fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-368 Security Avoid the problem of overwriting session data opening multiple browser tabs or multiple browser instances

Browse Source 
up observations

active or desactive block tab
This commit is contained in:
Ronald Q
2016-03-08 18:37:38 -04:00
parent 5af732c912
commit 00885f541e
16 changed files with 177 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
gulliver/system/class.headPublisher.php
View File

@@ -330,6 +330,8 @@ class headPublisher
$head = "";
$head = $head . " <script type=\"text/javascript\" src=\"" . G::browserCacheFilesUrl("/js/ext/ext-base.js") . "\"></script>\n";
$head = $head . " <script type=\"text/javascript\" src=\"" . G::browserCacheFilesUrl("/js/ext/ext-all.js") . "\"></script>\n";
$head = $head . " <script type=\"text/javascript\" src=\"" . G::browserCacheFilesUrl("/jscore/src/PM.js") . "\"></script>\n";
$head = $head . " <script type=\"text/javascript\" src=\"" . G::browserCacheFilesUrl("/jscore/src/Sessions.js") . "\"></script>\n";
if (SYS_LANG != 'en') {
$tempLang = str_replace('-', '_', SYS_LANG);

5
workflow/engine/js/src/PM.js Normal file
View File

@@ -0,0 +1,5 @@
var PM = PM || {};
(function() {
PM.version = '3.0.1.8';
}());

3
workflow/engine/js/src/Register.js Normal file
View File

@@ -0,0 +1,3 @@
PM.Sessions.register();
localStorage.setItem('ID_BLOCKER_MSG', PM.Sessions.getCookie('PM-Warning'));

118
workflow/engine/js/src/Sessions.js Normal file
View File

@@ -0,0 +1,118 @@
PM.Sessions = (function () {
var Sessions = function () {
if (window.location.pathname.indexOf("login") === -1 &&
window.location.pathname.indexOf("sysLogin") === -1 &&
this.getCookie('PM-TabPrimary') != 101010010) {
this.checkTab();
}
};
Sessions.prototype.register = function () {
window.name = this.getCookie('PM-TabPrimary');
};
Sessions.prototype.checkTab = function () {
var ieVersion,
msg;
if (parent.parent.parent.window.name !== this.getCookie('PM-TabPrimary') && parent.parent.parent.window.name.indexOf(this.getCookie('PM-TabPrimary')) === -1 ) {
ieVersion = this.detectBrowser();
msg = this.getLabel('ID_BLOCKER_MSG');
if (ieVersion && ieVersion <= 11) {
window.open('', '_self', '');
window.document.execCommand('Stop');
if (confirm(msg)) {
window.close();
}
} else if (ieVersion && ieVersion <= 12) {
window.open('', '_self', '');
window.document.execCommand('Stop');
if (confirm(msg)) {
window.close();
}
} else {
window.open('', '_self', '');
window.stop();
if (confirm(msg)) {
window.close();
}
}
}
};
Sessions.prototype.detectBrowser = function() {
var ua = window.navigator.userAgent,
msie = ua.indexOf('MSIE '),
trident = ua.indexOf('Trident/'),
edge = ua.indexOf('Edge/');
// Test values; Uncomment to check result …
// IE 10
// ua = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)';
// IE 11
// ua = 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko';
// IE 12 / Spartan
// ua = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0';
// Edge (IE 12+)
// ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586';
if (msie > 0) {
// IE 10 or older => return version number
return parseInt(ua.substring(msie + 5, ua.indexOf('.', msie)), 10);
}
if (trident > 0) {
// IE 11 => return version number
var rv = ua.indexOf('rv:');
return parseInt(ua.substring(rv + 3, ua.indexOf('.', rv)), 10);
}
if (edge > 0) {
// Edge (IE 12+) => return version number
return parseInt(ua.substring(edge + 5, ua.indexOf('.', edge)), 10);
}
// other browser
return false;
};
Sessions.prototype.getCookie = function (cname) {
var name = cname + "=",
c,
ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
c = ca[i];
while (c.charAt(0) == ' ') c = c.substring(1);
if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
}
return "";
};
Sessions.prototype.createCookie = function(name, value, days) {
var date,
expires;
if (days) {
date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
expires = "; expires="+date.toGMTString();
} else {
expires = "";
}
document.cookie = name+"="+value+expires+"; path=/";
};
Sessions.prototype.eraseCookie = function(name) {
this.createCookie(name,"",-1);
};
Sessions.prototype.setLabel = function(nameLabel) {
localStorage.setItem(nameLabel, _(nameLabel));
};
Sessions.prototype.getLabel = function(nameLabel) {
return localStorage.getItem(nameLabel);
};
return new Sessions();
})();

