From 7285270f1cb856c34e48d7f0cd52669b8458610f Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sat, 16 May 2009 12:31:17 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20DOL=5FMAIN=5FURL=5FROOT=20est=20d=E9fini?= =?UTF-8?q?=20dans=20master.inc.php?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/main.inc.php | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ada51b38bf5..f448e343abc 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -107,13 +107,6 @@ function analyse_sql_injection(&$var)
 analyse_sql_injection($_GET);
 analyse_sql_injection($_POST);
-// Security: CSRF protection
-if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
-{
- unset($_GET);
- unset($_POST);
-}
-
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
@@ -121,6 +114,15 @@ set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 // This include will set: $conf, $langs and $mysoc objects
 require_once("master.inc.php");
+// Security: CSRF protection
+//print 'HTTP_REFERER='.$_SERVER['HTTP_REFERER'].'
';
+//print 'DOL_MAIN_URL_ROOT='.DOL_MAIN_URL_ROOT.'
';
+if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
+{
+ unset($_GET);
+ unset($_POST);
+}
+
 // Check if HTTPS
 if ($conf->file->main_force_https)
 {
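Review bot: The `eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER'])` test in the added `if` is an unanchored, case-insensitive regex search, so it accepts any Referer that merely contains the root URL somewhere in the header, and the dots in the host name match any character. An anchored literal comparison is stricter, for example rejecting when `strpos($_SERVER['HTTP_REFERER'], DOL_MAIN_URL_ROOT.'/') !== 0`, assuming the constant carries no trailing slash. Because the block now sits after `require_once("master.inc.php")`, anything that include reads from `$_GET` or `$_POST` runs before the check; that file is not visible here, so this needs confirming. `unset()` also leaves `$_REQUEST` populated and a request with no Referer skips the check entirely, so a per-session token would be the more reliable control. The two commented-out `print` debug lines are better dropped than committed.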