From 590fac0345df8b4c6d0d395c4cda60c7f200a819 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 28 Nov 2022 20:18:12 +0100
Subject: [PATCH] Can also disable WAF for PHP_SELF

---
 htdocs/main.inc.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 94b69a065e4..62be7c7191e 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -226,7 +226,8 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 }
 }
 
-// To disable the WAF for GET and POST, uncomment this
+// To disable the WAF for GET and POST and PHP_SELF, uncomment this
+//define('NOSCANPHPSELFFORINJECTION', 1);
 //define('NOSCANGETFORINJECTION', 1);
 //define('NOSCANPOSTFORINJECTION', 1);
 
@@ -241,7 +242,7 @@ if (defined('NOREQUIREUSER') && !defined('NOREQUIREMENU')) {
 }
 
 // Sanity check on URL
-if (!empty($_SERVER["PHP_SELF"])) {
+if (!defined('NOSCANPHPSELFFORINJECTION') && !empty($_SERVER["PHP_SELF"])) {
 $morevaltochecklikepost = array($_SERVER["PHP_SELF"]);
 analyseVarsForSqlAndScriptsInjection($morevaltochecklikepost, 2);
 }
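Review bot: The new `!defined('NOSCANPHPSELFFORINJECTION')` guard in the second hunk switches off the only check these hunks show on `$_SERVER["PHP_SELF"]`, a value that includes client-supplied path information, and neither hunk documents what must hold once it is off. Because the test is `defined()`, the constant's value is ignored, so `define('NOSCANPHPSELFFORINJECTION', 0)` also disables the scan; that may match how the other NOSCAN* switches are tested, but their checks are outside these hunks. I would extend the comment in the first hunk with something like `// Warning: with a scan disabled, the page itself must escape PHP_SELF/GET/POST values wherever they are output or used in SQL.` and state there that any defined value, including 0, turns the scan off.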