PMCORE-651 Web entry data is insecure because the Guest user's session overwrites the one of the user currently logged

2021-03-02 13:17:37 -04:00
parent d1f61a99fe
commit 838c2b3a32
6 changed files with 86 additions and 0 deletions
--- a/workflow/engine/content/translations/english/processmaker.en.po
+++ b/workflow/engine/content/translations/english/processmaker.en.po
@@ -4931,6 +4931,12 @@ msgstr "Continue"
 msgid "Continue with option"
 msgstr "Continue with option"

+# TRANSLATION
+# LABEL/ID_CONTINUE_WITH_THE_SESSION
+#: LABEL/ID_CONTINUE_WITH_THE_SESSION
+msgid "continue with the session"
+msgstr "continue with the session"
+
 # TRANSLATION
 # LABEL/ID_CONVERT_NATIVE_REP_TABLE
 #: LABEL/ID_CONVERT_NATIVE_REP_TABLE
@@ -9557,6 +9563,12 @@ msgstr "Syncing Users"
 msgid "Has been deleted"
 msgstr "Has been deleted"

+# TRANSLATION
+# LABEL/ID_HAVE_AN_ACTIVE_SESSION_PLEASE_SELECT_ONE_OPTION
+#: LABEL/ID_HAVE_AN_ACTIVE_SESSION_PLEASE_SELECT_ONE_OPTION
+msgid "You have an active ProcessMaker session with user \"{0}\". Please select one of the options:"
+msgstr "You have an active ProcessMaker session with user \"{0}\". Please select one of the options:"
+
 # TRANSLATION
 # LABEL/ID_HEADER_ALIGN
 #: LABEL/ID_HEADER_ALIGN
@@ -11249,6 +11261,12 @@ msgstr "Logo"
 msgid "Logout"
 msgstr "Logout"

+# TRANSLATION
+# LABEL/ID_LOGOUT_FROM_THE_ACTIVE_SESSION
+#: LABEL/ID_LOGOUT_FROM_THE_ACTIVE_SESSION
+msgid "logout from the active session"
+msgstr "logout from the active session"
+
 # TRANSLATION
 # LABEL/ID_LOGS
 #: LABEL/ID_LOGS
@@ -20813,6 +20831,12 @@ msgstr "Started by Me"
 msgid "Unread"
 msgstr "Unread"

+# TRANSLATION
+# LABEL/ID_OR
+#: LABEL/ID_OR
+msgid "or"
+msgstr "or"
+
 # TRANSLATION
 # LABEL/ID_ORIENTATION
 #: LABEL/ID_ORIENTATION
--- a/workflow/engine/data/mysql/insert.sql
+++ b/workflow/engine/data/mysql/insert.sql
@@ -57640,6 +57640,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE
 ( 'LABEL','ID_CONTACT_ADMIN','en','Please contact your system administrator','2014-01-15') ,
 ( 'LABEL','ID_CONTINUE','en','Continue','2014-01-15') ,
 ( 'LABEL','ID_CONTINUE_WITH_OPTION','en','Continue with option','2014-01-15') ,
+( 'LABEL','ID_CONTINUE_WITH_THE_SESSION','en','continue with the session','2020-09-14') ,
 ( 'LABEL','ID_CONVERT_NATIVE_REP_TABLE','en','Convert to native Report Table','2014-01-15') ,
 ( 'LABEL','ID_CONVERT_SIMPLE_REPORT','en','Convert to Simple Report','2014-01-15') ,
 ( 'LABEL','ID_COPY','en','Copy','2014-01-15') ,
@@ -58441,6 +58442,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE
 ( 'LABEL','ID_G_SUITE_LOAD_GROUPS','en','Update G Suite groups','2018-09-21') ,
 ( 'LABEL','ID_G_SUITE_SYNC_USERS','en','Syncing Users','2018-09-21') ,
 ( 'LABEL','ID_HAS_BEEN_DELETED','en','Has been deleted','2014-01-15') ,
+( 'LABEL','ID_HAVE_AN_ACTIVE_SESSION_PLEASE_SELECT_ONE_OPTION','en','You have an active ProcessMaker session with user "{0}". Please select one of the options:','2020-09-14') ,
 ( 'LABEL','ID_HEADER_ALIGN','en','Align','2014-01-15') ,
 ( 'LABEL','ID_HEADER_FIELD_NAME','en','Field Name','2014-01-15') ,
 ( 'LABEL','ID_HEADER_FIELD_TYPE','en','Field Type','2014-01-15') ,
@@ -58732,6 +58734,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE
 ( 'LABEL','ID_LOGIN_WITH_FACEBOOK','en','Login with Facebook!!','2014-01-15') ,
 ( 'LABEL','ID_LOGO','en','Logo','2014-01-15') ,
 ( 'LABEL','ID_LOGOUT','en','Logout','2014-01-15') ,
+( 'LABEL','ID_LOGOUT_FROM_THE_ACTIVE_SESSION','en','logout from the active session','2020-09-14') ,
 ( 'LABEL','ID_LOGS','en','Logs','2014-01-15') ,
 ( 'LABEL','ID_LOG_AGAIN','en','Please login again to apply the changes.','2014-01-15') ,
 ( 'LABEL','ID_LOG_CASE_SCHEDULER','en','Case Scheduler Log','2014-01-15') ,
@@ -60364,6 +60367,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE

