From 9a474602a8a0a67151aa81cfee02d059cf1aca5d Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 16 Mar 2021 11:58:03 +0100
Subject: [PATCH] Fix #yogosha5644

---
 htdocs/filefunc.inc.php | 4 ++--
 htdocs/index.php | 3 ++-
 htdocs/main.inc.php | 2 ++
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 35a97677f63..aff0ebad349 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -178,9 +178,9 @@ if (empty($dolibarr_strict_mode)) {
 
 // Security: CSRF protection
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
-// when we post forms (we allow GET to allow direct link to access a particular page).
+// when we post forms (we allow GET and HEAD to accept direct link from a particular page).
 // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
-// See also option $conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN for a stronger CSRF protection.
+// See also CSRF protections done into main.inc.php
 if (!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) {
 if (!empty($_SERVER['REQUEST_METHOD']) && !in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD')) && !empty($_SERVER['HTTP_HOST'])) {
 $csrfattack = false;
diff --git a/htdocs/index.php b/htdocs/index.php
index debdec757cb..5485f9bc7be 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -24,7 +24,8 @@
  * \brief Dolibarr home page
  */
 
-define('NOCSRFCHECK', 1); // This is main home and login page. We must be able to go on it from another web site.
+
+define('CSRFCHECK_WITH_TOKEN', 1); // We force need to use a token to login when making a POST
 
 require 'main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 31fbc0ee4b3..54794909003 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
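Review bot: The rewritten pointer `// See also CSRF protections done into main.inc.php` drops the one identifier the old line carried, `$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN`, so a reader of filefunc.inc.php can no longer tell which setting or define turns on the token-based check. Since index.php in this same patch switches from `NOCSRFCHECK` to `CSRFCHECK_WITH_TOKEN`, both names belong here; suggest `// See also the token-based CSRF check in main.inc.php (MAIN_SECURITY_CSRF_WITH_TOKEN option, CSRFCHECK_WITH_TOKEN define).` It would also help to state on the line above the `if` that this referrer test only runs for non-GET/HEAD requests with a non-empty HTTP_HOST and is bypassed entirely when `NOCSRFCHECK` is defined or `$dolibarr_nocsrfcheck` is set, which is exactly what the `if` on the next two lines encodes. The `if` block continues past the end of the hunk.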
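Review bot: The new `define('CSRFCHECK_WITH_TOKEN', 1);` only hardens the login POST if main.inc.php actually reads that constant, and nothing in this patch shows it doing so: the main.inc.php hunk adds a comment only, and its header condition is cut off at `$conf->gl`. Confirm that the token check in main.inc.php fires for this page when `CSRFCHECK_WITH_TOKEN` is defined even when `MAIN_SECURITY_CSRF_WITH_TOKEN` is not enabled globally; otherwise removing `NOCSRFCHECK` leaves only the Referer/HTTP_HOST test from filefunc.inc.php in front of the login form. Because that Referer test now applies to this page, a login POST arriving without a Referer header is a regression case worth covering in a test, and whether filefunc.inc.php accepts an absent referrer is not visible here. The trailing comment would also read better if it stated the contract rather than the intent: `// Login POSTs on this page must carry a valid CSRF token (checked in main.inc.php)`.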
@@ -471,6 +471,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
 unset($_GET['massaction']);
 $_POST['id'] = ((int) $savid);
 }
+
+ // Note: There is another CSRF protection into the filefunc.inc.php
 }
 
 // Disable modules (this must be after session_start and after conf has been loaded)
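Review bot: The added `// Note: There is another CSRF protection into the filefunc.inc.php` names a file but not what that protection checks or when it is skipped, which is what a maintainer landing in this block needs. Suggest `// Note: filefunc.inc.php also compares HTTP_REFERER with HTTP_HOST for non-GET/HEAD requests; that check is skipped when NOCSRFCHECK is defined or $dolibarr_nocsrfcheck is set.`, all of which is stated by the filefunc.inc.php lines touched in this same patch. The enclosing `if ((!defined('NOCSRFCHECK') && ...` block starts outside the hunk, so whether this block also honours the `CSRFCHECK_WITH_TOKEN` define that index.php now sets cannot be confirmed from here.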