From 14e70e6e537f69b1a8f310518d22f62115971db6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Mon, 27 Dec 2010 19:13:06 +0000
Subject: [PATCH] Fi:x Restore a security system broken by adding alt feature.

---
 htdocs/compta/bank/pre.inc.php |  6 +++---
 htdocs/lib/functions.lib.php   | 14 ++++++++++++++
 htdocs/lib/security.lib.php    |  8 ++------
 htdocs/main.inc.php            | 11 +++++++----
 htdocs/master.inc.php          |  3 ++-
 htdocs/user/logout.php         |  5 +++--
 6 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/htdocs/compta/bank/pre.inc.php b/htdocs/compta/bank/pre.inc.php
index c653d399646..d9910938a84 100644
--- a/htdocs/compta/bank/pre.inc.php
+++ b/htdocs/compta/bank/pre.inc.php
@@ -67,15 +67,15 @@ function llxHeader($head = '', $title='', $help_url='', $target='', $disablejs=0
 			$numr = $db->num_rows($resql);
 			$i = 0;
 
-			if ($numr > 0) 	$menu->add(DOL_URL_ROOT."/compta/bank/index.php",$langs->trans("BankAccounts"),0,$user->rights->banque->lire);
+			if ($numr > 0) 	$menu->add(dol_buildpath('/compta/bank/index.php',1),$langs->trans("BankAccounts"),0,$user->rights->banque->lire);
 
 			while ($i < $numr)
 			{
 				$objp = $db->fetch_object($resql);
-				$menu->add_submenu(DOL_URL_ROOT."/compta/bank/fiche.php?id=".$objp->rowid,$objp->label,1,$user->rights->banque->lire);
+				$menu->add_submenu(dol_buildpath('/compta/bank/fiche.php?id='.$objp->rowid,1),$objp->label,1,$user->rights->banque->lire);
                 if ($objp->rappro && $objp->courant != 2)  // If not cash account and can be reconciliate
                 {
-				    $menu->add_submenu(DOL_URL_ROOT.'/compta/bank/rappro.php?account='.$objp->rowid,$langs->trans("Conciliate"),2,$user->rights->banque->consolidate);
+				    $menu->add_submenu(dol_buildpath('/compta/bank/rappro.php?account='.$objp->rowid,1),$langs->trans("Conciliate"),2,$user->rights->banque->consolidate);
                 }
 /*
 				$menu->add_submenu(DOL_URL_ROOT."/compta/bank/annuel.php?account=".$objp->rowid ,$langs->trans("IOMonthlyReporting"));
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index 535f35cbcf6..dca84a1f3ed 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -63,6 +63,20 @@ function GETPOST($paramname,$check='',$method=0)
     return $out;
 }
 
+
+/**
+ *  Return a prefix to use for this Dolibarr instance for session or cookie names
+ *  @return         string      A calculated prefix
+ */
+function dol_getprefix()
+{
+    // Add real path in session name
+    $realpath='';
+    if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
+    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+    return $realpath;
+}
+
 /**
  *	Make an include_once using default root and alternate root if it fails.
  * 	@param			relpath		Relative path to file (Ie: mydir/myfile, ../myfile, ...)
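Review bot: dol_getprefix() returns the captured path itself rather than a digest, so every session and cookie name built from it in security.lib.php, main.inc.php, master.inc.php and logout.php now embeds the server's filesystem path (an illustrative prefix would be `/var/www/dolibarr`) and no longer includes SERVER_NAME or DOCUMENT_ROOT, which the replaced `md5(...)` expressions did. Returning `md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);` keeps the names opaque and free of path characters while still separating instances, and needs no change at the call sites since each one only concatenates the prefix. The DOL_DOCUMENT_ROOT_ALT branch still blanks `$realpath`, so with the alternate root enabled all instances collapse to the same prefix, as the comment on that line itself states; hashing server name and document root at least keeps instances on different vhosts apart in that case. The docblock should also say what the value is derived from, e.g. `@return string Prefix derived from the install path (empty when DOL_DOCUMENT_ROOT_ALT is set)`.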
diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index 2e75cea5a62..d297804754d 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -79,13 +79,9 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	$conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
 	$conf_css = DOL_URL_ROOT.$conf->css;
 
-    // Add real path in session name (we must do that to avoid conflict between two dolibarr instances)
-    $realpath='';
-    if ( preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
-    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name
-
 	// Set cookie for timeout management
-	$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
+    $prefix=dol_getprefix();
+	$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 	if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
 
 	if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 779da407a86..847e1a4fe56 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -120,8 +120,9 @@ analyse_sql_and_script($_POST,0);
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+$prefix=dol_getprefix();
+$sessionname='DOLSESSID_'.$prefix;
+$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
 session_start();
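Review bot: The new `$prefix=dol_getprefix();` call runs before session_start() and relies on functions.lib.php already being loaded at this point; the hunk does not show that include, so it is worth confirming that main.inc.php (or what it requires earlier) pulls functions.lib.php in before session init, otherwise every request fails on an undefined function. The same ordering applies to the `dol_getprefix()` call added in logout.php. A short comment such as `// dol_getprefix() comes from lib/functions.lib.php, which must be loaded before session init` next to the call would document the dependency.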
@@ -548,7 +549,9 @@ if (! defined('NOLOGIN'))
 			include_once(DOL_DOCUMENT_ROOT."/core/class/cookie.class.php");
 
 			$entity = $_SESSION["dol_login"].'|'.$_POST["entity"];
-			$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+
+			$prefix=dol_getprefix();
+			$entityCookieName = 'DOLENTITYID_'.$prefix;
 			// TTL : is defined in the config page multicompany
 			$ttl = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_TTL) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_TTL : time()+60*60*8 );
 			// Cryptkey : will be created randomly in the config page multicompany
@@ -1065,7 +1068,7 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
 		if ($user->admin && ! $user->entity)
 		{
 			$res=@dol_include_once('/multicompany/class/actions_multicompany.class.php');
-		
+
 			if ($res)
 			{
 				//$mc = new ActionsMulticompany($db);
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 405e60515e9..1a3f38e6156 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -293,7 +293,8 @@ if (! defined('NOREQUIREDB'))
 	}
 	else
 	{
-		$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+		$prefix=dol_getprefix();
+	    $entityCookieName = 'DOLENTITYID_'.$prefix;
 		if (! empty($_COOKIE[$entityCookieName]) && ! empty($conf->file->cookie_cryptkey)) 						// Just for view specific login page
 		{
 			include_once(DOL_DOCUMENT_ROOT."/core/class/cookie.class.php");
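Review bot: The added line `$entityCookieName = 'DOLENTITYID_'.$prefix;` is indented with a tab followed by spaces while the surrounding block uses tabs only, and the same tab/space mix appears on the `$prefix=dol_getprefix();` line added in security.lib.php. Since `$prefix` is used only once in this block, the two added lines could be collapsed to `$entityCookieName = 'DOLENTITYID_'.dol_getprefix();` with the block's tab indentation. The enclosing if/else starts outside the hunk.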
diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php
index 2f29efe61aa..ef9dd2c408a 100644
--- a/htdocs/user/logout.php
+++ b/htdocs/user/logout.php
@@ -63,8 +63,9 @@ unset($_SESSION['dol_login']);
 unset($_SESSION['dol_entity']);
 
 // Destroy session
-$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+$prefix=dol_getprefix();
+$sessionname='DOLSESSID_'.$prefix;
+$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
 session_destroy();
-- 
GitLab