diff options
| author | thomascube <thomas@roundcube.net> | 2011-02-03 22:08:03 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2011-02-03 22:08:03 +0000 |
| commit | 784a425e07f8b249b44137eadfe2a5dfe436aaeb (patch) | |
| tree | f20c33632b6e0f69319601c78dd86b70291d92da | |
| parent | 6ec4658f7230424245a6441fc910108866be26ab (diff) | |
protect login form submission from CSRF using a request token
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | index.php | 9 | ||||
| -rw-r--r-- | program/include/rcube_session.php | 1 |
3 files changed, 8 insertions, 3 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Security: protect login form submission from CSRF - Security: prevent from relaying malicious requests through modcss.inc - Fix handling of non-image attachments in multipart/related messages (#1487750) - Fix IDNA support when IDN/INTL modules are in use (#1487742) @@ -75,6 +75,8 @@ $RCMAIL->action = $startup['action']; // try to log in if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { + $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login'); + // purge the session in case of new login when a session already exists $RCMAIL->kill_session(); @@ -84,13 +86,14 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { 'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, $RCMAIL->config->get('password_charset', 'ISO-8859-1')), 'cookiecheck' => true, + 'valid' => $request_valid, )); // check if client supports cookies if ($auth['cookiecheck'] && empty($_COOKIE)) { $OUTPUT->show_message("cookiesdisabled", 'warning'); } - else if ($_SESSION['temp'] && !$auth['abort'] && + else if ($auth['valid'] && !$auth['abort'] && !empty($auth['host']) && !empty($auth['user']) && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) { // create new session ID @@ -123,7 +126,7 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { else { $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1; - $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning'); + $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning'); $RCMAIL->plugins->exec_hook('login_failed', array( 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'])); $RCMAIL->kill_session(); @@ -167,7 +170,7 @@ if (empty($RCMAIL->user->ID)) { ); } - $OUTPUT->set_env('task', 'login'); + $RCMAIL->set_task('login'); $OUTPUT->send('login'); } // CSRF prevention diff --git a/program/include/rcube_session.php b/program/include/rcube_session.php index 7384af39c..2bd663c83 100644 --- a/program/include/rcube_session.php +++ b/program/include/rcube_session.php @@ -253,6 +253,7 @@ class rcube_session */ public function kill() { + $this->vars = false; $this->destroy(session_id()); rcmail::setcookie($this->cookiename, '-del-', time() - 60); } |