Fi:x Restore a security system broken by adding alt feature.

2010-12-27 19:25:59 +00:00 · 2010-12-27 19:25:59 +00:00 · 2215df18a3
commit 2215df18a3
parent 14e70e6e53
1 changed files with 8 additions and 2 deletions
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@ -65,7 +65,8 @@ function GETPOST($paramname,$check='',$method=0)


 /**
- *  Return a prefix to use for this Dolibarr instance for session or cookie names
+ *  Return a prefix to use for this Dolibarr instance for session or cookie names.
+ *  This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs.
 *  @return         string      A calculated prefix
 */
 function dol_getprefix()
@ -73,7 +74,12 @@ function dol_getprefix()
    // Add real path in session name
    $realpath='';
    if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
-    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT)
+    {
+        $realpath='';
+        // Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+        // FIXME The fix is to use only "root url" as realpath like the one defined into $dolibarr_main_document_root
+    }
    return $realpath;
 }