lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CSRF test

Browse Source
This commit is contained in:
Laurent Destailleur 2018-04-06 20:06:05 +02:00
parent 35d2f0e441
commit ebb418fe3a
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/filefunc.inc.php
View File

@ -159,11 +159,11 @@ if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
{ {
$tmpa=parse_url($_SERVER['HTTP_HOST']); $tmpa=parse_url($_SERVER['HTTP_HOST']);
$tmpb=parse_url($_SERVER['HTTP_REFERER']); $tmpb=parse_url($_SERVER['HTTP_REFERER']);
if ($tmpa['host'] != $tmpb['host']) $csrfattack=true; if ((empty($tmpa['host'])?$tmpa['path']:$tmpa['host']) != (empty($tmpb['host'])?$tmpb['path']:$tmpb['host'])) $csrfattack=true;
} }
if ($csrfattack) if ($csrfattack)
{ {
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
die; die;