diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 63fb8783530..31f3a97ff68 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -22,10 +22,10 @@
  * \file htdocs/api/indexphp
  *
  * @todo User authentication with api_key
- *
- *
  */
+
 if (! defined("NOLOGIN")) define("NOLOGIN",'1');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=include '../main.inc.php';
diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php
index 8a22e159cc7..85f98918530 100644
--- a/htdocs/core/photos_resize.php
+++ b/htdocs/core/photos_resize.php
@@ -23,17 +23,6 @@
  * \brief File of page to resize photos
  */
 
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no menu to show
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php';
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 5ff5535ac10..e7f407acfd2 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
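Review bot: The added `if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');` switches off the Referer check on an entry point that already sets `NOLOGIN`, while the `@todo User authentication with api_key` kept two lines above shows that per-request key authentication is still pending; as far as this hunk shows, a POST to the API is therefore accepted with neither a session check nor a referrer check. Whether something else gates the endpoint is not visible here, so the define should at least carry a comment that ties the bypass to that pending work, e.g. `// No session login and no Referer check here: every API request must authenticate itself (api_key, see @todo above)`. Until the api_key authentication lands, the pair NOLOGIN + NOCSRFCHECK is worth stating in the file header rather than only in a todo, so the dependency is not lost when the todo is closed.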
@@ -162,9 +162,12 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
 // Security: CSRF protection
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
 // when we post forms (we allow GET to allow direct link to access a particular page).
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
+// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
+	&& ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
+	&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
 {
-	//print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
 	print "Access refused by CSRF protection in main.inc.php.\n";
 	print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
 	die;
diff --git a/htdocs/index.php b/htdocs/index.php
index faa2eb9dcee..86733c21bcb 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
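Review bot: The referrer test on the new `&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match(...))` line is still a substring match: `preg_quote($_SERVER['HTTP_HOST'],'/')` is searched anywhere in the Referer, so any referrer whose host, path or query merely contains the site's host name passes, and `HTTP_HOST` is itself taken from the request rather than from configuration. Compare host to host instead, e.g. `$refhost = (string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);`, `$reqhost = preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']);` and refuse when `strcasecmp($refhost, $reqhost) !== 0`, keeping the new rejection of an empty Referer. Rejecting an empty Referer also refuses POSTs from clients that suppress the header (a no-referrer policy, some proxies), which is presumably why the hint about `$dolibarr_nocsrfcheck` is printed; when an `Origin` header is present it is the better value to check before refusing, since browsers send it on cross-site POSTs even when the Referer is stripped. The closing brace of this `if` block lies outside the hunk.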
@@ -24,7 +24,7 @@
  * \brief Dolibarr home page
  */
 
-define('NOCSRFCHECK',1); // This is login page. We must be able to go on it from another web site.
+define('NOCSRFCHECK',1); // This is main home and login page. We must be able to go on it from another web site.
 
 require 'main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
diff --git a/htdocs/product/stock/productlot_card.php b/htdocs/product/stock/productlot_card.php
index b750db87234..8cfeb861737 100644
--- a/htdocs/product/stock/productlot_card.php
+++ b/htdocs/product/stock/productlot_card.php
@@ -23,18 +23,6 @@
  * Initialy built by build_class_from_table on 2016-05-17 12:22
  */
 
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
-//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 // Change this following line to use the correct relative path (../, ../../, etc)
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php
index a4ea70f9c2d..6c3cdc22f6f 100644
--- a/htdocs/product/stock/productlot_list.php
+++ b/htdocs/product/stock/productlot_list.php
@@ -22,18 +22,6 @@
  * Initialy built by build_class_from_table on 2016-05-17 12:22
  */
 
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
-//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 // Change this following line to use the correct relative path (../, ../../, etc)
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
diff --git a/htdocs/webservices/server_actioncomm.php b/htdocs/webservices/server_actioncomm.php
index a5df31c2a7e..99e8ea59e6f 100644
--- a/htdocs/webservices/server_actioncomm.php
+++ b/htdocs/webservices/server_actioncomm.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2012 Florian Henry
  *
  * This program is free software; you can redistribute it and/or modify
@@ -14,16 +14,16 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see .
+ *
+ * Path to WSDL is: http://localhost/dolibarr/webservices/server_actioncomm.php?wsdl
  */
 
 /**
  * \file htdocs/webservices/server_actioncomm.php
  * \brief File that is entry point to call Dolibarr WebServices
- * \version $Id: server_actioncomm.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
diff --git a/htdocs/webservices/server_category.php b/htdocs/webservices/server_category.php
index 2bf914ebd38..9ef07dda952 100644
--- a/htdocs/webservices/server_category.php
+++ b/htdocs/webservices/server_category.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2012 JF FERRY
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
diff --git a/htdocs/webservices/server_contact.php b/htdocs/webservices/server_contact.php
index 8a12c288d55..cab58268f57 100644
--- a/htdocs/webservices/server_contact.php
+++ b/htdocs/webservices/server_contact.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2012 JF FERRY
  *
  * This program is free software; you can redistribute it and/or modify
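Review bot: The new `if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');` disables the Referer-based CSRF check for this SOAP endpoint without saying why, and the same line is added with the same silence to server_category.php, server_contact.php, server_invoice.php, server_order.php, server_other.php, server_productorservice.php, server_project.php, server_supplier_invoice.php, server_thirdparty.php and server_user.php. The bypass is only sound if each call is authenticated from the request body rather than from a browser session cookie, which is presumably how these NuSOAP services work but is not visible in the hunk; please confirm and record it next to the define, e.g. `// SOAP clients send no Referer: the CSRF check is skipped because every call authenticates itself in the request, not via the session cookie`. Since the constant is now repeated in eleven files, the define could live in a shared webservices include so that a later change of policy happens in one place. The added `Path to WSDL is: http://localhost/dolibarr/...` comment is an example location rather than the real one; label it as an example so nobody reads it as configuration.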
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
diff --git a/htdocs/webservices/server_invoice.php b/htdocs/webservices/server_invoice.php
index 04ce0c3cf48..54f5e3c564c 100644
--- a/htdocs/webservices/server_invoice.php
+++ b/htdocs/webservices/server_invoice.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2016 Juanjo Menent
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_order.php b/htdocs/webservices/server_order.php
index de72af93b61..f477ccfed9c 100644
--- a/htdocs/webservices/server_order.php
+++ b/htdocs/webservices/server_order.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2012 JF FERRY
  * Copyright (C) 2012 Regis Houssin
  *
@@ -22,9 +22,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_other.php b/htdocs/webservices/server_other.php
index ba948d463ea..8ac519ae87e 100644
--- a/htdocs/webservices/server_other.php
+++ b/htdocs/webservices/server_other.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php
index aa43dbb185c..385c7dc3b95 100644
--- a/htdocs/webservices/server_productorservice.php
+++ b/htdocs/webservices/server_productorservice.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2012 JF FERRY
  *
  * This program is free software; you can redistribute it and/or modify
@@ -23,8 +23,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_project.php b/htdocs/webservices/server_project.php
index 8838f726d63..5400e069c3f 100644
--- a/htdocs/webservices/server_project.php
+++ b/htdocs/webservices/server_project.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  * Copyright (C) 2016 Ion Agorria
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_supplier_invoice.php b/htdocs/webservices/server_supplier_invoice.php
index fea871ac077..ea162ef2a8b 100644
--- a/htdocs/webservices/server_supplier_invoice.php
+++ b/htdocs/webservices/server_supplier_invoice.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_thirdparty.php b/htdocs/webservices/server_thirdparty.php
index 50b8e80e363..6b2c94a36fd 100644
--- a/htdocs/webservices/server_thirdparty.php
+++ b/htdocs/webservices/server_thirdparty.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php
index 6339486922f..c4d8ce08724 100644
--- a/htdocs/webservices/server_user.php
+++ b/htdocs/webservices/server_user.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2006-2016 Laurent Destailleur
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -18,11 +18,9 @@
 /**
  * \file htdocs/webservices/server_user.php
  * \brief File that is entry point to call Dolibarr WebServices
- * \version $Id: server_user.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
  */
 
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP