Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix: Fix security holes

Browse Source
This commit is contained in:
Laurent Destailleur
2010-12-27 19:45:16 +00:00
parent 9a4c903211
commit da484f8524
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/lib/functions.lib.php
View File

@@ -67,6 +67,7 @@ function GETPOST($paramname,$check='',$method=0)
/** /**
* Return a prefix to use for this Dolibarr instance for session or cookie names. * Return a prefix to use for this Dolibarr instance for session or cookie names.
* This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs. * This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs.
* TODO This function is not called by main.inc.php because function is not included yet
* @return string A calculated prefix * @return string A calculated prefix
*/ */
function dol_getprefix() function dol_getprefix()
@@ -80,7 +81,7 @@ function dol_getprefix()
// Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another // Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
// FIXME The fix is to use only "root url" like the one defined into $dolibarr_main_url_root // FIXME The fix is to use only "root url" like the one defined into $dolibarr_main_url_root
} }
return $realpath; return md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
} }
/** /**

4
htdocs/main.inc.php
View File

@@ -125,8 +125,8 @@ $realpath='';
if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:''; if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
$prefix=$realpath; $prefix=$realpath;
$sessionname='DOLSESSID_'.$prefix; $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
$sessiontimeout='DOLSESSTIMEOUT_'.$prefix; $sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]); if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
session_name($sessionname); session_name($sessionname);
session_start(); session_start();