
Fix: Restore a security system broken by adding the alt feature.

This commit is contained in:
Laurent Destailleur
2010-12-27 19:13:06 +00:00
parent dfe9bbe286
commit 14e70e6e53
6 changed files with 31 additions and 16 deletions


@@ -79,13 +79,9 @@ function dol_loginfunction($langs,$conf,$mysoc)
$conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
$conf_css = DOL_URL_ROOT.$conf->css;
// Add real path in session name (we must do that to avoid conflict between two dolibarr instances)
$realpath='';
if ( preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name
// Set cookie for timeout management
$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
$prefix=dol_getprefix();
$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");