Fi:x Restore a security system broken by adding alt feature.

2215df18 · Laurent Destailleur · 14e70e6e · 2215df18
Commit 2215df18 authored 14 years ago by Laurent Destailleur
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -65,7 +65,8 @@ function GETPOST($paramname,$check='',$method=0)


 /**
- *  Return a prefix to use for this Dolibarr instance for session or cookie names
+ *  Return a prefix to use for this Dolibarr instance for session or cookie names.
+ *  This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs.
 *  @return         string      A calculated prefix
 */
 function dol_getprefix()
@@ -73,7 +74,12 @@ function dol_getprefix()
    // Add real path in session name
    $realpath='';
    if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
-    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT)
+    {
+        $realpath='';
+        // Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
+        // FIXME The fix is to use only "root url" as realpath like the one defined into $dolibarr_main_document_root
+    }
    return $realpath;
 }