diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index 23852ae4918..1ac8978bbb8 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -176,6 +176,8 @@ if (empty($dolibarr_strict_mode)) { $dolibarr_strict_mode = 0; // For debug in php strict mode } +define('DOL_DOCUMENT_ROOT', $dolibarr_main_document_root); // Filesystem core php (htdocs) + // Security: CSRF protection // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST']) // when we post forms (we allow GET and HEAD to accept direct link from a particular page). @@ -196,6 +198,7 @@ if (!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) { if ($csrfattack) { //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; // Note: We can't use dol_escape_htmltag here to escape output because lib functions.lib.ph is not yet loaded. + include_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php'; dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (Bad referer).", LOG_WARNING); print "Access refused by CSRF protection in main.inc.php. Referer of form (".htmlentities($_SERVER['HTTP_REFERER'], ENT_COMPAT, 'UTF-8').") is outside the server that serve this page (with method = ".htmlentities($_SERVER['REQUEST_METHOD'], ENT_COMPAT, 'UTF-8').").\n"; print "If you access your server behind a proxy using url rewriting, you might check that all HTTP headers are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file to remove this security check).\n"; @@ -228,7 +231,6 @@ if (empty($dolibarr_main_data_root)) { // Define some constants define('DOL_CLASS_PATH', 'class/'); // Filesystem path to class dir (defined only for some code that want to be compatible with old versions without this parameter) define('DOL_DATA_ROOT', $dolibarr_main_data_root); // Filesystem data (documents) -define('DOL_DOCUMENT_ROOT', $dolibarr_main_document_root); // Filesystem core php (htdocs) // Try to autodetect DOL_MAIN_URL_ROOT and DOL_URL_ROOT. // Note: autodetect works only in case 1, 2, 3 and 4 of phpunit test CoreTest.php. For case 5, 6, only setting value into conf.php will works. $tmp = '';