Merge commit from fork

Author: cedric-anne

inc/config.php

@@ -245,6 +245,7 @@
                 );
 
                 if ($outdated !== true) {
+                    $_SESSION['can_process_update'] = true;
                     echo "<form method='post' action='" . $CFG_GLPI["root_doc"] . "/install/update.php'>";
                     if (!VersionParser::isStableRelease(GLPI_VERSION)) {
                         echo Config::agreeUnstableMessage(VersionParser::isDevVersion(GLPI_VERSION));

install/install.php

@@ -506,6 +506,7 @@ function update1($dbname)
         footer_html();
     } else {
         $from_install = true;
+        $_SESSION['can_process_update'] = true;
         include_once(GLPI_ROOT . "/install/update.php");
     }
 }

install/update.php

@@ -70,7 +70,7 @@
 $update = new Update($DB);
 $update->initSession();
 
-if (isset($_POST['update_end'])) {
+if (($_SESSION['can_process_update'] ?? false) && isset($_POST['update_end'])) {
     if (isset($_POST['send_stats'])) {
         Telemetry::enable();
     }
@@ -228,32 +228,30 @@ function showSecurityKeyCheckForm()
 echo "<h2>GLPI SETUP</h2>";
 echo "<br><h3>" . __('Upgrade') . "</h3>";
 
-// step 1    avec bouton de confirmation
-
-if (empty($_POST["continuer"]) && empty($_POST["from_update"])) {
-    if (empty($from_install) && !isset($_POST["from_update"])) {
-        echo "<div class='center'>";
-        echo "<h3><span class='migred'>" . __('Impossible to accomplish an update by this way!') . "</span>";
-        echo "<p>";
-        echo "<a class='btn btn-primary' href='../index.php'>
-            " . __('Go back to GLPI') . "
-         </a></p>";
-        echo "</div>";
-    } else {
-        echo "<div class='center'>";
-        echo "<h3 class='my-4'><span class='migred p-2'>" . sprintf(__('Caution! You will update the GLPI database named: %s'), $DB->dbdefault) . "</h3>";
-
-        echo "<form action='update.php' method='post'>";
-        if (!VersionParser::isStableRelease(GLPI_VERSION)) {
-            echo Config::agreeUnstableMessage(VersionParser::isDevVersion(GLPI_VERSION));
-        }
-        echo "<button type='submit' class='btn btn-primary' name='continuer' value='1'>
-         " . __('Continue') . "
-         <i class='fas fa-chevron-right ms-1'></i>
-      </button>";
-        Html::closeForm();
-        echo "</div>";
+if (($_SESSION['can_process_update'] ?? false) === false) {
+    // Unexpected direct access to the form
+    echo "<div class='center'>";
+    echo "<h3><span class='migred'>" . __('Impossible to accomplish an update by this way!') . "</span>";
+    echo "<p>";
+    echo "<a class='btn btn-primary' href='../index.php'>
+        " . __('Go back to GLPI') . "
+     </a></p>";
+    echo "</div>";
+} elseif (empty($_POST["continuer"]) && empty($_POST["from_update"])) {
+    // step 1    avec bouton de confirmation
+    echo "<div class='center'>";
+    echo "<h3 class='my-4'><span class='migred p-2'>" . sprintf(__('Caution! You will update the GLPI database named: %s'), $DB->dbdefault) . "</h3>";
+
+    echo "<form action='update.php' method='post'>";
+    if (!VersionParser::isStableRelease(GLPI_VERSION)) {
+        echo Config::agreeUnstableMessage(VersionParser::isDevVersion(GLPI_VERSION));
     }
+    echo "<button type='submit' class='btn btn-primary' name='continuer' value='1'>
+     " . __('Continue') . "
+     <i class='fas fa-chevron-right ms-1'></i>
+  </button>";
+    Html::closeForm();
+    echo "</div>";
 } else {
    // Step 2
     if (test_connect()) {