diff options
author | thomascube <thomas@roundcube.net> | 2011-03-22 07:49:43 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2011-03-22 07:49:43 +0000 |
commit | ec045b0a24bbb0de2b203961b453a9f5bd640f34 (patch) | |
tree | 5e54169b90512bd0a4dda9fc517f21eb518540eb | |
parent | a8d7c659f1b343d2f0d6c954fcd3e0688e512736 (diff) |
Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | index.php | 6 | ||||
-rw-r--r-- | program/include/rcmail.php | 11 | ||||
-rw-r--r-- | program/js/app.js | 2 |
4 files changed, 8 insertions, 12 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Stateless request tokens. No keep-alive necessary on login page (#1487829) - PEAR::Net_SMTP 1.5.1 - Allow multiple concurrent compose sessions - Force names of unique constraints in PostgreSQL DDL @@ -154,9 +154,7 @@ else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != // not logged in -> show login page if (empty($RCMAIL->user->ID)) { - if ($RCMAIL->action == 'keep-alive') - $OUTPUT->send(); - else if ($OUTPUT->ajax_call) + if ($OUTPUT->ajax_call) $OUTPUT->redirect(array(), 2000); if (!empty($_REQUEST['_framed'])) @@ -184,7 +182,7 @@ else { // check client X-header to verify request origin if ($OUTPUT->ajax_call) { - if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { + if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } diff --git a/program/include/rcmail.php b/program/include/rcmail.php index d9bb30bbe..0fc744605 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -1106,12 +1106,8 @@ class rcmail */ public function get_request_token() { - $key = $this->task; - - if (!$_SESSION['request_tokens'][$key]) - $_SESSION['request_tokens'][$key] = md5(uniqid($key . mt_rand(), true)); - - return $_SESSION['request_tokens'][$key]; + $sess_id = $_COOKIE[ini_get('session.name')]; + return md5('RT' . $this->task . $this->config->get('des_key') . $sess_id); } @@ -1124,7 +1120,8 @@ class rcmail public function check_request($mode = RCUBE_INPUT_POST) { $token = get_input_value('_token', $mode); - return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token; + $sess_id = $_COOKIE[ini_get('session.name')]; + return !empty($sess_id) && $token == $this->get_request_token(); } diff --git a/program/js/app.js b/program/js/app.js index ebbbae24b..384f45f80 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -5431,7 +5431,7 @@ function rcube_webmail() if (this.env.keep_alive && !this.env.framed && this.task == 'mail' && this.gui_objects.mailboxlist) this._int = setInterval(function(){ ref.check_for_recent(false); }, this.env.keep_alive * 1000); - else if (this.env.keep_alive && !this.env.framed && this.env.action != 'print') + else if (this.env.keep_alive && !this.env.framed && this.task != 'login' && this.env.action != 'print') this._int = setInterval(function(){ ref.send_keep_alive(); }, this.env.keep_alive * 1000); }; |