From 3c49c6e5b77855a3933e962f0b447cb630b2bf85 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 16 May 2009 06:31:59 +0000
Subject: [PATCH] Sec: Make CSRF test at the beginning. No functionnal code must be done if there is a security risk, so use just a return. Add test on a constant to remove test for some pages because this break a lot of features.

---
 htdocs/index.php    |  2 ++
 htdocs/main.inc.php | 20 +++++++-------------
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/htdocs/index.php b/htdocs/index.php
index 105f7bcbb6a..08115f8fbf4 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -24,6 +24,8 @@
  * \version $Id$
  */
 
+define('NOCSRFCHECK'); // This is login page. We must be able to go on it from another web site.
+
 require("./pre.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/boxes.php");
 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 99fd1e0e998..cc59f0633fc 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -45,7 +45,7 @@ if (! empty($_SERVER['DOL_TUNING']))
 // Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
 // (Sinon il faudrait a chaque POST, conditionner
 // la lecture de variable par stripslashes selon etat de get_magic_quotes).
-// En mode off (recommande il faut juste faire addslashes au moment d'un insert/update.
+// En mode off (recommande, il faut juste faire addslashes au moment d'un insert/update.
 function stripslashes_deep($value)
 {
 	return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
@@ -62,7 +62,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
 	@set_magic_quotes_runtime(0);
 }
 
-// Filtre les GET et POST pour supprimer les SQL INJECTION
+// Security: SQL Injection protection (Filters on GET and POST)
 function test_sql_inject($val)
 {
 	$sql_inj = 0;
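Review bot: The added `define('NOCSRFCHECK');` in index.php passes only a constant name, but `define()` requires a name and a value; on the PHP versions of this era the call emits a warning and does not create the constant, so `defined('NOCSRFCHECK')` in main.inc.php stays false and the login page is still subjected to the referer check this commit intends to exempt it from (on PHP 8 the call is a fatal `ArgumentCountError`). Give the constant a value: `define('NOCSRFCHECK', '1'); // This is login page. We must be able to go on it from another web site.`. If the exemption is meant to be honoured by the `! defined('NOCSRFCHECK')` test, it would also be worth a note in main.inc.php listing which pages may set it, since each one drops the referer check entirely.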
@@ -106,26 +106,20 @@ function analyse_sql_injection(&$var)
 }
 analyse_sql_injection($_GET);
 analyse_sql_injection($_POST);
-// Fin filtre des GET et POST
+// Security: CSRF protection
+if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
+{
+	return;
+}
 
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 
-// Retrieve the entity in login form, and after in the cookie
-// Removed: The session has not been initialized yet so using SESSION is forbidden here
-//$entityCookieName = "DOLENTITYID_dolibarr";
-//if (isset($_POST["entity"])) $_SESSION["dol_entity"] = $_POST["entity"];
-//if (isset($_COOKIE[$entityCookieName])) $_SESSION["dol_entity"] = $_COOKIE[$entityCookieName];
-
 // Set and init common variables
 // This include will set: $conf, $langs and $mysoc objects
 require_once("master.inc.php");
 
-// Protection faille CSRF !!!
-if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
-accessforbidden();
-
 // Check if HTTPS
 if ($conf->file->main_force_https)
 {
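Review bot: The new check hands `DOL_MAIN_URL_ROOT` to `eregi()` as an unescaped, unanchored pattern, so a referer only needs to contain the root URL somewhere (for example in a query string of a page on another host) and every `.` in the root URL matches any character; the comparison should be a literal prefix match, e.g. `! preg_match('/^'.preg_quote(DOL_MAIN_URL_ROOT, '/').'/i', $_SERVER['HTTP_REFERER'])` in place of the `eregi()` call (which is also deprecated in PHP 5.3 and removed in 7). A bare `return` at file scope only returns to whichever file included main.inc.php; unless that includer stops on its own, the page body presumably keeps executing with `$conf` and `$db` never set, so `exit` (or the `accessforbidden()` call the old code used, now that it runs before any functional code) would end the request for certain. Because the whole test is skipped when the Referer header is absent, and a cross-site request can be made without one, this remains a defence-in-depth measure rather than a CSRF fix; a per-session token checked on state-changing requests is what would close the hole. The `analyse_sql_injection` function whose closing brace opens this hunk starts outside it.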