FIX SEC Improve CSRF protection. Reduce usage of NOCSRFCHECK.
This commit is contained in:
Laurent Destailleur
parent
99a3cc6efc
commit
72e149e1a6
@ -22,10 +22,10 @@
|
||||
* \file htdocs/api/indexphp
|
||||
*
|
||||
* @todo User authentication with api_key
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
if (! defined("NOLOGIN")) define("NOLOGIN",'1');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
$res=0;
|
||||
if (! $res && file_exists("../main.inc.php")) $res=include '../main.inc.php';
|
||||
|
||||
@ -23,17 +23,6 @@
|
||||
* \brief File of page to resize photos
|
||||
*/
|
||||
|
||||
//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
|
||||
//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
|
||||
//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
|
||||
//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
|
||||
//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
|
||||
//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
|
||||
//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no menu to show
|
||||
//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
|
||||
//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
|
||||
//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
|
||||
|
||||
require '../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php';
|
||||
|
||||
@ -162,9 +162,12 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
|
||||
// Security: CSRF protection
|
||||
// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
|
||||
// when we post forms (we allow GET to allow direct link to access a particular page).
|
||||
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
|
||||
// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
|
||||
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
|
||||
&& ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
|
||||
&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
|
||||
{
|
||||
//print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
|
||||
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
|
||||
print "Access refused by CSRF protection in main.inc.php.\n";
|
||||
print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
|
||||
die;
|
||||
|
||||
@ -24,7 +24,7 @@
|
||||
* \brief Dolibarr home page
|
||||
*/
|
||||
|
||||
define('NOCSRFCHECK',1); // This is login page. We must be able to go on it from another web site.
|
||||
define('NOCSRFCHECK',1); // This is main home and login page. We must be able to go on it from another web site.
|
||||
|
||||
require 'main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
|
||||
|
||||
@ -23,18 +23,6 @@
|
||||
* Initialy built by build_class_from_table on 2016-05-17 12:22
|
||||
*/
|
||||
|
||||
//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
|
||||
//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
|
||||
//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
|
||||
//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
|
||||
//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
|
||||
//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
|
||||
//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
|
||||
//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
|
||||
//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
|
||||
//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
|
||||
//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
|
||||
|
||||
// Change this following line to use the correct relative path (../, ../../, etc)
|
||||
$res=0;
|
||||
if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
|
||||
|
||||
@ -22,18 +22,6 @@
|
||||
* Initialy built by build_class_from_table on 2016-05-17 12:22
|
||||
*/
|
||||
|
||||
//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
|
||||
//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
|
||||
//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
|
||||
//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
|
||||
//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
|
||||
//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
|
||||
//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
|
||||
//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
|
||||
//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
|
||||
//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
|
||||
//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
|
||||
|
||||
// Change this following line to use the correct relative path (../, ../../, etc)
|
||||
$res=0;
|
||||
if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2012 Florian Henry <florian.henry@open-concept.pro>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -14,16 +14,16 @@
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
* Path to WSDL is: http://localhost/dolibarr/webservices/server_actioncomm.php?wsdl
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file htdocs/webservices/server_actioncomm.php
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
* \version $Id: server_actioncomm.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once("../master.inc.php");
|
||||
require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -21,8 +21,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once("../master.inc.php");
|
||||
require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -21,8 +21,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once("../master.inc.php");
|
||||
require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2016 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -21,8 +21,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
|
||||
* Copyright (C) 2012 Regis Houssin <regis.houssin@capnetworks.com>
|
||||
*
|
||||
@ -22,9 +22,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -20,8 +20,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -23,8 +23,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2016 Ion Agorria <ion@agorria.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -21,8 +21,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -20,8 +20,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -20,8 +20,7 @@
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -18,11 +18,9 @@
|
||||
/**
|
||||
* \file htdocs/webservices/server_user.php
|
||||
* \brief File that is entry point to call Dolibarr WebServices
|
||||
* \version $Id: server_user.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
|
||||
*/
|
||||
|
||||
// This is to make Dolibarr working with Plesk
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
|
||||
|
||||
require_once '../master.inc.php';
|
||||
require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
|
||||
|
||||
Loading…
Reference in New Issue
Block a user