3
workflow/engine/methods/cases/main.php
View File

@@ -31,5 +31,8 @@ $_POST['qs'] = isset( $_SERVER['QUERY_STRING'] ) && $_SERVER['QUERY_STRING'] !=
$G_PUBLISH = new Publisher();
$G_PUBLISH->AddContent( 'view', 'cases/cases_Load' );
$oHeadPublisher = & headPublisher::getSingleton();
$oHeadPublisher->addScriptFile('/jscore/src/PM.js');
$oHeadPublisher->addScriptFile('/jscore/src/Sessions.js');
G::RenderPage( 'publish' );

6
workflow/engine/methods/login/authentication.php
View File

@@ -412,6 +412,12 @@ try {
die;
}
$configS = System::getSystemConfiguration('', '', SYS_SYS);
$activeSession = array_key_exists('session_block', $configS) ? !(int)$configS['session_block']:true;
if ($activeSession){
setcookie("PM-TabPrimary", 101010010, time() + (24 * 60 * 60), '/');
}
$oHeadPublisher = &headPublisher::getSingleton();
$oHeadPublisher->extJsInit = true;

6
workflow/engine/methods/login/login.php
View File

@@ -338,7 +338,13 @@ $flagForgotPassword = isset($oConf->aConfig['login_enableForgotPassword'])
? $oConf->aConfig['login_enableForgotPassword']
: 'off';
setcookie('PM-Warning', trim(G::LoadTranslation('ID_BLOCKER_MSG'),'*'), time() + (24 * 60 * 60), SYS_CURRENT_URI);
setcookie("PM-TabPrimary", uniqid(), time() + (24 * 60 * 60), '/');
$oHeadPublisher->addScriptCode("var flagForgotPassword = '$flagForgotPassword';");
$oHeadPublisher->addScriptFile('/jscore/src/PM.js');
$oHeadPublisher->addScriptFile('/jscore/src/Sessions.js');
$oHeadPublisher->addScriptFile('/jscore/src/Register.js');
G::RenderPage('publish');

6
workflow/engine/methods/login/sysLogin.php
View File

@@ -177,6 +177,12 @@ switch (WS_IN_LOGIN) {
$fileLogin = 'login/sysLogin';
break;
}
setcookie("PM-Warning", trim(G::LoadTranslation('ID_BLOCKER_MSG'),'*'), time() + (24 * 60 * 60), SYS_CURRENT_URI);
setcookie("PM-TabPrimary", uniqid(), time() + (24 * 60 * 60), '/');
$oHeadPublisher = & headPublisher::getSingleton();
$oHeadPublisher->addScriptFile('/jscore/src/PM.js');
$oHeadPublisher->addScriptFile('/jscore/src/Sessions.js');
$oHeadPublisher->addScriptFile('/jscore/src/Register.js');
$G_PUBLISH->AddContent ('xmlform', 'xmlform', $fileLogin, '', $aField, 'sysLogin');
G::RenderPage ("publish");

5
workflow/engine/methods/processes/main.php
View File

@@ -48,8 +48,9 @@ $G_ID_MENU_SELECTED = 'PROCESSES';
$G_ID_SUB_MENU_SELECTED = '-';
$G_PUBLISH = new Publisher();
// $oHeadPublisher = & headPublisher::getSingleton();
//$oHeadPublisher->addScriptFile('/jscore/processes/main.js');
$oHeadPublisher = & headPublisher::getSingleton();
$oHeadPublisher->addScriptFile('/jscore/src/PM.js');
$oHeadPublisher->addScriptFile('/jscore/src/Sessions.js');
$G_PUBLISH->AddContent( 'view', 'processes/mainLoad' );
if (isset( $_GET['type'] ))

6
workflow/engine/templates/cases/casesList.js
View File

@@ -80,7 +80,8 @@ function caseNotes(){
}
function openCase(){
var rowModel = grid.getSelectionModel().getSelected();
var rowModel = grid.getSelectionModel().getSelected(),
nameTab;
if(rowModel){
var appUid = rowModel.data.APP_UID;
var delIndex = rowModel.data.DEL_INDEX;
@@ -134,7 +135,8 @@ function openCase(){
if(casesNewTab) {
casesNewTab.close();
}
casesNewTab = window.open(requestFile + '?' + params);
nameTab = PM.Sessions.getCookie('PM-TabPrimary') + '_openCase';
casesNewTab = window.open(requestFile + '?' + params, nameTab);
} else {
redirect(requestFile + '?' + params);
}

