From dfe9bbe286e7000bf65ab7984940aac2ae73e13a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 27 Dec 2010 18:59:11 +0000
Subject: [PATCH] Fi:x Restore a security system broken by adding alt feature.
---
 htdocs/lib/security.lib.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index fe56be43f29..2e75cea5a62 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -79,8 +79,13 @@ function dol_loginfunction($langs,$conf,$mysoc)
 $conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
 $conf_css = DOL_URL_ROOT.$conf->css;
+ // Add real path in session name (we must do that to avoid conflict between two dolibarr instances)
+ $realpath='';
+ if ( preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
+ if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name
+
 // Set cookie for timeout management
- $sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+ $sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
 if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");
@@ -112,7 +117,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 if (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE))
 {
- $entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+ $entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 if (isset($_COOKIE[$entityCookieName]))
 {
 include_once(DOL_DOCUMENT_ROOT . "/core/class/cookie.class.php");
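Review bot: The character class in `'/^([^.]+)\/htdocs\//i'` cannot cross a dot, so on any install whose path contains a dot before the `htdocs` segment (a versioned directory name, a hidden-directory component) the match fails, `$realpath` silently stays `''`, and `$sessiontimeout` falls back to the pre-patch `md5(SERVER_NAME . DOCUMENT_ROOT)` name — the cross-instance isolation this commit restores is then lost with no trace. The same fallback reaches the `DOLENTITYID_` cookie name in the second hunk, which reuses `$realpath`. A pattern that only requires the `/htdocs/` segment, plus a cast to guard against `realpath()` returning `false` when the script path cannot be resolved, avoids both: `if (preg_match('#^(.+)/htdocs/#i', (string) realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = $regs[1];`. Since the `DOL_DOCUMENT_ROOT_ALT` line already carries an inline warning for its degraded case, the no-match case deserves the same comment so the next reader knows the cookie names are shared again. dol_loginfunction begins before this hunk and continues past it.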