Fix: CSRF check on referrer is a duplicate of the CSRF check on token. We keep token only
eldy committed Feb 6, 2023
1 parent ec9e8d3 commit 5bddb31
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion htdocs/conf/conf.php.example
@@ -302,7 +302,7 @@ $dolibarr_main_restrict_ip='';
// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms.
// In most cases, you should always keep this to 0.
// Default value: 0
// Possible values: 0 or 1
// Possible values: 0 or 1 (no strict CSRF test, only test on referer) or 2 (no CSRF test at all)
// Examples:
// $dolibarr_nocsrfcheck='0';
//
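Review bot: the new "Possible values" line documents a value 2 meaning "no CSRF test at all", but nothing in this commit touches main.inc.php, where the comment in filefunc.inc.php says the strict token check lives, so a reader of this diff cannot verify that main.inc.php actually skips its token check for 2 and keeps it for 1; please either include that change or point to the commit that added it. The surrounding comment also still says "In most cases, you should always keep this to 0" and the Examples block only shows `// $dolibarr_nocsrfcheck='0';`, so consider adding the two new values as examples with a one-line warning that 2 leaves every POST handler without any CSRF protection.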
2 changes: 1 addition & 1 deletion htdocs/filefunc.inc.php
@@ -206,7 +206,7 @@
// when we post forms (we allow GET and HEAD to accept direct link from a particular page).
// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
// See also CSRF protections done into main.inc.php
if (!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) {
if (!defined('NOCSRFCHECK') && isset($dolibarr_nocsrfcheck) && $dolibarr_nocsrfcheck == 1) { // If $dolibarr_nocsrfcheck is 0, there is a strict CSRF test with token in main
if (!empty($_SERVER['REQUEST_METHOD']) && !in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD')) && !empty($_SERVER['HTTP_HOST'])) {
$csrfattack = false;
if (empty($_SERVER['HTTP_REFERER'])) {
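Review bot: the new condition `isset($dolibarr_nocsrfcheck) && $dolibarr_nocsrfcheck == 1` turns the referer check from the default protection into something that only runs when the administrator has opted out of the token check, so the previous behaviour (referer validated whenever the option is 0 or unset) is gone and the token check in main.inc.php is now the only line of defence for the default configuration; the inline comment says so for 0 but should also state that an unset value and the value 2 both skip this block. Also prefer `(int) $dolibarr_nocsrfcheck === 1` over the loose `== 1`, since the value comes from a PHP config file as a string and loose comparison with strings behaves differently across PHP versions.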
