From d29968a15f3fbac82e37755bd4dd1f9285764950 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Fri, 1 Oct 2010 18:26:48 +0000
Subject: [PATCH] Comment to tell how disable CSRF check

---
 htdocs/main.inc.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 392f3210924..d7530be3600 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -114,10 +114,12 @@ analyse_sql_and_script($_POST);
 // Security: CSRF protection
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
 // when we post forms (we allow GET to allow direct link to access a particular page).
-if (! defined('NOCSRFCHECK') && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
+// TODO If CSRF check fails on some setup with proxy rewriting, we need to move this part into master.inc.php after include of conf.php
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERVER['HTTP_REFERER']) && ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))
 {
 	//print 'HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-	print 'Access refused by CSRF protection in main.inc.php.';
+	print "Access refused by CSRF protection in main.inc.php\n";
+	//print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.";
 	exit;
 }
 
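Review bot: The new `empty($dolibarr_nocsrfcheck)` term on the rewritten `if` reads a bare global that, per the TODO added just above it, comes from a conf.php that is only included later in master.inc.php; if that is so, the variable is still unset here, `empty()` is always true, and the documented workaround of setting it in conf.php cannot take effect, while any earlier code (or legacy register_globals) that happens to populate a global of that name would silently switch the CSRF check off. Either move the check after conf.php is loaded as the TODO proposes, or key the bypass on a defined constant only (the existing `defined('NOCSRFCHECK')`) rather than on a global variable. The workaround is also only discoverable in the commented-out `print`; if the switch is kept, a comment above the `if` such as `// Set $dolibarr_nocsrfcheck=1 in conf.php to disable this check (only when a proxy rewrites HTTP_REFERER)` would document it where it is read. Separately, the rewritten condition keeps the unanchored `preg_match` of HTTP_HOST anywhere inside HTTP_REFERER and still skips the check when the referer is empty, so the protection is weaker than the comment block suggests; that predates this commit but is worth a note at the same place.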
-- 
GitLab