From 2215df18a3580897d7b595b4f41f061f141f7d92 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 27 Dec 2010 19:25:59 +0000
Subject: [PATCH] Fi:x Restore a security system broken by adding alt feature.
---
 htdocs/lib/functions.lib.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index dca84a1f3ed..67d70fef964 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -65,7 +65,8 @@ function GETPOST($paramname,$check='',$method=0)
 /**
- * Return a prefix to use for this Dolibarr instance for session or cookie names
+ * Return a prefix to use for this Dolibarr instance for session or cookie names.
+ * This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs.
  * @return string A calculated prefix
  */
 function dol_getprefix()
@@ -73,7 +74,12 @@ function dol_getprefix()
 // Add real path in session name
 $realpath='';
 if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
-if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT)
+{
+$realpath='';
+// Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+// FIXME The fix is to use only "root url" as realpath like the one defined into $dolibarr_main_document_root
+}
 return $realpath;
 }
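Review bot: The new block in the second hunk still assigns `$realpath='';` whenever DOL_DOCUMENT_ROOT_ALT is set, so every instance using the alt feature ends up with the same session/cookie prefix and the cross-instance session sharing described in the added Warning comment remains in place; the commit only reformats the line into a block and records a FIXME. A way to keep the prefix instance-specific without putting the filesystem path into the cookie name would be to derive it from the configured document root instead of emptying it, e.g. `$realpath = defined('DOL_DOCUMENT_ROOT') ? md5(DOL_DOCUMENT_ROOT) : '';` — this assumes DOL_DOCUMENT_ROOT is already defined when dol_getprefix() runs, which cannot be confirmed from this hunk. On the unchanged context line above, `realpath()` can return false, which preg_match() then treats as an empty string; checking that result explicitly would make the empty-prefix fallback deliberate rather than accidental. The docblock in the first hunk now claims the prefix "is unique for instance", which is not true in the alt case; adding "except when DOL_DOCUMENT_ROOT_ALT is used, see FIXME below" would keep the documentation honest.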