8
workflow/engine/templates/cases/casesListConsolidated.js
View File

@@ -262,7 +262,9 @@ function openCase(){
if(newCaseNewTab) {
newCaseNewTab.close();
}
newCaseNewTab = window.open(requestFile + '?' + params);
newCaseNewTab.name = PM.Sessions.getCookie('PM-TabPrimary');
} else {
redirect(requestFile + '?' + params);
}
@@ -278,7 +280,8 @@ function jumpToCase(appNumber){
Ext.Ajax.request({
url: 'cases_Ajax',
success: function(response) {
var res = Ext.decode(response.responseText);
var res = Ext.decode(response.responseText),
nameTab;
if (res.exists === true) {
params = 'APP_NUMBER=' + appNumber;
params += '&action=jump';
@@ -287,7 +290,8 @@ function jumpToCase(appNumber){
if(newCaseNewTab) {
newCaseNewTab.close();
}
newCaseNewTab = window.open(requestFile + '?' + params);
nameTab = PM.Sessions.getCookie('PM-TabPrimary') + '_openCase';
newCaseNewTab = window.open(requestFile + '?' + params, nameTab);
} else {
redirect(requestFile + '?' + params);
}

5
workflow/engine/templates/cases/casesStartCase.js
View File

@@ -461,7 +461,7 @@ function openCaseA(n){
taskId : n.attributes.tas_uid
},
success : function(response) {
var nameTab;
try {
var res = Ext.util.JSON.decode(response.responseText);
if (res.openCase) {
@@ -469,7 +469,8 @@ function openCaseA(n){
if(newCaseNewTab) {
newCaseNewTab.close();
}
newCaseNewTab = window.open(res.openCase.PAGE);
nameTab = PM.Sessions.getCookie('PM-TabPrimary') + '_openCase';
newCaseNewTab = window.open(res.openCase.PAGE, nameTab);
} else {
window.location = res.openCase.PAGE;
}

2
workflow/engine/templates/cases/cases_Load.php
View File

@@ -56,4 +56,6 @@ $_POST['qs'] = $filter->xssFilterHard($_POST['qs']);
}
}
</script>
<SCRIPT src="/jscore/src/PM.js" type=text/javascript></SCRIPT>
<SCRIPT src="/jscore/src/Sessions.js" type=text/javascript></SCRIPT>
</html>

3
workflow/engine/templates/designer/index.html
View File

@@ -184,5 +184,6 @@
<div class="head"></div>
</div>
</section>
<SCRIPT src="/jscore/src/PM.js" type=text/javascript></SCRIPT>
<SCRIPT src="/jscore/src/Sessions.js" type=text/javascript></SCRIPT>
</body>

6
workflow/engine/templates/processes/main.js
View File

@@ -1847,6 +1847,7 @@ Ext.EventManager.on(window, 'beforeunload', function () {
function openWindowIfIE(pathDesigner) {
var nameTab;
if ((navigator.userAgent.indexOf("MSIE") != -1) || (navigator.userAgent.indexOf("Trident") != -1)) {
if (Ext.getCmp('newProjectWin'))
Ext.getCmp('newProjectWin').close();
@@ -1861,14 +1862,15 @@ function openWindowIfIE(pathDesigner) {
if (Ext.getCmp('changeOrKeepUidsWindow'))
Ext.getCmp('changeOrKeepUidsWindow').close();
processesGrid.store.reload();
nameTab = PM.Sessions.getCookie('PM-TabPrimary') + '_winDesigner';
if (winDesigner && winDesigner.closed === false) {
if (winDesigner.window.PMDesigner.project.isDirty()) {
Ext.Msg.alert(_('ID_REFRESH_LABEL'), _('ID_UNSAVED_TRIGGERS_WINDOW'));
} else {
winDesigner = window.open(pathDesigner, 'winDesigner');
winDesigner = window.open(pathDesigner, nameTab);
}
} else {
winDesigner = window.open(pathDesigner, 'winDesigner');
winDesigner = window.open(pathDesigner, nameTab);
}
return;
}

3
workflow/engine/templates/processes/mainLoad.php
View File

@@ -66,4 +66,7 @@
}
}
</script>
<SCRIPT src="/jscore/src/PM.js" type=text/javascript></SCRIPT>
<SCRIPT src="/jscore/src/Sessions.js" type=text/javascript></SCRIPT>
</html>