From 85635cdeea66b032013a1fccafa79692f00925df Mon Sep 17 00:00:00 2001 From: Laurent Destailleur <eldy@users.sourceforge.net> Date: Fri, 1 Oct 2010 18:48:00 +0000 Subject: [PATCH] Allow to disable CSRF permission --- htdocs/conf/conf.php.example | 9 +++++++++ htdocs/master.inc.php | 11 +++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example index 69523435ff1..7064cc61ff8 100644 --- a/htdocs/conf/conf.php.example +++ b/htdocs/conf/conf.php.example @@ -181,6 +181,15 @@ $dolibarr_main_authentication='dolibarr'; # $dolibarr_main_force_https='0'; +# dolibarr_nocsrfcheck +# This parameter can be used to disable CSRF protection. +# This might be required if you access Dolibarr behind a proxy that make +# URL rewriting to avoid false alarms. +# Default value: 0 +# Possible values: 0 or 1 +# Examples: +# $dolibarr_nocsrfcheck='0'; +# ################## diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 2334ac73963..a17b55e7ead 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php 
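Review bot: The comment block added for `dolibarr_nocsrfcheck` presents the switch only as a cure for false alarms and does not say what is given up. Per the condition in htdocs/master.inc.php, a non-empty value skips the Host/Referer comparison for every non-GET request, for the whole instance. I would add a line such as `# With value 1, POST requests are no longer checked against the Referer header; prefer fixing the proxy so that Host and Referer agree.` and correct `proxy that make` to `proxy that makes`. The example value `'0'` is fine as written, since `empty('0')` is true in PHP and the check stays on.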
@@ -76,22 +76,21 @@ if (! $result && ! empty($_SERVER["GATEWAY_INTERFACE"])) // If install not do
 if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
 {
 //print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
- print "Access refused by CSRF protection in main.inc.php\n";
- print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.";
- exit;
+ print "Access refused by CSRF protection in main.inc.php.\n";
+ print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
+ die;
 }
-
 if (empty($dolibarr_main_db_host))
 {
 print 'Dolibarr setup was run but was not completed.<br>'."\n";
 print 'Please, click <a href="install/index.php">here to finish Dolibarr install process</a> ...'."\n";
- exit;
+ die;
 }
 if (empty($dolibarr_main_url_root))
 {
 print 'Value for parameter \'dolibarr_main_url_root\' is not defined in your \'htdocs\conf\conf.php\' file.<br>'."\n";
 print 'You must add this parameter with your full Dolibarr root Url (Example: http://myvirtualdomain/ or http://mydomain/mydolibarrurl/)'."\n";
- exit;
+ die;
 }
 if (empty($dolibarr_main_db_type)) $dolibarr_main_db_type='mysql'; // Pour compatibilite avec anciennes configs, si non defini, on prend 'mysql'
 if (empty($dolibarr_main_data_root))
--
GitLab
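Review bot: The Referer test in the first `if` of this hunk is an unanchored, case-insensitive `preg_match` of `HTTP_HOST` against the whole `HTTP_REFERER`, so it accepts any Referer that contains the host string anywhere (path or query included), not only one whose host component equals it; the commit edits the body of this block but leaves the condition as is. Comparing the host parsed out of the Referer with the Host header (port stripped) closes that gap, and sending a 403 status before the message makes the refusal visible to proxies and access logs; requests without a Referer are still let through, as before, which is a policy choice worth a comment. The message also names main.inc.php while the file patched here is htdocs/master.inc.php, which may be intentional if this file is always included from there. The hunk's last line, `if (empty($dolibarr_main_data_root))`, opens a statement that continues outside the hunk.

```php
// Compare the Referer's host component with the Host header instead of
// searching for the host string anywhere in the Referer URL.
$csrf_refhost = empty($_SERVER['HTTP_REFERER']) ? '' : (string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
$csrf_host = empty($_SERVER['HTTP_HOST']) ? '' : preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']);
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
    && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET'
    && $csrf_host !== '' && ! empty($_SERVER['HTTP_REFERER'])   // a missing Referer is still accepted, as before
    && strcasecmp($csrf_refhost, $csrf_host) != 0)
{
    header('HTTP/1.1 403 Forbidden');
    // … unchanged: the two print lines and die …
}
```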