From 3b01b8cb4796de441c5d8f1d7c5193d2d5bad0d1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 13 Sep 2015 22:50:08 +0200
Subject: [PATCH] Fix security hole

---
 htdocs/filefunc.inc.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index dc3f1866382..1898b50e693 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -67,7 +67,9 @@ $conffiletoshow = "htdocs/conf/conf.php";
 // Include configuration
 // --- End of part replaced by Dolibarr packager makepack-dolibarr
+
 // Replace conf filename with "conf" parameter on url by GET
+/* Disabled. This is a serious security hole
 if (! empty($_GET['conf']))
 {
 $confname=basename($_GET['conf']);
@@ -77,7 +79,7 @@ if (! empty($_GET['conf']))
 $confname=basename(empty($_COOKIE['dolconf']) ? 'conf' : $_COOKIE['dolconf']);
 $conffile = 'conf/'.$confname.'.php';
 }
-
+*/
 // Include configuration
 $result=@include_once $conffile; // Keep @ because with some error reporting this break the redirect
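Review bot: Wrapping the block in `/* Disabled. This is a serious security hole ... */` keeps the request-controlled include-path selection (`$_GET['conf']` and `$_COOKIE['dolconf']` feeding `$conffile`) in the file, where a later edit can re-enable it or any `*/` introduced inside the block would end the comment early and silently restore it. Since `$conffile` is fixed by the packager just above this hunk, the block should be deleted outright and the reason recorded in one line, e.g. `// The conf file name is never taken from the request ($_GET/$_COOKIE): that allowed loading any conf/<name>.php`. Note that `basename()` on its own was never an adequate guard here, because it still lets a request pick any readable `conf/*.php` the server holds, so the removal rather than further sanitising is the right direction. The disabled if/else spans both hunks and its middle (the end of the `if` branch and the `else`) is not visible here.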