Fix: CSRF protection is enabled only if MAIN_SECURITY_CSRF is set.

This commit is contained in:
Laurent Destailleur 2009-09-14 01:56:24 +00:00
parent d9e82272cf
commit 5d9e35a3ed


@ -201,13 +201,13 @@ if (! defined('NOTOKENRENEWAL'))
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
$_SESSION['newtoken'] = $token;
}
if (empty($conf->global->MAIN_FEATURES_LEVEL)) // Check validity of token, only if not a dev instance (this make developper tests no more working)
if (! empty($conf->global->MAIN_SECURITY_CSRF)) // Check validity of token, only if not option enabled (this option breaks some features sometimes)
{
if (isset($_POST['token']) && isset($_SESSION['token']))
{
if (($_POST['token'] != $_SESSION['token']))
{
dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token']=".$_SESSION['token']);
dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token']=".$_SESSION['token'],LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
unset($_POST);
}
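Review bot: A forged POST that simply omits the `token` field never reaches the comparison, because the `isset($_POST['token']) && isset($_SESSION['token'])` guard two lines below the new `MAIN_SECURITY_CSRF` condition skips the whole check instead of treating a missing token as invalid, and an attacker controls which fields the forged form sends, so the protection is bypassed even when the option is on. Unless other code paths rely on token-less POSTs (I cannot tell from this hunk), the guard should read `if (isset($_SESSION['token']) && (! isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']))`, with `!==` replacing the loose `!=` so that two numeric-looking strings are not compared as numbers. The new LOG_WARNING line also writes both the submitted and the session token into syslog and reads `$_SERVER['HTTP_REFERER']` and `$_POST['action']` unconditionally; the session token is a secret and does not belong in logs, so log only the action and referer, e.g. `dol_syslog("Invalid CSRF token, action=".(isset($_POST['action'])?$_POST['action']:'').", referer=".(isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:''), LOG_WARNING);`. Note that after this commit the check runs only when the option is set, so an installation that never sets `MAIN_SECURITY_CSRF` has no token validation at all. The enclosing `if (! defined('NOTOKENRENEWAL'))` block and the closing braces of the `isset` and option conditions lie outside the hunk.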