From 003208bc9684cbc82b4daa00c1fe3d32db87dd4b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 24 May 2009 19:04:25 +0000
Subject: [PATCH] Disable the CSRF protection if we are in a development instance (to be able to do test and send post from tools).

---
 htdocs/main.inc.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 6464811aca3..ff373848a80 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -175,18 +175,19 @@ $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
 if (isset($_SESSION['token_level_1'])) $_SESSION['token_level_2'] = $_SESSION['token_level_1'];
 if (isset($_SESSION['newtoken'])) $_SESSION['token_level_1'] = $_SESSION['newtoken'];
 $_SESSION['newtoken'] = $token;
-// Verification de la presence et de la validite du jeton
-if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2']))
+if (empty($conf->global->MAIN_FEATURES_LEVEL)) // Check validity of token, only if not a dev instance (this make developper tests no more working)
 {
-	if (($_POST['token'] != $_SESSION['token_level_1']) && ($_POST['token'] != $_SESSION['token_level_2']))
+	if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2']))
 	{
-		dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token_level_1']=".$_SESSION['token_level_1'].", _SESSION['token_level_2']=".$_SESSION['token_level_2']);
-		print 'Unset POST by CSRF protection in main.inc.php.';
-		unset($_POST);
+		if (($_POST['token'] != $_SESSION['token_level_1']) && ($_POST['token'] != $_SESSION['token_level_2']))
+		{
+			dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token_level_1']=".$_SESSION['token_level_1'].", _SESSION['token_level_2']=".$_SESSION['token_level_2']);
+			print 'Unset POST by CSRF protection in main.inc.php.';
+			unset($_POST);
+		}
 	}
 }
 
-
 // Disable modules (this must be after session_start and after conf has been loaded)
 if (! empty($_REQUEST["disablemodules"])) $_SESSION["disablemodules"]=$_REQUEST["disablemodules"];
 if (! empty($_SESSION["disablemodules"]))
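Review bot: The new outer `if (empty($conf->global->MAIN_FEATURES_LEVEL))` switches CSRF protection off on every instance where that option holds any non-empty value, not only on development ones; MAIN_FEATURES_LEVEL looks like a general feature-level switch rather than a development-only marker, so a production site that raised it to expose experimental features would silently lose the check — confirm which values it can take, and prefer a dedicated opt-out that is documented as a security downgrade and logged through `dol_syslog` whenever it takes effect. Independently of that gate, the re-added inner check still runs only when `$_POST['token']` is set, so a forged POST that simply omits the field is never rejected; for any POST carrying an `action`, a missing token should be treated like an invalid one. The mismatch test uses loose `!=`, under which two hex digests of the form `0e<digits>` compare equal as numeric strings, so write it as `if (($_POST['token'] !== $_SESSION['token_level_1']) && ($_POST['token'] !== $_SESSION['token_level_2']))`. The re-added `dol_syslog` call writes the unsanitised `HTTP_REFERER` and both live session tokens to the log, which leaks the tokens and lets a client inject log content through a header it controls, and it reads `$_POST['action']` without `isset`; log only that a mismatch occurred and which action was attempted.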