From 972d7b0b359b83563f7eaae9e73f4e37015d348d Mon Sep 17 00:00:00 2001 
From: Brady Miller Date: Sat, 13 Oct 2018 19:23:52 -0700 Subject: [PATCH] bug fix march continued (#1921) --- contrib/forms/body_composition/new.php | 2 +- contrib/forms/body_composition/view.php | 2 +- contrib/forms/clinical_notes/new.php | 2 +- contrib/forms/clinical_notes/view.php | 2 +- contrib/forms/contacts/save.php | 2 +- contrib/forms/evaluation/save.php | 2 +- contrib/util/de_identification_upgrade.php | 2 +- custom/ajax_download.php | 2 +- custom/chart_tracker.php | 4 +- custom/download_qrda.php | 2 +- custom/export_qrda_xml.php | 2 +- custom/export_registry_xml.php | 2 +- custom/import_xml.php | 2 +- custom/qrda_download.php | 2 +- interface/batchcom/batchEmail.php | 2 +- interface/batchcom/batchPhoneList.php | 2 +- interface/batchcom/batchcom.php | 2 +- interface/batchcom/emailnotification.php | 2 +- interface/batchcom/settingsnotification.php | 2 +- interface/batchcom/smsnotification.php | 2 +- interface/billing/billing_process.php | 2 +- interface/billing/billing_report.php | 12 +- interface/billing/edih_main.php | 4 +- interface/billing/era_payments.php | 4 +- interface/billing/get_claim_file.php | 2 +- interface/billing/indigent_patients_report.php | 2 +- interface/billing/sl_eob_invoice.php | 2 +- interface/billing/sl_eob_patient_note.php | 2 +- interface/billing/sl_eob_process.php | 2 +- interface/billing/sl_eob_search.php | 12 +- interface/billing/sl_receipts_report.php | 2 +- interface/cmsportal/list_requests.php | 2 +- interface/cmsportal/patient_select.php | 2 +- .../de_identification_screen2.php | 2 +- .../de_identification_forms/find_code_popup.php | 2 +- .../de_identification_forms/find_drug_popup.php | 2 +- .../find_immunization_popup.php | 2 +- .../re_identification_op_single_patient.php | 2 +- interface/drugs/add_edit_drug.php | 4 +- interface/drugs/add_edit_lot.php | 2 +- interface/drugs/destroy_lot.php | 2 +- interface/expand_contract_js.php | 20 +++- interface/fax/fax_dispatch.php | 6 +- interface/fax/fax_dispatch_newpid.php | 2 +- 
interface/fax/fax_view.php | 2 +- interface/forms/CAMOS/admin.php | 4 +- interface/forms/CAMOS/ajax_save.php | 2 +- interface/forms/CAMOS/notegen.php | 2 +- interface/forms/CAMOS/rx_print.php | 4 +- interface/forms/CAMOS/save.php | 2 +- interface/forms_admin/forms_admin.php | 10 +- interface/language/lang_constant.php | 2 +- interface/language/lang_definition.php | 4 +- interface/language/lang_language.php | 2 +- interface/language/lang_manage.php | 2 +- interface/language/language.php | 2 +- interface/logview/erx_logview.php | 6 +- interface/logview/logview.php | 2 +- interface/main/authorizations/authorizations.php | 2 +- .../main/authorizations/authorizations_full.php | 2 +- interface/main/dated_reminders/dated_reminders.php | 2 +- .../main/dated_reminders/dated_reminders_add.php | 4 +- .../main/dated_reminders/dated_reminders_log.php | 2 +- interface/main/finder/dynamic_finder.php | 40 +++++-- interface/main/finder/dynamic_finder_ajax.php | 24 ++-- interface/main/finder/finder_navigation.php | 70 ----------- interface/main/finder/multi_patients_finder.php | 29 +++-- .../main/finder/multi_patients_finder_ajax.php | 7 +- interface/main/finder/patient_finder.php | 27 ----- interface/main/finder/patient_select.php | 121 ++++++++++--------- interface/main/left_nav.php | 11 +- interface/main/main_screen.php | 7 +- interface/main/messages/messages.php | 30 ++--- interface/new/new_comprehensive.php | 2 +- interface/new/new_navigation.php | 42 ------- interface/new/new_patient.php | 29 ----- interface/new/new_title.php | 32 ----- interface/orders/patient_match_dialog.php | 1 + interface/orders/pending_followup.php | 4 +- interface/orders/pending_orders.php | 4 +- interface/orders/procedure_stats.php | 2 +- interface/patient_file/deleter.php | 2 +- interface/patient_file/encounter/diagnosis.php | 2 +- .../patient_file/encounter/diagnosis_full.php | 2 +- interface/patient_file/encounter/search_code.php | 4 +- interface/patient_file/summary/demographics.php | 24 +++- 
interface/patient_tracker/patient_tracker.php | 1 + interface/reports/cqm.php | 10 +- interface/super/edit_globals.php | 6 +- interface/super/edit_layout.php | 16 +-- interface/super/edit_layout_props.php | 2 +- interface/super/layout_listitems_ajax.php | 2 +- interface/super/layout_service_codes.php | 2 +- interface/super/load_codes.php | 2 +- interface/super/manage_document_templates.php | 6 +- interface/super/manage_site_files.php | 6 +- interface/usergroup/admin_frameset.php | 27 ----- interface/usergroup/mfa_registrations.php | 2 +- interface/usergroup/mfa_u2f.php | 2 +- interface/usergroup/usergroup.php | 61 ---------- interface/usergroup/usergroup_navigation.php | 133 --------------------- interface/usergroup/usergroup_title.php | 31 ----- library/ajax/addlistitem.php | 2 +- library/ajax/adminacl_ajax.php | 4 +- library/ajax/ccr_import_ajax.php | 2 +- library/ajax/code_attributes_ajax.php | 2 +- library/ajax/offsite_portal_ajax.php | 2 +- library/ajax/user_settings.php | 26 ++-- library/log_validation.php | 2 +- library/sanitize.inc.php | 11 ++ library/user.inc | 21 ++-- 111 files changed, 370 insertions(+), 723 deletions(-) delete mode 100644 interface/main/finder/finder_navigation.php delete mode 100644 interface/main/finder/patient_finder.php delete mode 100644 interface/new/new_navigation.php delete mode 100644 interface/new/new_patient.php delete mode 100644 interface/new/new_title.php delete mode 100644 interface/usergroup/admin_frameset.php delete mode 100644 interface/usergroup/usergroup.php delete mode 100644 interface/usergroup/usergroup_navigation.php delete mode 100644 interface/usergroup/usergroup_title.php diff --git a/contrib/forms/body_composition/new.php b/contrib/forms/body_composition/new.php index 206af8fa7..9e2c96704 100644 --- a/contrib/forms/body_composition/new.php +++ b/contrib/forms/body_composition/new.php 
@@ -57,7 +57,7 @@ $formid = $_GET['id']; // if ($_POST['bn_save']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // If updating an existing form... diff --git a/contrib/forms/body_composition/view.php b/contrib/forms/body_composition/view.php index b08c3f8ba..92a8642d9 100644 --- a/contrib/forms/body_composition/view.php +++ b/contrib/forms/body_composition/view.php @@ -58,7 +58,7 @@ $formid = $_GET['id']; // if ($_POST['bn_save']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // If updating an existing form... diff --git a/contrib/forms/clinical_notes/new.php b/contrib/forms/clinical_notes/new.php index 6070ff607..79929d3cb 100644 --- a/contrib/forms/clinical_notes/new.php +++ b/contrib/forms/clinical_notes/new.php @@ -84,7 +84,7 @@ $formid = $_GET['id']; if ($_POST['bn_save']) { $fu_timing = $_POST['fu_timing']; if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // If updating an existing form... diff --git a/contrib/forms/clinical_notes/view.php b/contrib/forms/clinical_notes/view.php index 920d1ef51..f249aeee4 100644 --- a/contrib/forms/clinical_notes/view.php +++ b/contrib/forms/clinical_notes/view.php @@ -84,7 +84,7 @@ $formid = $_GET['id']; if ($_POST['bn_save']) { $fu_timing = $_POST['fu_timing']; if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // If updating an existing form... diff --git a/contrib/forms/contacts/save.php b/contrib/forms/contacts/save.php index d36257aca..2e841cc02 100644 --- a/contrib/forms/contacts/save.php +++ b/contrib/forms/contacts/save.php @@ -5,7 +5,7 @@ require_once("$srcdir/api.inc"); require_once("$srcdir/forms.inc"); if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($encounter == "") { 
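Review bot: Every call site in this commit relies on `csrfNotVerified()` never returning, because the `die(xlt('Authentication Error'))` it replaces stopped the script and nothing after the `if` block re-checks the token; the helper lives in library/sanitize.inc.php, which is outside this chunk, so please confirm it ends in `exit` (or throws) rather than only printing a message. If it can return, the write that follows each check runs with an unverified token (the form update here, the `sqlQuery`/`sqlStatement` calls in the add_edit_drug, add_edit_lot and destroy_lot hunks). The same replacement is made in the other contrib/forms, interface/batchcom, interface/billing, interface/fax, interface/forms/CAMOS, interface/forms_admin, interface/language, interface/main/authorizations, dated_reminders and de_identification_forms hunks. A one-line comment at the helper's definition, `// Must never return: callers do not re-check after calling this.`, would pin the contract where the next maintainer edits it. The enclosing `if ($_POST['bn_save'])` block continues past the hunk.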
diff --git a/contrib/forms/evaluation/save.php b/contrib/forms/evaluation/save.php index 9633ec3d5..a7c469fcb 100644 --- a/contrib/forms/evaluation/save.php +++ b/contrib/forms/evaluation/save.php @@ -4,7 +4,7 @@ require_once("$srcdir/api.inc"); require("C_FormEvaluation.class.php"); if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $c = new C_FormEvaluation(); diff --git a/contrib/util/de_identification_upgrade.php b/contrib/util/de_identification_upgrade.php index 50067e401..849f0c2fa 100644 --- a/contrib/util/de_identification_upgrade.php +++ b/contrib/util/de_identification_upgrade.php @@ -157,7 +157,7 @@ closedir($dh); diff --git a/interface/batchcom/batchPhoneList.php b/interface/batchcom/batchPhoneList.php index 90acba305..7d78f1c18 100644 --- a/interface/batchcom/batchPhoneList.php +++ b/interface/batchcom/batchPhoneList.php @@ -17,7 +17,7 @@ require_once("../globals.php"); use OpenEMR\Core\Header; if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } ?> diff --git a/interface/batchcom/batchcom.php b/interface/batchcom/batchcom.php index 134c52c44..52233a56f 100644 --- a/interface/batchcom/batchcom.php +++ b/interface/batchcom/batchcom.php @@ -35,7 +35,7 @@ $sort_by_choices = array(xl('Zip Code')=>'patient_data.postal_code', xl('Last Na // process form if ($_POST['form_action']=='process') { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } //validation uses the functions in batchcom.inc.php diff --git a/interface/batchcom/emailnotification.php b/interface/batchcom/emailnotification.php index 7d1eb452c..ec319376f 100755 --- a/interface/batchcom/emailnotification.php +++ b/interface/batchcom/emailnotification.php 
@@ -37,7 +37,7 @@ $email_subject = "Welcome to EMR Group"; // process form if ($_POST['form_action']=='save') { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } //validation uses the functions in notification.inc.php diff --git a/interface/batchcom/settingsnotification.php b/interface/batchcom/settingsnotification.php index 163645d1d..4de902a4d 100755 --- a/interface/batchcom/settingsnotification.php +++ b/interface/batchcom/settingsnotification.php @@ -28,7 +28,7 @@ if (!acl_check('admin', 'notification')) { // process form if ($_POST['form_action']=='save') { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($_POST['Send_SMS_Before_Hours']=="") { diff --git a/interface/batchcom/smsnotification.php b/interface/batchcom/smsnotification.php index ff5480634..68182b8c6 100755 --- a/interface/batchcom/smsnotification.php +++ b/interface/batchcom/smsnotification.php @@ -36,7 +36,7 @@ $message="Welcome to EMR Group"; // process form if ($_POST['form_action']=='save') { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } //validation uses the functions in notification.inc.php diff --git a/interface/billing/billing_process.php b/interface/billing/billing_process.php index c6301a25e..32b401ede 100644 --- a/interface/billing/billing_process.php +++ b/interface/billing/billing_process.php @@ -33,7 +33,7 @@ require_once("$srcdir/gen_x12_837.inc.php"); require_once("$srcdir/gen_hcfa_1500.inc.php"); if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($GLOBALS['ub04_support']) { diff --git a/interface/billing/billing_report.php b/interface/billing/billing_report.php index 5b0c5c706..3034fc3c8 100644 --- a/interface/billing/billing_report.php +++ b/interface/billing/billing_report.php 
@@ -47,7 +47,7 @@ $alertmsg = ''; if (isset($_POST['mode'])) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($_POST['mode'] == 'export') { @@ -412,9 +412,9 @@ $oauthorized = $my_authorized; diff --git a/interface/billing/edih_main.php b/interface/billing/edih_main.php index f0d0b3a85..777f25401 100644 --- a/interface/billing/edih_main.php +++ b/interface/billing/edih_main.php @@ -142,7 +142,7 @@ if (count($_POST)) { */ if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // @@ -190,7 +190,7 @@ if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') { // } elseif (strtolower($_SERVER['REQUEST_METHOD']) == 'get') { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // diff --git a/interface/billing/era_payments.php b/interface/billing/era_payments.php index bedfd1a6a..d65dd6bbf 100644 --- a/interface/billing/era_payments.php +++ b/interface/billing/era_payments.php @@ -70,7 +70,7 @@ function era_callback(&$out) // Handle X12 835 file upload. if ($_FILES['form_erafile']['size']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $tmp_name = $_FILES['form_erafile']['tmp_name']; @@ -251,7 +251,7 @@ if ($_FILES['form_erafile']['size']) {
diff --git a/interface/billing/get_claim_file.php b/interface/billing/get_claim_file.php index 9b2069434..976cd6099 100644 --- a/interface/billing/get_claim_file.php +++ b/interface/billing/get_claim_file.php @@ -14,7 +14,7 @@ require_once(dirname(__FILE__) . "/../globals.php"); require_once $GLOBALS['OE_SITE_DIR'] . "/config.php"; if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $content_type = "text/plain"; diff --git a/interface/billing/indigent_patients_report.php b/interface/billing/indigent_patients_report.php index 3de24b812..0c0a13dd9 100644 --- a/interface/billing/indigent_patients_report.php +++ b/interface/billing/indigent_patients_report.php @@ -179,7 +179,7 @@ $form_end_date = (!empty($_POST['form_end_date'])) ? DateToYYYYMMDD($_POST['for " + } + ); } function npopup(pid) { @@ -884,7 +890,7 @@ if (($_REQUEST['form_print'] || $_REQUEST['form_download'] || $_REQUEST['form_em diff --git a/interface/cmsportal/list_requests.php b/interface/cmsportal/list_requests.php index 3b13d429f..fecd24679 100644 --- a/interface/cmsportal/list_requests.php +++ b/interface/cmsportal/list_requests.php @@ -152,7 +152,7 @@ function openRequest(postid, type) { // // To open results in the same frame: if (type.indexOf('Demographics') == 0) { - document.location.href = 'patient_select.php?postid=' + postid; + document.location.href = 'patient_select.php?postid=' + postid + '&csrf_token_form='; } else if (type.indexOf('Insurance') == 0) { document.location.href = 'insurance_form.php?postid=' + postid; diff --git a/interface/cmsportal/patient_select.php b/interface/cmsportal/patient_select.php index e6318437c..3b1208311 100644 --- a/interface/cmsportal/patient_select.php +++ b/interface/cmsportal/patient_select.php @@ -62,7 +62,7 @@ if ($postid) { cursor: pointer; } -.highlight { +.highlight { background-color: #336699; color: white; } 
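Review bot: In the list_requests.php hunk the CSRF token is appended to a GET URL (`'patient_select.php?postid=' + postid + '&csrf_token_form=…'`), which puts the token into browser history, server access logs and the Referer header of any outbound link on the target page, unlike the POST-body token most of the other hunks verify. The same URL placement is added in dynamic_finder.php (`sAjaxSource`), dynamic_finder_ajax.php, multi_patients_finder.php and the `multi_sel_patient` hunk of messages.php. Where the receiving script only reads, sending the token in a POST body or custom header avoids the leak; where GET is kept, a `Referrer-Policy: same-origin` response header limits where it travels. Separately, `postid` here and `$('#reply_to').val()` in messages.php are concatenated unencoded while the dynamic_finder hunk uses `encodeURIComponent(newpid)`; `'patient_select.php?postid=' + encodeURIComponent(postid) + '&csrf_token_form=…'` keeps the three consistent. The PHP echo that fills the token is blank in this view, so its JS-string escaping cannot be checked here.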
diff --git a/interface/de_identification_forms/de_identification_screen2.php b/interface/de_identification_forms/de_identification_screen2.php index 6c7cf46d2..32c716ae8 100644 --- a/interface/de_identification_forms/de_identification_screen2.php +++ b/interface/de_identification_forms/de_identification_screen2.php @@ -29,7 +29,7 @@ if (!acl_check('admin', 'super')) { } if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } /*executes the De Identification process, using the parameters chosen from the diff --git a/interface/de_identification_forms/find_code_popup.php b/interface/de_identification_forms/find_code_popup.php index 89565acca..c7c5cb1bb 100644 --- a/interface/de_identification_forms/find_code_popup.php +++ b/interface/de_identification_forms/find_code_popup.php @@ -170,7 +170,7 @@ if ($codetype) { diff --git a/interface/de_identification_forms/re_identification_op_single_patient.php b/interface/de_identification_forms/re_identification_op_single_patient.php index 4f261ad31..155b49c7b 100644 --- a/interface/de_identification_forms/re_identification_op_single_patient.php +++ b/interface/de_identification_forms/re_identification_op_single_patient.php @@ -27,7 +27,7 @@ if (!acl_check('admin', 'super')) { } if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $query = "SELECT status FROM re_identification_status"; diff --git a/interface/drugs/add_edit_drug.php b/interface/drugs/add_edit_drug.php index 95d307150..048771a78 100644 --- a/interface/drugs/add_edit_drug.php +++ b/interface/drugs/add_edit_drug.php @@ -142,7 +142,7 @@ function sel_related() { // if ($_POST['form_save']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $crow = sqlQuery( 
@@ -169,7 +169,7 @@ if ($_POST['form_save']) { if (($_POST['form_save'] || $_POST['form_delete']) && !$alertmsg) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $new_drug = false; diff --git a/interface/drugs/add_edit_lot.php b/interface/drugs/add_edit_lot.php index 2fd426193..cd499d4b7 100644 --- a/interface/drugs/add_edit_lot.php +++ b/interface/drugs/add_edit_lot.php @@ -201,7 +201,7 @@ if ($lot_id) { // if ($_POST['form_save'] || $_POST['form_delete']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $form_quantity = $_POST['form_quantity'] + 0; diff --git a/interface/drugs/destroy_lot.php b/interface/drugs/destroy_lot.php index 5191db1cd..ddc11f02a 100644 --- a/interface/drugs/destroy_lot.php +++ b/interface/drugs/destroy_lot.php @@ -69,7 +69,7 @@ td { font-size:10pt; } // if ($_POST['form_save']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } sqlStatement( diff --git a/interface/expand_contract_js.php b/interface/expand_contract_js.php index fd7ff49b3..6b01213bb 100644 --- a/interface/expand_contract_js.php +++ b/interface/expand_contract_js.php 
@@ -16,23 +16,35 @@ $( document ).ready(function() { var contractTitle = ''; var expandTitle = ''; var arrFiles = ; - + if (elementTitle == contractTitle) { elementTitle = expandTitle; $(this).toggleClass('fa-expand fa-compress'); $('.expandable').toggleClass('container container-fluid'); if ($(arrFiles).length) { $.each(arrFiles, function (index, value) { - $.post( "/library/ajax/user_settings.php", { target: arrFiles[index].trim(), setting: 0 }); + $.post( "/library/ajax/user_settings.php", + { + target: arrFiles[index].trim(), + setting: 0, + csrf_token_form: "" + } + ); }); - } + } } else if (elementTitle == expandTitle) { elementTitle = contractTitle; $(this).toggleClass('fa-compress fa-expand'); $('.expandable').toggleClass('container-fluid container'); if ($(arrFiles).length) { $.each(arrFiles, function (index, value) { - $.post( "/library/ajax/user_settings.php", { target: arrFiles[index].trim(), setting: 1 }); + $.post( "/library/ajax/user_settings.php", + { + target: arrFiles[index].trim(), + setting: 1, + csrf_token_form: "" + } + ); }); } } diff --git a/interface/fax/fax_dispatch.php b/interface/fax/fax_dispatch.php index 2050827a9..5385ce294 100644 --- a/interface/fax/fax_dispatch.php +++ b/interface/fax/fax_dispatch.php @@ -23,7 +23,7 @@ use OpenEMR\Core\Header; if ($_GET['file']) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $mode = 'fax'; @@ -35,7 +35,7 @@ if ($_GET['file']) { $filepath = $GLOBALS['hylafax_basedir'] . '/recvq/' . $filename; } else if ($_GET['scan']) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $mode = 'scan'; @@ -106,7 +106,7 @@ function mergeTiffs() // if ($_POST['form_save']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $action_taken = false; 
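Review bot: The two branches of the toggle now carry identical `$.post` blocks that differ only in `setting: 0` versus `setting: 1`, so the token literal is embedded twice and any later change to the endpoint or payload has to be made in both places. A small helper taking the setting value removes the duplication and lets the token be emitted once into a variable at the top of the handler instead of inside each object literal. The `$(document).ready` callback enclosing this code starts before the hunk. The PHP echoes that fill `arrFiles` and the token are blank in this view, so their escaping cannot be checked here.
```javascript
var csrfToken = ""; // constructed placeholder: token output as in the hunk (PHP echo not visible here)
// … unchanged: contractTitle / expandTitle / arrFiles setup …

function saveExpandSetting(setting) {
    $.each(arrFiles, function (index, value) {
        $.post("/library/ajax/user_settings.php", {
            target: value.trim(),
            setting: setting,
            csrf_token_form: csrfToken
        });
    });
}

if (elementTitle == contractTitle) {
    elementTitle = expandTitle;
    $(this).toggleClass('fa-expand fa-compress');
    $('.expandable').toggleClass('container container-fluid');
    if ($(arrFiles).length) {
        saveExpandSetting(0);
    }
} else if (elementTitle == expandTitle) {
    // … unchanged: toggles, then saveExpandSetting(1) in place of the second $.post …
}
```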
diff --git a/interface/fax/fax_dispatch_newpid.php b/interface/fax/fax_dispatch_newpid.php index c3e30ee5e..bf499a9a7 100644 --- a/interface/fax/fax_dispatch_newpid.php +++ b/interface/fax/fax_dispatch_newpid.php @@ -15,7 +15,7 @@ require_once("../globals.php"); if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $res = sqlStatement("SELECT date, encounter, reason FROM form_encounter " . diff --git a/interface/fax/fax_view.php b/interface/fax/fax_view.php index 11bed7891..e9acc7109 100644 --- a/interface/fax/fax_view.php +++ b/interface/fax/fax_view.php @@ -13,7 +13,7 @@ require_once("../globals.php"); if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $ffname = ''; diff --git a/interface/forms/CAMOS/admin.php b/interface/forms/CAMOS/admin.php index b2c14e416..6d56e6d00 100644 --- a/interface/forms/CAMOS/admin.php +++ b/interface/forms/CAMOS/admin.php @@ -11,7 +11,7 @@ if (!acl_check('admin', 'super')) { if ($_POST['export']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $temp = tmpfile(); @@ -57,7 +57,7 @@ if ($_POST['export']) { if ($_POST['import']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } ?> $_POST["category"], 'subcategory' => $_POST["subcategory"], 'item' => $_POST["item"], 'content' => $_POST['content']); diff --git a/interface/forms/CAMOS/notegen.php b/interface/forms/CAMOS/notegen.php index d31ef74b2..f6a54b03b 100755 --- a/interface/forms/CAMOS/notegen.php +++ b/interface/forms/CAMOS/notegen.php @@ -111,7 +111,7 @@ title='' /> if ($_POST['submit_pdf'] || $_POST['submit_html'] || ($_GET['pid'] && $_GET['encounter'])) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // note we are trimming variables before sending through this function 
diff --git a/interface/forms/CAMOS/rx_print.php b/interface/forms/CAMOS/rx_print.php index 22b2d048d..46e038a6e 100755 --- a/interface/forms/CAMOS/rx_print.php +++ b/interface/forms/CAMOS/rx_print.php @@ -51,7 +51,7 @@ if ($result = sqlFetchArray($query)) { //update user information if selected from form if ($_POST['update']) { // OPTION update practice inf if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $query = "update users set " . @@ -87,7 +87,7 @@ if ($result = sqlFetchArray($query)) { if ($_POST['print_pdf'] || $_POST['print_html']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $camos_content = array(); diff --git a/interface/forms/CAMOS/save.php b/interface/forms/CAMOS/save.php index 4fb6032d4..fdb82f945 100755 --- a/interface/forms/CAMOS/save.php +++ b/interface/forms/CAMOS/save.php @@ -7,7 +7,7 @@ require_once("./content_parser.php"); if ($_GET["mode"] == "delete") { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } foreach ($_POST as $key => $val) { diff --git a/interface/forms_admin/forms_admin.php b/interface/forms_admin/forms_admin.php index c2885e704..1fa56349d 100644 --- a/interface/forms_admin/forms_admin.php +++ b/interface/forms_admin/forms_admin.php 
@@ -15,17 +15,17 @@ require_once("$srcdir/registry.inc"); if ($_GET['method'] == "enable") { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } updateRegistered($_GET['id'], "state=1"); } elseif ($_GET['method'] == "disable") { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } updateRegistered($_GET['id'], "state=0"); } elseif ($_GET['method'] == "install_db") { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $dir = getRegistryEntry($_GET['id'], "directory"); if (installSQL("$srcdir/../interface/forms/{$dir['directory']}")) { @@ -35,7 +35,7 @@ if ($_GET['method'] == "enable") { } } elseif ($_GET['method'] == "register") { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } registerForm($_GET['name']) or $err=xl('error while registering form!'); } @@ -55,7 +55,7 @@ $bigdata = getRegistered("%") or $bigdata = false; $val) { if (preg_match('/nickname_(\d+)/', $key, $matches)) { diff --git a/interface/language/lang_constant.php b/interface/language/lang_constant.php index 0317efee6..072833860 100644 --- a/interface/language/lang_constant.php +++ b/interface/language/lang_constant.php @@ -31,7 +31,7 @@ if (!$thisauth) { if ($_POST['add']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } //validate diff --git a/interface/language/lang_definition.php b/interface/language/lang_definition.php index 7a8ab5567..862072a0e 100644 --- a/interface/language/lang_definition.php +++ b/interface/language/lang_definition.php @@ -104,7 +104,7 @@ if (!$disable_utf8_flag) { if ($_POST['load']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // query for entering new definitions it picks the cons_id because is existant. 
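Review bot: The new side of the first hunk repeats `if (!verifyCsrfToken($_GET["csrf_token_form"])) { csrfNotVerified(); }` in each of the enable, disable and install_db branches, and the `@@ -35,7 +35,7 @@` hunk adds a fourth copy in the register branch. Since every branch keyed on `$_GET['method']` mutates state, one check before the chain — `if (!empty($_GET['method']) && !verifyCsrfToken($_GET["csrf_token_form"])) { csrfNotVerified(); }` — covers them all and cannot be forgotten when a new method value is added; the only behavioural difference is that an unrecognised method value is rejected too, which looks harmless. The `elseif` chain begins inside the hunk but the install_db body continues past it.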
@@ -169,7 +169,7 @@ if ($_POST['load']) { if ($_POST['edit']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($_POST['language_select'] == '') { diff --git a/interface/language/lang_language.php b/interface/language/lang_language.php index 0db412e77..9a79b3d38 100644 --- a/interface/language/lang_language.php +++ b/interface/language/lang_language.php @@ -29,7 +29,7 @@ if (!$thisauth) { if ($_POST['add']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } //validate diff --git a/interface/language/lang_manage.php b/interface/language/lang_manage.php index bd5c58618..0cd92718a 100644 --- a/interface/language/lang_manage.php +++ b/interface/language/lang_manage.php @@ -29,7 +29,7 @@ if (!$thisauth) { if ($_POST['check'] || $_POST['synchronize']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // set up flag if only checking for changes (ie not performing synchronization) diff --git a/interface/language/language.php b/interface/language/language.php index ecdc3e422..3df394244 100644 --- a/interface/language/language.php +++ b/interface/language/language.php @@ -46,7 +46,7 @@ require_once("language.inc.php"); 2; // This authorizes everything for the specified patient. if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $retVal = getProviderId($_SESSION['authUser']); diff --git a/interface/main/authorizations/authorizations_full.php b/interface/main/authorizations/authorizations_full.php index 1d30ccfe3..b30a720cf 100644 --- a/interface/main/authorizations/authorizations_full.php +++ b/interface/main/authorizations/authorizations_full.php 
@@ -15,7 +15,7 @@ require_once("$srcdir/patient.inc"); if (isset($_GET["mode"]) && $_GET["mode"] == "authorize") { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, '', $_GET["pid"]); diff --git a/interface/main/dated_reminders/dated_reminders.php b/interface/main/dated_reminders/dated_reminders.php index 4068afbbd..31bbbb029 100644 --- a/interface/main/dated_reminders/dated_reminders.php +++ b/interface/main/dated_reminders/dated_reminders.php @@ -36,7 +36,7 @@ require_once("$srcdir/dated_reminder_functions.php"); // ---------------------------------------------------------------------------- if (isset($_POST['drR'])) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // set as processed diff --git a/interface/main/dated_reminders/dated_reminders_add.php b/interface/main/dated_reminders/dated_reminders_add.php index 14fa7fde0..0af0d9937 100644 --- a/interface/main/dated_reminders/dated_reminders_add.php +++ b/interface/main/dated_reminders/dated_reminders_add.php @@ -54,7 +54,7 @@ $max_reminder_words=160; // ---------------- FOR FORWARDING MESSAGES -------------> if (isset($_GET['mID']) and is_numeric($_GET['mID'])) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $forwarding = true; @@ -68,7 +68,7 @@ if (isset($_GET['mID']) and is_numeric($_GET['mID'])) { // --- add reminders if ($_POST) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // --- initialize $output as blank diff --git a/interface/main/dated_reminders/dated_reminders_log.php b/interface/main/dated_reminders/dated_reminders_log.php index 72515ab2d..a83fd4587 100644 --- a/interface/main/dated_reminders/dated_reminders_log.php +++ b/interface/main/dated_reminders/dated_reminders_log.php 
@@ -25,7 +25,7 @@ */ if ($_GET) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if (!$isAdmin) { diff --git a/interface/main/finder/dynamic_finder.php b/interface/main/finder/dynamic_finder.php index e0fcba992..6a61a8a3e 100644 --- a/interface/main/finder/dynamic_finder.php +++ b/interface/main/finder/dynamic_finder.php @@ -1,11 +1,18 @@ -// Sponsored by David Eschelbacher, MD -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License -// as published by the Free Software Foundation; either version 2 -// of the License, or (at your option) any later version. +/** + * dynamic_finder.php + * + * Sponsored by David Eschelbacher, MD + * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Rod Roark + * @author Brady Miller + * @copyright Copyright (c) 2012-2016 Rod Roark + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + */ + require_once("../../globals.php"); require_once "$srcdir/user.inc"; @@ -65,7 +72,7 @@ while ($row = sqlFetchArray($res)) { "serverSide": true, // NOTE kept the legacy command 'sAjaxSource' here for now since was unable to get // the new 'ajax' command to work. - "sAjaxSource": "dynamic_finder_ajax.php", + "sAjaxSource": "dynamic_finder_ajax.php?csrf_token_form=", "fnServerParams": function (aoData) { var searchType = $("#setting_search_type:checked").length > 0; aoData.push({"name": "searchType", "value": searchType}); @@ -83,7 +90,7 @@ while ($row = sqlFetchArray($res)) { }); $("div.mytopdiv").html("
"); + echo ' checked';}?> / >"); // This is to support column-specific search fields. // Borrowed from the multi_filter.html example. $("thead input").keyup(function () { @@ -106,7 +113,7 @@ while ($row = sqlFetchArray($res)) { } else { top.restoreSession(); - top.RTop.location = "../../patient_file/summary/demographics.php?set_pid=" + newpid; + top.RTop.location = "../../patient_file/summary/demographics.php?set_pid=" + encodeURIComponent(newpid); } }); }); @@ -121,7 +128,13 @@ while ($row = sqlFetchArray($res)) { e.preventDefault(); let target = uspfx + "patient_finder_exact_search"; let val = el.checked ? ' checked' : ' '; - $.post( "../../../library/ajax/user_settings.php", { target: target, setting: val }); + $.post( "../../../library/ajax/user_settings.php", + { + target: target, + setting: val, + csrf_token_form: "" + } + ); } @@ -144,7 +157,7 @@ while ($row = sqlFetchArray($res)) { - ... + ... @@ -152,7 +165,8 @@ while ($row = sqlFetchArray($res)) {
-
'> +'> +
diff --git a/interface/main/finder/dynamic_finder_ajax.php b/interface/main/finder/dynamic_finder_ajax.php index 2ed560f54..ea5bc9235 100644 --- a/interface/main/finder/dynamic_finder_ajax.php +++ b/interface/main/finder/dynamic_finder_ajax.php @@ -1,15 +1,25 @@ -// Sponsored by David Eschelbacher, MD -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License -// as published by the Free Software Foundation; either version 2 -// of the License, or (at your option) any later version. +/** + * dynamic_finder_ajax.php + * + * Sponsored by David Eschelbacher, MD + * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Rod Roark + * @author Brady Miller + * @copyright Copyright (c) 2012 Rod Roark + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + */ require_once("../../globals.php"); require_once($GLOBALS['srcdir']."/options.inc.php"); +if (!verifyCsrfToken($_GET["csrf_token_form"])) { + csrfNotVerified(); +} + $popup = empty($_REQUEST['popup']) ? 0 : 1; // With the ColReorder or ColReorderWithResize plug-in, the expected column diff --git a/interface/main/finder/finder_navigation.php b/interface/main/finder/finder_navigation.php deleted file mode 100644 index a1c4c1ed1..000000000 --- a/interface/main/finder/finder_navigation.php +++ /dev/null @@ -1,70 +0,0 @@ - - * @copyright Copyright (c) 2018 Brady Miller - * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 - */ - - -require_once("../../globals.php"); -?> - - - - -Navigation - - - - - - - - - - diff --git a/interface/main/finder/multi_patients_finder.php b/interface/main/finder/multi_patients_finder.php index 1c26b3011..c5336bb15 100644 --- a/interface/main/finder/multi_patients_finder.php +++ b/interface/main/finder/multi_patients_finder.php 
@@ -1,21 +1,27 @@ + * @author Brady Miller * @copyright Copyright (c) 2017 Amiel Elboim * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ require_once('../../globals.php'); require_once("$srcdir/patient.inc"); + use OpenEMR\Core\Header; // for editing selected patients if (isset($_GET['patients'])) { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + csrfNotVerified(); + } + $patients = rtrim($_GET['patients'], ";"); $patients = explode(';', $patients); $results = array(); @@ -31,7 +37,7 @@ if (isset($_GET['patients'])) { - <?php echo htmlspecialchars(xl('Patient Finder'), ENT_NOQUOTES); ?> + <?php echo xlt('Patient Finder'); ?> - + display->navigation($logged_in); @@ -388,8 +388,8 @@ if (!empty($_REQUEST['go'])) { ?> $message_legend = xlt('Add To Existing Message'); $onclick = ""; } - - ?> + + ?>
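Review bot: In the `isset($_GET['patients'])` branch of multi_patients_finder.php the ids obtained from `explode(';', $patients)` are not validated anywhere in the hunk, and their consumer lies outside it, so a malformed entry travels straight into whatever lookup follows; assuming ids are numeric as elsewhere in this patch (`set_pid`), `$patients = array_filter(array_map('trim', $patients), 'ctype_digit');` directly after the explode would bound that. The CSRF check covers only this branch, which looks deliberate since the page opened without parameters needs no token, but confirm the branch performs no writes. As the token is verified on GET it also appears in the dialog URL and access logs.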
@@ -753,7 +753,7 @@ if (!empty($_REQUEST['go'])) { ?> alert(""); } } - + // This is to allow selection of all items in Messages table for deletion. function selectAll() { @@ -865,7 +865,7 @@ if (!empty($_REQUEST['go'])) { ?> $("#li-remi").removeClass("active"); $("#li-reca").removeClass("active"); $("#li-sms").removeClass("active"); - + }); $("#reminders-li").click(function(){ $("#messages-div").hide(250); @@ -905,7 +905,7 @@ if (!empty($_REQUEST['go'])) { ?> ,minDate : 0 //only future }) - + }); $(document).ready(function(){ $( "ul.navbar-nav" ).children().click(function(){ @@ -918,8 +918,8 @@ if (!empty($_REQUEST['go'])) { ?> $('#see-all-tooltip').attr( "title", "" ); $('#see-all-tooltip').tooltip(); $('#just-mine-tooltip').attr( "title", "" ); - $('#just-mine-tooltip').tooltip(); - }); + $('#just-mine-tooltip').tooltip(); + }); $(function () { var f = $("#smsForm"); $("#SMS_patient").autocomplete({ @@ -960,7 +960,7 @@ if (!empty($_REQUEST['go'])) { ?> $("#assigned_to").val(""); $("#users").val("--"); }); - + //clear inputs of patients $("#clear_patients").click(function(){ $("#reply_to").val(""); @@ -1062,7 +1062,7 @@ if (!empty($_REQUEST['go'])) { ?> $("#new_note").submit(); } - + // This is for callback by the multi_patients_finder popup. function setMultiPatients(patientsList) { var f = document.getElementById('new_note'); @@ -1086,13 +1086,13 @@ if (!empty($_REQUEST['go'])) { ?> function sel_patient() { dlgopen('../../main/calendar/find_patient_popup.php', '_blank', 625, 400); } - + function multi_sel_patient() { $('#reply_to').trigger('click'); var url = '../../main/finder/multi_patients_finder.php' // for edit selected list - if($('#reply_to').val() !== ''){ - url = url+'?patients='+$('#reply_to').val(); + if ($('#reply_to').val() !== '') { + url = url + '?patients=' + $('#reply_to').val() + '&csrf_token_form='; } dlgopen(url, '_blank', 625, 400); } 
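Review bot: In `multi_sel_patient()` the `#reply_to` value is concatenated into the URL unencoded (`url + '?patients=' + $('#reply_to').val()`), whereas this same patch wraps `set_pid` in `encodeURIComponent` in patient_select.php; a plain `;`-separated list survives, but an `&`, `#` or `+` in the field truncates or alters the query and can drop the appended `csrf_token_form` parameter, which then fails the server-side check. Use `encodeURIComponent($('#reply_to').val())` here for consistency. The remaining hunks on this line are whitespace only.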
diff --git a/interface/new/new_comprehensive.php b/interface/new/new_comprehensive.php index 380e4a647..ba0456215 100644 --- a/interface/new/new_comprehensive.php +++ b/interface/new/new_comprehensive.php @@ -356,7 +356,7 @@ function selBlur(elem) { // This invokes the patient search dialog. function searchme() { var f = document.forms[0]; - var url = '../main/finder/patient_select.php?popup=1'; + var url = '../main/finder/patient_select.php?popup=1&csrf_token_form='; - - - - -<?php xl('Navigation', 'e'); ?> - - - - - - - - - - diff --git a/interface/new/new_patient.php b/interface/new/new_patient.php deleted file mode 100644 index a18e0655e..000000000 --- a/interface/new/new_patient.php +++ /dev/null @@ -1,29 +0,0 @@ - - - - - -<?php echo $openemr_name; ?> - - - - - -,*" cols="*" frameborder="0" border="0" framespacing="0"> - - - - - - - -<body bgcolor="#FFFFFF"> - -</body> - - diff --git a/interface/new/new_title.php b/interface/new/new_title.php deleted file mode 100644 index f3c5b8e34..000000000 --- a/interface/new/new_title.php +++ /dev/null @@ -1,32 +0,0 @@ - - - - - - - - - - - - - - - - - - - - -
-: () - - -
- - - diff --git a/interface/orders/patient_match_dialog.php b/interface/orders/patient_match_dialog.php index 82b190987..8a41333dc 100644 --- a/interface/orders/patient_match_dialog.php +++ b/interface/orders/patient_match_dialog.php @@ -75,6 +75,7 @@ $form_DOB = $args['DOB'];
+ ' /> if ($_POST['form_submit']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $pd_fields = ''; diff --git a/interface/patient_file/deleter.php b/interface/patient_file/deleter.php index 9eb9370ad..ffaa16482 100644 --- a/interface/patient_file/deleter.php +++ b/interface/patient_file/deleter.php @@ -227,7 +227,7 @@ function popup_close() { // if ($_POST['form_submit']) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($patient) { diff --git a/interface/patient_file/encounter/diagnosis.php b/interface/patient_file/encounter/diagnosis.php index feeca97e8..9b365e5f2 100644 --- a/interface/patient_file/encounter/diagnosis.php +++ b/interface/patient_file/encounter/diagnosis.php @@ -35,7 +35,7 @@ if ($payment_method == "insurance") { if (isset($mode)) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($mode == "add") { diff --git a/interface/patient_file/encounter/diagnosis_full.php b/interface/patient_file/encounter/diagnosis_full.php index 772c0b204..b46a81538 100644 --- a/interface/patient_file/encounter/diagnosis_full.php +++ b/interface/patient_file/encounter/diagnosis_full.php @@ -7,7 +7,7 @@ $id = $_GET['id']; if (isset($mode)) { if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($mode == "add") { diff --git a/interface/patient_file/encounter/search_code.php b/interface/patient_file/encounter/search_code.php index d1fab8fce..47e02b63f 100644 --- a/interface/patient_file/encounter/search_code.php +++ b/interface/patient_file/encounter/search_code.php @@ -50,7 +50,7 @@ $code_type = $_GET['type']; "; 
@@ -59,7 +59,7 @@ if (isset($_POST["mode"]) && $_POST["mode"] == "search" && $_POST["text"] == "") if (isset($_POST["mode"]) && $_POST["mode"] == "search" && $_POST["text"] != "") { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // $sql = "SELECT * FROM codes WHERE (code_text LIKE '%" . $_POST["text"] . diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php index 0ff3660f3..44b72c5a6 100644 --- a/interface/patient_file/summary/demographics.php +++ b/interface/patient_file/summary/demographics.php @@ -233,11 +233,23 @@ function toggleIndicator(target,div) { if ( $mode == "" ) { $(target).find(".indicator").text( "" ); $("#"+div).hide(); - $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 }); + $.post( "../../../library/ajax/user_settings.php", + { + target: div, + mode: 0, + csrf_token_form: "" + } + ); } else { $(target).find(".indicator").text( "" ); $("#"+div).show(); - $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 }); + $.post( "../../../library/ajax/user_settings.php", + { + target: div, + mode: 1, + csrf_token_form: "" + } + ); } } @@ -655,7 +667,7 @@ if (!empty($grparr['']['grp_size'])) { echo "\n\n"; exit(); }?> - + @@ -667,7 +679,7 @@ if (!empty($grparr['']['grp_size'])) { - +
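Review bot: The two `$.post` calls in `toggleIndicator` (hunk `@@ -233,11 +233,23 @@` of demographics.php) are now identical except for `mode`, so the token literal is maintained in two places; compute the mode in the branches and issue a single request after the `if`/`else`, e.g. `var newMode = ($mode == "") ? 0 : 1;` followed by one `$.post("../../../library/ajax/user_settings.php", { target: div, mode: newMode, csrf_token_form: ... })` keeping the existing token value. Neither call has a `.fail()` handler, so when user_settings.php now rejects the token the panel toggles on screen but the preference silently fails to persist; a `.fail(function () { console.error('user setting not saved'); })` would at least surface it. The `$mode` computation and the rest of the function are outside the hunk.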
- +
diff --git a/interface/patient_tracker/patient_tracker.php b/interface/patient_tracker/patient_tracker.php index 0df31a2a7..2b595cafe 100644 --- a/interface/patient_tracker/patient_tracker.php +++ b/interface/patient_tracker/patient_tracker.php @@ -925,6 +925,7 @@ if (!$_REQUEST['flb_table']) { ?> '> + diff --git a/interface/reports/cqm.php b/interface/reports/cqm.php index 1d554ba42..d38278baa 100644 --- a/interface/reports/cqm.php +++ b/interface/reports/cqm.php @@ -759,7 +759,7 @@ if (isset($row['is_main']) || isset($row['is_sub'])) { } if (isset($row['itemized_test_id']) && ($row['pass_filter'] > 0)) { - echo "" . text($row['pass_filter']) . ""; + echo "" . text($row['pass_filter']) . ""; } else { echo "" . text($row['pass_filter']) . ""; } @@ -768,7 +768,7 @@ if (isset($row['is_main']) || isset($row['is_sub'])) { // Note that amc will likely support in excluded items in the future for MU2 if (($type_report != "standard") && isset($row['itemized_test_id']) && ($row['excluded'] > 0)) { // Note standard reporting exluded is different than cqm/amc and will not support itemization - echo "" . text($row['excluded']) . ""; + echo "" . text($row['excluded']) . ""; } else { echo "" . text($row['excluded']) . ""; } @@ -778,14 +778,14 @@ if (isset($row['is_main']) || isset($row['is_sub'])) { // Note that amc will likely support in exception items in the future for MU2 if (isset($row['itemized_test_id']) && ($row['exception'] > 0)) { // Note standard reporting exluded is different than cqm/amc and will not support itemization - echo "" . text($row['exception']) . ""; + echo "" . text($row['exception']) . ""; } else { echo "" . text($row['exception']) . ""; } } if (isset($row['itemized_test_id']) && ($row['pass_target'] > 0)) { - echo "" . text($row['pass_target']) . ""; + echo "" . text($row['pass_target']) . ""; } else { echo "" . text($row['pass_target']) . ""; } 
@@ -804,7 +804,7 @@ if (isset($row['is_main']) || isset($row['is_sub'])) { } if (isset($row['itemized_test_id']) && ($failed_items > 0)) { - echo "" . text($failed_items) . ""; + echo "" . text($failed_items) . ""; } else { echo "" . text($failed_items) . ""; } diff --git a/interface/super/edit_globals.php b/interface/super/edit_globals.php index 0a1482772..7ca646d07 100644 --- a/interface/super/edit_globals.php +++ b/interface/super/edit_globals.php @@ -117,7 +117,7 @@ function checkBackgroundServices() if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && $userMode) { //verify csrf if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $i = 0; @@ -156,7 +156,7 @@ if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && $userMode) { if (array_key_exists('form_download', $_POST) && $_POST['form_download']) { //verify csrf if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $client = portal_connection(); @@ -205,7 +205,7 @@ if (array_key_exists('form_download', $_POST) && $_POST['form_download']) { if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && !$userMode) { //verify csrf if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $force_off_enable_auditlog_encryption = true; diff --git a/interface/super/edit_layout.php b/interface/super/edit_layout.php index 347e7a3bd..826deca0a 100644 --- a/interface/super/edit_layout.php +++ b/interface/super/edit_layout.php @@ -340,7 +340,7 @@ $lbfonly = substr($layout_id, 0, 3) == 'LBF' ? "" : "style='display:none;'"; if ($_POST['formaction'] == "save" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // If we are saving, then save. 
@@ -403,7 +403,7 @@ if ($_POST['formaction'] == "save" && $layout_id) { } } else if ($_POST['formaction'] == "addfield" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Add a new field to a specific group @@ -437,7 +437,7 @@ if ($_POST['formaction'] == "save" && $layout_id) { addOrDeleteColumn($layout_id, trim($_POST['newid']), true); } else if ($_POST['formaction'] == "movefields" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Move field(s) to a new group in the layout @@ -457,7 +457,7 @@ if ($_POST['formaction'] == "save" && $layout_id) { sqlStatement($sqlstmt); } else if ($_POST['formaction'] == "deletefields" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Delete a field from a specific group @@ -477,7 +477,7 @@ if ($_POST['formaction'] == "save" && $layout_id) { } } else if ($_POST['formaction'] == "addgroup" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Generate new value for layout_items.group_id. @@ -523,7 +523,7 @@ if ($_POST['formaction'] == "save" && $layout_id) { } /********************************************************************** else if ($_POST['formaction'] == "deletegroup" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // drop the fields from the related table (this is critical) @@ -544,7 +544,7 @@ else if ($_POST['formaction'] == "deletegroup" && $layout_id) { else if ($_POST['formaction'] == "movegroup" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Note that in some cases below the swapGroups() call will do nothing. 
@@ -573,7 +573,7 @@ else if ($_POST['formaction'] == "movegroup" && $layout_id) { } // Renaming a group. This might include moving to a different parent group. else if ($_POST['formaction'] == "renamegroup" && $layout_id) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $newparent = $_POST['renamegroupparent']; // this is an ID diff --git a/interface/super/edit_layout_props.php b/interface/super/edit_layout_props.php index f4ed93245..9f9d1f3ca 100644 --- a/interface/super/edit_layout_props.php +++ b/interface/super/edit_layout_props.php @@ -110,7 +110,7 @@ function get_related() { - - - - - - - src="usergroup_admin.php" - - src="../forms_admin/forms_admin.php" - - src="/controller.php?practice_settings" - - src="../main/calendar/index.php?module=PostCalendar&type=admin&func=modifyconfig" - - src="/logview/logview.php" - - name="Main" scrolling="auto" frameborder="0" noresize> - - diff --git a/interface/usergroup/mfa_registrations.php b/interface/usergroup/mfa_registrations.php index 6f5bdeb8e..33efe11ab 100644 --- a/interface/usergroup/mfa_registrations.php +++ b/interface/usergroup/mfa_registrations.php @@ -30,7 +30,7 @@ $userid = $_SESSION['authId']; $message = ''; if (!empty($_POST['form_delete_method'])) { if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } // Delete the indicated MFA instance. sqlStatement( diff --git a/interface/usergroup/mfa_u2f.php b/interface/usergroup/mfa_u2f.php index c9458b638..fcf40ca9d 100644 --- a/interface/usergroup/mfa_u2f.php +++ b/interface/usergroup/mfa_u2f.php @@ -114,7 +114,7 @@ if ($action == 'reg1') { doRegister(json_decode($_POST['form_request']), json_decode($_POST['form_registration'])); diff --git a/interface/usergroup/usergroup.php b/interface/usergroup/usergroup.php deleted file mode 100644 index 80453e688..000000000 --- a/interface/usergroup/usergroup.php +++ /dev/null 
@@ -1,61 +0,0 @@ - - - - -<?php echo $openemr_name ?> - - - - - -,*" cols="*" frameborder="NO" border="0" framespacing="0"> - - - - src="usergroup_admin.php" - - src="../forms_admin/forms_admin.php" - - src="/controller.php?practice_settings" - - src="../main/calendar/index.php?module=PostCalendar&type=admin&func=modifyconfig" - - src="/logview/logview.php" - - name="Main" scrolling="auto" noresize frameborder="NO"> - - -<body bgcolor="#FFFFFF"> - -</body> - - - - - - - - - - - - - diff --git a/interface/usergroup/usergroup_navigation.php b/interface/usergroup/usergroup_navigation.php deleted file mode 100644 index d511f1082..000000000 --- a/interface/usergroup/usergroup_navigation.php +++ /dev/null @@ -1,133 +0,0 @@ - - - -<?php xl('Navigation', 'e'); ?> - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-    -  -  -  -  -  -  -   -  -  -  -  -  -  -  -
- -
- - - diff --git a/interface/usergroup/usergroup_title.php b/interface/usergroup/usergroup_title.php deleted file mode 100644 index 29fa5c564..000000000 --- a/interface/usergroup/usergroup_title.php +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - - - - - - - -
-: - - -
- - - diff --git a/library/ajax/addlistitem.php b/library/ajax/addlistitem.php index 29225d59d..df12c89e5 100644 --- a/library/ajax/addlistitem.php +++ b/library/ajax/addlistitem.php @@ -23,7 +23,7 @@ require_once("../../interface/globals.php"); //verify csrf if (!verifyCsrfToken($_GET["csrf_token_form"])) { echo json_encode(array("error"=> xl('Authentication Error') )); - exit; + csrfNotVerified(false); } // check for required values diff --git a/library/ajax/adminacl_ajax.php b/library/ajax/adminacl_ajax.php index dd9d5fc72..54c3d8ce5 100644 --- a/library/ajax/adminacl_ajax.php +++ b/library/ajax/adminacl_ajax.php @@ -27,13 +27,13 @@ $error = array(); //verify csrf if (!verifyCsrfToken($_POST["csrf_token_form"])) { echo error_xml(xl('Authentication Error')); - exit; + csrfNotVerified(false); } //ensure user has proper access if (!acl_check('admin', 'acl')) { echo error_xml(xl('ACL Administration Not Authorized')); - exit; + csrfNotVerified(false); } //ensure php is installed diff --git a/library/ajax/ccr_import_ajax.php b/library/ajax/ccr_import_ajax.php index 16baae3ae..aa4072f38 100644 --- a/library/ajax/ccr_import_ajax.php +++ b/library/ajax/ccr_import_ajax.php @@ -30,7 +30,7 @@ require_once(dirname(__FILE__) . "/../parse_patient_xml.php"); //verify csrf if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($_REQUEST["ccr_ajax"] == "yes") { diff --git a/library/ajax/code_attributes_ajax.php b/library/ajax/code_attributes_ajax.php index c98ec85a8..524099901 100644 --- a/library/ajax/code_attributes_ajax.php +++ b/library/ajax/code_attributes_ajax.php @@ -19,7 +19,7 @@ require_once("$fileroot/interface/drugs/drugs.inc.php"); //verify csrf if (!verifyCsrfToken($_GET["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } function write_code_info($codetype, $code, $selector, $pricelevel) 
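Review bot: In adminacl_ajax.php the `acl_check('admin', 'acl')` failure branch now calls `csrfNotVerified(false)`, and per the sanitize.inc.php change in this patch that writes "OpenEMR CSRF token authentication error" to the log, so an authorization failure is recorded as a CSRF failure and the two cannot be told apart when triaging. Keep `exit;` in that branch, optionally preceded by `error_log("OpenEMR ACL administration not authorized");`, and reserve `csrfNotVerified()` for the token path. The addlistitem.php change on the same line is fine because it stays on the token path.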
diff --git a/library/ajax/offsite_portal_ajax.php b/library/ajax/offsite_portal_ajax.php index 18a17ca04..a42feaea5 100644 --- a/library/ajax/offsite_portal_ajax.php +++ b/library/ajax/offsite_portal_ajax.php @@ -31,7 +31,7 @@ require_once(dirname(__FILE__)."/../../myportal/soap_service/portal_connectivity //verify csrf if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } if ($_POST['action'] == 'check_file' && acl_check('admin', 'super')) { diff --git a/library/ajax/user_settings.php b/library/ajax/user_settings.php index 2f690810c..3527ce099 100644 --- a/library/ajax/user_settings.php +++ b/library/ajax/user_settings.php @@ -1,21 +1,23 @@ -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License -// as published by the Free Software Foundation; either version 2 -// of the License, or (at your option) any later version. -// -// -// This file contains functions that manage custom user -// settings -// - +/** + * This file contains functions that manage custom user + * settings + * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Brady Miller + * @copyright Copyright (c) 2010-2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + */ require_once(dirname(__FILE__) . "/../../interface/globals.php"); require_once(dirname(__FILE__) . "/../user.inc"); +if (!verifyCsrfToken($_POST["csrf_token_form"])) { + csrfNotVerified(); +} + //If 'mode' is either a 1 or 0 and 'target' ends with _expand // Then will update the appropriate user _expand flag if (( $_POST['mode'] == 1 || $_POST['mode'] == 0 ) && ( substr($_POST['target'], -7, 7) == "_expand" )) { diff --git a/library/log_validation.php b/library/log_validation.php index b4d79c394..bd9ce0462 100644 --- a/library/log_validation.php +++ b/library/log_validation.php 
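Review bot: The check added to user_settings.php reads `$_POST["csrf_token_form"]` directly, so a request without the field raises an undefined-index notice before being rejected; `isset($_POST["csrf_token_form"]) ? $_POST["csrf_token_form"] : ''` avoids the notice, assuming verifyCsrfToken rejects an empty token. The condition immediately after, `$_POST['mode'] == 1 || $_POST['mode'] == 0`, is a loose comparison, and on PHP 7 any non-numeric string compares equal to `0`, so a garbage `mode` still enters the `_expand` branch; `in_array($_POST['mode'], array('0', '1'), true)` pins it to the two intended values (POST values arrive as strings). The body of that branch lies outside the hunk.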
@@ -30,7 +30,7 @@ if (!acl_check('admin', 'users')) { } if (!verifyCsrfToken($_POST["csrf_token_form"])) { - die(xlt('Authentication Error')); + csrfNotVerified(); } $valid = true; diff --git a/library/sanitize.inc.php b/library/sanitize.inc.php index 89d412f8f..855885c49 100644 --- a/library/sanitize.inc.php +++ b/library/sanitize.inc.php @@ -59,6 +59,17 @@ function verifyCsrfToken($token) } } +function csrfNotVerified($toScreen = true, $toLog = true) +{ + if ($toScreen) { + echo xlt('Authentication Error'); + } + if ($toLog) { + error_log("OpenEMR CSRF token authentication error"); + } + die; +} + // If the label contains any illegal characters, then the script will die. function check_file_dir_name($label) { diff --git a/library/user.inc b/library/user.inc index ce98806ba..f0974b442 100644 --- a/library/user.inc +++ b/library/user.inc @@ -1,10 +1,13 @@ -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License -// as published by the Free Software Foundation; either version 2 -// of the License, or (at your option) any later version. +/** + * user.inc + * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Brady Miller + * @copyright Copyright (c) 2010 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + */ // Set effective user - If no user id is provided, then use the currently logged in user @@ -146,7 +149,7 @@ function collectAndOrganizeExpandSetting($filenames = array()) { $current_filename = $filenames[0]; $global_value = $GLOBALS['expand_form']; - + if (getUserSetting($current_filename) > -1) { $current_state = getUserSetting($current_filename); } elseif ($global_value) { 
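Review bot: `csrfNotVerified()` in sanitize.inc.php ends the request with a plain "Authentication Error" body but sets no HTTP status, so the browser and every AJAX caller converted in this patch receive a 200 whose body is neither the expected JSON/XML nor a recognisable error. Send a 403 while headers are still unsent (callers such as addlistitem.php and adminacl_ajax.php have already echoed a body, hence the `headers_sent()` guard) and include the script name and client address in the log line so a burst of rejections can be traced to a page and a source. The rewritten function below keeps the `xlt` output and the `die` exactly as before.
```php
function csrfNotVerified($toScreen = true, $toLog = true)
{
    // Mark the response as refused; skipped when a caller already sent output.
    if (!headers_sent()) {
        http_response_code(403);
    }
    if ($toScreen) {
        echo xlt('Authentication Error');
    }
    if ($toLog) {
        $script = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : 'unknown script';
        $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown client';
        error_log("OpenEMR CSRF token authentication error in " . $script . " from " . $client);
    }
    die;
}
```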
@@ -154,12 +157,12 @@ function collectAndOrganizeExpandSetting($filenames = array()) } else { $current_state = 0; } - + if ($filenames.length) { foreach ($filenames as $filename) { setUserSetting($filename, $current_state); } } - + return $current_state; } -- 2.11.4.GIT