 ( 'LABEL','ID_OPT_STARTED','en','Started by Me','2014-01-15') ,
 ( 'LABEL','ID_OPT_UNREAD','en','Unread','2014-01-15') ,
+( 'LABEL','ID_OR','en','or','2020-09-14') ,
 ( 'LABEL','ID_ORIENTATION','en','Orientation','2014-01-15') ,
 ( 'LABEL','ID_ORIGIN','en','Origin','2014-01-15') ,
 ( 'LABEL','ID_ORIGIN_TASK','en','Origin Task','2014-01-15') ,
--- a/workflow/engine/methods/login/checkContinueOrCloseSession.php
+++ b/workflow/engine/methods/login/checkContinueOrCloseSession.php
@@ -0,0 +1,11 @@
+<?php
+
+if (!empty($_POST['form'])) {
+    if (!empty($_POST['form']['buttonContinue'])) {
+        $_SESSION['__WEBENTRYCONTINUE__'] = true;
+    }
+    if (!empty($_POST['form']['buttonLogout'])) {
+        $_SESSION = [];
+    }
+    G::header('Location: ' . $_SERVER['HTTP_REFERER']);
+}
--- a/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
@@ -4,9 +4,11 @@ namespace ProcessMaker\BusinessModel;
 use AppSequence;
 use Cases;
 use Criteria;
+use G;
 use Illuminate\Support\Facades\DB;
 use ProcessMaker\Core\System;
 use ProcessMaker\Model\Application;
+use Publisher;
 use ResultSet;
 use WebEntryPeer;

@@ -1099,6 +1101,15 @@ class WebEntry
     */
    public function isWebEntryOne($weUid)
    {
+        if (!empty($_SESSION['USER_LOGGED']) && empty($_SESSION['__WEBENTRYCONTINUE__'])) {
+            global $G_PUBLISH;
+            $G_PUBLISH = new Publisher();
+            $G_PUBLISH->AddContent('xmlform', 'xmlform', 'login/checkContinueOrCloseSession', '', [], SYS_URI . 'login/checkContinueOrCloseSession');
+            G::RenderPage('publish', 'blank');
+            exit();
+        }
+        unset($_SESSION['__WEBENTRYCONTINUE__']);
+
        $webEntry = WebEntryPeer::retrieveByPK($weUid);
        return $webEntry->getWeType() === 'SINGLE'
            && $webEntry->getWeAuthentication() === 'ANONYMOUS'
--- a/workflow/engine/xmlform/login/checkContinueOrCloseSession.html
+++ b/workflow/engine/xmlform/login/checkContinueOrCloseSession.html
@@ -0,0 +1,31 @@
+<script type="text/javascript">
+</script>
+<div class="panel-default">
+    <p>{php}echo G::LoadTranslation('ID_HAVE_AN_ACTIVE_SESSION_PLEASE_SELECT_ONE_OPTION',[$_SESSION['USR_USERNAME']]);{/php}</p>
+</div>
+<form id="{$form_id}" 
+      method="post" 
+      enctype="multipart/form-data" 
+      action="{$form_action}" 
+      class="form-signin" 
+      style="margin:0px;" 
+      accept-charset="UTF-8" 
+      role="form">
+    <input style="" 
+           class="module_app_button___gray" 
+           id="form[buttonContinue]" 
+           name="form[buttonContinue]" 
+           type="submit" 
+           value="{php}echo G::LoadTranslation('ID_CONTINUE_WITH_THE_SESSION');{/php}" />
+    {php}echo G::LoadTranslation('ID_OR');{/php}
+    <input style="" 
+           class="module_app_button___gray" 
+           id="form[buttonLogout]" 
+           name="form[buttonLogout]" 
+           type="submit" 
+           value="{php}echo G::LoadTranslation('ID_LOGOUT_FROM_THE_ACTIVE_SESSION');{/php}" />
+</form>
+<script src="/lib/pmdynaform/libs/respondjs/respond.min.js">
+</script>
+<script src="/lib/pmdynaform/libs/html5shiv/html5shiv.js">
+</script>
--- a/workflow/engine/xmlform/login/checkContinueOrCloseSession.xml
+++ b/workflow/engine/xmlform/login/checkContinueOrCloseSession.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dynaForm type="xmlform" 
+          name="login/checkContinueOrCloseSession" 
+          enabletemplate="1">
+</dynaForm>