CSRF check is not done on GET methods, as this would break the ability to link directly to a page.

This commit is contained in:
Laurent Destailleur 2010-01-16 11:53:50 +00:00
parent 17a1ae5c3c
commit ee3cae8c38


@ -111,8 +111,9 @@ analyse_sql_and_script($_GET);
analyse_sql_and_script($_POST);
// Security: CSRF protection
// The test to do is to check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST']).
if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
// when we post forms (we allow GET to allow direct link to access a particular page).
if (! defined('NOCSRFCHECK') && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
{
//print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
print 'Access refused by CSRF protection in main.inc.php.';
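Review bot: The referer test in the new `if` is still a bare substring match — `preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])` accepts any referer that merely contains the Dolibarr host name, such as `http://attacker.example/?x=dolibarr.example` or `dolibarr.example.attacker.example`, so a cross-site POST launched from such a page passes the check. Compare the parsed host instead, e.g. `$refhost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);` and then `strcasecmp((string) $refhost, (string) parse_url('http://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST)) !== 0` in place of the `preg_match`. Note also that the whole check is skipped whenever `HTTP_REFERER` is empty, which an attacking page can arrange, and that the new GET exemption leaves any state-changing action reachable by GET unprotected — worth confirming no such action exists, or moving to a per-session token rather than a referer check. The `if` body continues past the end of the hunk.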
@ -259,7 +260,7 @@ if ($conf->global->MAIN_DWOO2)
//$dwoo_libs = $dolibarr_dwoo_libs_dir. "dwooAutoload.php";
$dwoo_libs = $dolibarr_dwoo_libs_dir. "Dwoo.php";
$dwoo_smarty_adapter = $dolibarr_dwoo_libs_dir. "Dwoo/Smarty/Adapter.php";
if (include_once($dwoo_libs) && include_once($dwoo_smarty_adapter))
{
//$dwoo = new Dwoo($dolibarr_dwoo_compile,$dolibarr_dwoo_cache);