From 7948b0e0d337a320cd87078044bc5934e2ed1df6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Fri, 1 Oct 2010 18:33:07 +0000
Subject: [PATCH] Allow to disable CSRF permission

---
 htdocs/main.inc.php   | 12 ------------
 htdocs/master.inc.php | 18 +++++++++++++++---
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d7530be3600..797603e578c 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -111,18 +111,6 @@ function analyse_sql_and_script(&$var)
 analyse_sql_and_script($_GET);
 analyse_sql_and_script($_POST);
 
-// Security: CSRF protection
-// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
-// when we post forms (we allow GET to allow direct link to access a particular page).
-// TODO If CSRF check fails on some setup with proxy rewriting, we need to move this part into master.inc.php after include of conf.php
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
-{
-	//print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-	print "Access refused by CSRF protection in main.inc.php\n";
-	//print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.";
-	exit;
-}
-
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index d8786494e7e..2334ac73963 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -64,11 +64,23 @@ error_reporting(E_ALL ^ E_NOTICE);
 
 // Include configuration
 $result=@include_once("conf/conf.php");
-if (! $result && $_SERVER["GATEWAY_INTERFACE"])	// If install not done and we are in a web session
+if (! $result && ! empty($_SERVER["GATEWAY_INTERFACE"]))    // If install not done and we are in a web session
 {
-	header("Location: install/index.php");
-	exit;
+    header("Location: install/index.php");
+    exit;
 }
+
+// Security: CSRF protection
+// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
+// when we post forms (we allow GET to allow direct link to access a particular page).
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
+{
+    //print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+    print "Access refused by CSRF protection in main.inc.php\n";
+    print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.";
+    exit;
+}
+
 if (empty($dolibarr_main_db_host))
 {
 	print 'Dolibarr setup was run but was not completed.<br>'."\n";
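Review bot: The refusal message in the moved block still names the old location — `print "Access refused by CSRF protection in main.inc.php\n";` should read `print "Access refused by CSRF protection in master.inc.php\n";` now that the check lives in master.inc.php. The condition above it only looks for HTTP_HOST as an unanchored, case-insensitive substring of the whole Referer URL, and the whole check is skipped when no Referer header is present (`! empty($_SERVER['HTTP_REFERER'])`), so this is a coarse same-site heuristic rather than a strict origin comparison; a tighter form extracts the referrer's host with `parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)` and compares it to the host part of `$_SERVER['HTTP_HOST']` with `strcasecmp`, and the comment should state explicitly that requests without a Referer are deliberately let through. The second `print` also sends the `$dolibarr_nocsrfcheck` configuration hint to every client that trips the check; writing it with `error_log` and keeping the browser-facing text generic would serve the administrator just as well without describing the bypass switch to visitors.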
-- 
GitLab