diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 63fb87835305f10c69e967a1358669d3ed7f1fe7..31f3a97ff68a9da3a5de6fbe9a10f9b336383bb4 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -22,10 +22,10 @@
  * \file htdocs/api/indexphp
  *
  * @todo User authentication with api_key
- *
- *
  */
+
 if (! defined("NOLOGIN")) define("NOLOGIN",'1');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=include '../main.inc.php';
diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php
index 8a22e159cc71b4710b7026a9e9ea44634af85344..85f98918530cb50333abd3de2d11678b278ff248 100644
--- a/htdocs/core/photos_resize.php
+++ b/htdocs/core/photos_resize.php
@@ -23,17 +23,6 @@
  * \brief File of page to resize photos
  */
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no menu to show
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php';
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 5ff5535ac10788c02a43e8ae662f543166ba19ff..e7f407acfd2d8f85c6ed5a043a0c63271891925f 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
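Review bot: Defining NOCSRFCHECK right after NOLOGIN removes the only request-origin check this entry point had, while the @todo two lines above says api_key authentication is still unimplemented; until every call is authenticated per request rather than through the browser session, a cross-site POST to the API is indistinguishable from a legitimate one. Whether main.inc.php still attaches a session user here under NOLOGIN is not visible in the hunk, so that needs confirming before relying on the define. I would record the precondition next to it: `// NOCSRFCHECK: REST clients send no Referer header; acceptable only while no request is authorised from the session cookie (see @todo api_key above)`.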
@@ -162,9 +162,12 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
 // Security: CSRF protection
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
 // when we post forms (we allow GET to allow direct link to access a particular page).
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
+// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
+ && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
+ && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
 {
- //print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+ //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
 print "Access refused by CSRF protection in main.inc.php.\n";
 print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
 die;
diff --git a/htdocs/index.php b/htdocs/index.php
index faa2eb9dcee7977a266b009cef8e22db1d15dbec..86733c21bcb27bda4caf64066778b5c37077403b 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
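Review bot: The rewritten condition still accepts any Referer that merely contains the Host value somewhere in it, because `preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])` is unanchored; a referer whose path or query string carries the host name, or a longer hostname that ends with it, passes the check. Refusing an empty Referer is a good tightening, but the comparison itself should be host-to-host: take the referer host with parse_url and compare it case-insensitively against the Host header without its port. HTTP_HOST is client-supplied, as the added link points out, so the check is only as strong as the web server's virtual-host validation; the `$dolibarr_nocsrfcheck` opt-out for rewriting proxies keeps working unchanged, and the `{ ... die; }` body below needs no change.
```php
// … unchanged: CSRF comment block and the HTTP_HOST/SERVER_NAME note …
$refererhost = empty($_SERVER['HTTP_REFERER']) ? '' : (string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
$requesthost = empty($_SERVER['HTTP_HOST']) ? '' : (string) parse_url('http://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST);	// same parser on both sides: drops :port, keeps IPv6 brackets
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
	&& ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
	&& ($refererhost === '' || strcasecmp($refererhost, $requesthost) !== 0))
{
```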
@@ -24,7 +24,7 @@
  * \brief Dolibarr home page
  */
-define('NOCSRFCHECK',1); // This is login page. We must be able to go on it from another web site.
+define('NOCSRFCHECK',1); // This is main home and login page. We must be able to go on it from another web site.
 require 'main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
diff --git a/htdocs/product/stock/productlot_card.php b/htdocs/product/stock/productlot_card.php
index b750db872342eba7e45bd65573b7407c9e2ed2c0..8cfeb8617378fc0e11728f820ec499c3f2dd5d44 100644
--- a/htdocs/product/stock/productlot_card.php
+++ b/htdocs/product/stock/productlot_card.php
@@ -23,18 +23,6 @@
  * Initialy built by build_class_from_table on 2016-05-17 12:22
  */
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
-//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 // Change this following line to use the correct relative path (../, ../../, etc)
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php
index a4ea70f9c2d81c0196d74c997d2b934bf4ea038f..6c3cdc22f6f32b531a00e69e5987fea1f60f97cd 100644
--- a/htdocs/product/stock/productlot_list.php
+++ b/htdocs/product/stock/productlot_list.php
@@ -22,18 +22,6 @@
  * Initialy built by build_class_from_table on 2016-05-17 12:22
  */
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check anti CSRF attack test
-//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not check anti POST attack test
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
-
 // Change this following line to use the correct relative path (../, ../../, etc)
 $res=0;
 if (! $res && file_exists("../main.inc.php")) $res=@include '../main.inc.php'; // to work if your module directory is into dolibarr root htdocs directory
diff --git a/htdocs/webservices/server_actioncomm.php b/htdocs/webservices/server_actioncomm.php
index a5df31c2a7ec905195502cf1bd11a8954ae978c6..99e8ea59e6f92028134816767a21d0c2a033c543 100644
--- a/htdocs/webservices/server_actioncomm.php
+++ b/htdocs/webservices/server_actioncomm.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2012 Florian Henry <florian.henry@open-concept.pro>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -14,16 +14,16 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Path to WSDL is: http://localhost/dolibarr/webservices/server_actioncomm.php?wsdl
  */
 /**
  * \file htdocs/webservices/server_actioncomm.php
  * \brief File that is entry point to call Dolibarr WebServices
- * \version $Id: server_actioncomm.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
diff --git a/htdocs/webservices/server_category.php b/htdocs/webservices/server_category.php
index 2bf914ebd384003e5ffa47a8571f2319f23ab9c8..9ef07dda9521abf9e8d619894346d34422828a81 100644
--- a/htdocs/webservices/server_category.php
+++ b/htdocs/webservices/server_category.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
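Review bot: Unconditionally defining NOCSRFCHECK in server_actioncomm.php, and identically in server_category.php, server_contact.php, server_invoice.php, server_order.php, server_other.php, server_productorservice.php, server_project.php, server_supplier_invoice.php, server_thirdparty.php and server_user.php, switches off the referer check for every POST these SOAP endpoints receive, and the hunk records no reason for it. SOAP clients send no Referer, so the define is needed once filefunc.inc.php starts refusing referer-less POSTs, but it is only safe if master.inc.php never authorises a call from the browser session cookie and each method validates the credentials carried in the request; neither is visible here and both are worth confirming. I would state the assumption beside the define: `// No referer CSRF check: SOAP clients send none; every call must authenticate from its own credentials, never from a session cookie`.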
diff --git a/htdocs/webservices/server_contact.php b/htdocs/webservices/server_contact.php
index 8a12c288d559e39b0e7d34c5c180610920cc1966..cab58268f57667cffea00bd723f8c893ce3802d6 100644
--- a/htdocs/webservices/server_contact.php
+++ b/htdocs/webservices/server_contact.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once("../master.inc.php");
 require_once(NUSOAP_PATH.'/nusoap.php'); // Include SOAP
diff --git a/htdocs/webservices/server_invoice.php b/htdocs/webservices/server_invoice.php
index 04ce0c3cf48b199e8ffc8fc4d31e2a2973dbeb72..54f5e3c564c388b2216519e27153fac68d6feafa 100644
--- a/htdocs/webservices/server_invoice.php
+++ b/htdocs/webservices/server_invoice.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2016 Juanjo Menent <jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_order.php b/htdocs/webservices/server_order.php
index de72af93b615b169d922aa81c0b499b2afe0700b..f477ccfed9cf66d2a3f0366b168f964d98ef2637 100644
--- a/htdocs/webservices/server_order.php
+++ b/htdocs/webservices/server_order.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
  * Copyright (C) 2012 Regis Houssin <regis.houssin@capnetworks.com>
  *
@@ -22,9 +22,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_other.php b/htdocs/webservices/server_other.php
index ba948d463eadea4608badce26cb00f534309dc92..8ac519ae87e61545f3245dcb8fa4cf681e0c327e 100644
--- a/htdocs/webservices/server_other.php
+++ b/htdocs/webservices/server_other.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php
index aa43dbb185c0ed1e3d24d00ab364001cc5f65446..385c7dc3b9584099d3c70b18c1d9340bf07e4659 100644
--- a/htdocs/webservices/server_productorservice.php
+++ b/htdocs/webservices/server_productorservice.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2012 JF FERRY <jfefe@aternatik.fr>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -23,8 +23,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_project.php b/htdocs/webservices/server_project.php
index 8838f726d630728b8caf125af351312d54f871a7..5400e069c3fe07d9ca4db974ef734545bbaadecf 100644
--- a/htdocs/webservices/server_project.php
+++ b/htdocs/webservices/server_project.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  * Copyright (C) 2016 Ion Agorria <ion@agorria.com>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -21,8 +21,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_supplier_invoice.php b/htdocs/webservices/server_supplier_invoice.php
index fea871ac077561c2409c654bd4e363997575be17..ea162ef2a8bae97bf781560ba39375fe7f03b3dd 100644
--- a/htdocs/webservices/server_supplier_invoice.php
+++ b/htdocs/webservices/server_supplier_invoice.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_thirdparty.php b/htdocs/webservices/server_thirdparty.php
index 50b8e80e363e8c2505d430358da6fab0664d018f..6b2c94a36fd1ebf341c4e94c0f11a5e03a47653c 100644
--- a/htdocs/webservices/server_thirdparty.php
+++ b/htdocs/webservices/server_thirdparty.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
  * \brief File that is entry point to call Dolibarr WebServices
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php
index 6339486922fc144cf7a76a7c164d4d7c3908b393..c4d8ce08724e0752d92f4a571288174968b52a85 100644
--- a/htdocs/webservices/server_user.php
+++ b/htdocs/webservices/server_user.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2011 Laurent Destailleur <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -18,11 +18,9 @@
 /**
  * \file htdocs/webservices/server_user.php
  * \brief File that is entry point to call Dolibarr WebServices
- * \version $Id: server_user.php,v 1.7 2010/12/19 11:49:37 eldy Exp $
  */
-// This is to make Dolibarr working with Plesk
-set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
 require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP