXeL-dev there are no more security token warnings when enabling or disabling any modules, built-in, experimental, or provided from Dolistore, even those that are out of date (in my case max v10, 11, 12).
Hi @hregis, I wonder if your solution is the right one, because I've found a new commit 4c9bf1d which advises using NOTOKENRENEWAL when using ajax.
Cheers
@eldy @hregis is there any way to provide a fix in a hurry? Please. Edit: adding
I just updated to DB 13.01. The bug continues; it still needs to be solved with the next version.
PR is here: #16124
Fix #16096 missing CSRF token and use post instead get
The last merge 5095e7f should fix all cases.
You can make this change https://github.com/Dolibarr/dolibarr/pull/16371/files to see in dolibarr.log which file requests a new token.
I have one 13 (upgraded) on my local CPU and one on an external CPU, installed 12->13.0.1.
If, after adding this log suggested by frederic24, you see in the dolibarr.log an ajax file or a js or css page asking for a new token, it means you have found a bug in this file. There are no such known files in v13.0.1, but a lot of external modules are still bugged and make the token renewal when they should not. Uninstall such modules. If it is not possible, try to remove completely the directory of the external module found in the /custom dir.
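The failure mode described in this thread (a form rendered with one token, then a module script renewing the session token before the form is submitted) and the logging approach from the PR linked above can be shown in a few lines. The following is an added example, not code from the thread or from Dolibarr; `issueToken`, `validateToken`, `$tokenLog` and the script names are constructed for illustration, and `$noTokenRenewal` stands in for a page defining `NOTOKENRENEWAL`:

```php
<?php
// Added example (not Dolibarr code): a minimal per-session CSRF token showing
//  1. why a request that renews the token invalidates forms already open in
//     the browser ("Security token expired"), and why an ajax/js/css endpoint
//     should declare NOTOKENRENEWAL (modelled here as $noTokenRenewal);
//  2. a log line naming the script that renewed the token, which is what the
//     dolibarr.log change above lets you find.
// In a real request session_start() populates $_SESSION; here it is reset by hand.

$tokenLog = []; // constructed stand-in for dolibarr.log

function issueToken(string $script, bool $noTokenRenewal, array &$log): string
{
    // A page that must not renew the token keeps the current one.
    if ($noTokenRenewal && !empty($_SESSION['token'])) {
        return $_SESSION['token'];
    }
    // Otherwise mint a fresh unpredictable token and record who asked for it.
    $_SESSION['token'] = bin2hex(random_bytes(16));
    $log[] = sprintf('token renewed by %s', $script);
    return $_SESSION['token'];
}

function validateToken(?string $submitted): bool
{
    // The token should travel in the POST body, not the URL; a missing or
    // mismatched token fails. hash_equals avoids a timing side channel.
    return $submitted !== null
        && !empty($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

// Constructed request sequence 1: a card page renders a form, then a module
// ajax endpoint that does not declare NOTOKENRENEWAL replaces the token.
$_SESSION = [];
$formToken = issueToken('/card.php', false, $tokenLog);                     // constructed path
issueToken('/custom/somemodule/ajax/refresh.php', false, $tokenLog);        // constructed path
$afterRenewingAjax = validateToken($formToken);   // false: session token changed

// Constructed request sequence 2: the same endpoint declares NOTOKENRENEWAL.
$_SESSION = [];
$formToken = issueToken('/card.php', false, $tokenLog);
issueToken('/custom/somemodule/ajax/refresh.php', true, $tokenLog);
$afterQuietAjax = validateToken($formToken);      // true: token untouched

printf("form submit after renewing ajax call : %s\n",
    $afterRenewingAjax ? 'accepted' : 'rejected (security token expired)');
printf("form submit after NOTOKENRENEWAL call: %s\n",
    $afterQuietAjax ? 'accepted' : 'rejected (security token expired)');

// The log identifies the script that renewed the token, i.e. the file to fix.
foreach ($tokenLog as $line) {
    echo $line, "\n";
}
```

Run from the command line, the first sequence is rejected and the second accepted, and the log lists `/card.php` and `/custom/somemodule/ajax/refresh.php` as renewers in the first sequence but only `/card.php` in the second. Grepping a real dolibarr.log for the same kind of line, and checking whether the named file belongs to core or to /custom, is the triage step eldy describes.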
I can confirm the suggestion of @eldy with db 13.02: uninstalling all external modules and deleting them in htdocs/custom helps. To reinstall the external modules, their compatibility has to be tested one by one.
Hello @eldy, if I understand well what you mean:
Thanks @AXeL-dev, this helped solve the token issue on my test lab.
dolibarr solution... mv to trash
Bug
With reference to the bug report: #16085 (comment)
Here now a follow-up on the V13 incompatibility with additional modules not prepared for V13.
Expected and actual behavior
In contrast to former Dolibarr versions, V13 no longer tolerates installing and activating additional modules not prepared for V13.
They are not only not accepted; they crash the site with the message "Security Token expired". It is then no longer possible to change anything at the site, not even deactivating the modules via the UI.
Steps to reproduce the behavior
I installed a V13 version from scratch and added an additional module with max. version V12 (in this case the DropDown Menu). It was possible, but after the module was enabled it was no longer possible to add or remove any module (not even the V13 built-in modules). The same is happening with other additional modules not yet ready for V13.
For now this bug can only be resolved by deleting the modules' entries at database level (e.g. via phpMyAdmin).
I see it as essential that either the code of V13 does not allow activating additional modules not compatible with V13, and/or gives an explicit warning to the user that only own or purchased modules from Dolistore compatible with v13 can be activated.