summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2011-03-22 07:49:43 +0000
committerthomascube <thomas@roundcube.net>2011-03-22 07:49:43 +0000
commitec045b0a24bbb0de2b203961b453a9f5bd640f34 (patch)
tree5e54169b90512bd0a4dda9fc517f21eb518540eb
parenta8d7c659f1b343d2f0d6c954fcd3e0688e512736 (diff)
Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829
-rw-r--r--CHANGELOG1
-rw-r--r--index.php6
-rw-r--r--program/include/rcmail.php11
-rw-r--r--program/js/app.js2
4 files changed, 8 insertions, 12 deletions
diff --git a/CHANGELOG b/CHANGELOG
index e43f7e075..c8d7bdf9a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Stateless request tokens. No keep-alive necessary on login page (#1487829)
- PEAR::Net_SMTP 1.5.1
- Allow multiple concurrent compose sessions
- Force names of unique constraints in PostgreSQL DDL
diff --git a/index.php b/index.php
index 21d5d859a..6cf833e4b 100644
--- a/index.php
+++ b/index.php
@@ -154,9 +154,7 @@ else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action !=
// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {
- if ($RCMAIL->action == 'keep-alive')
- $OUTPUT->send();
- else if ($OUTPUT->ajax_call)
+ if ($OUTPUT->ajax_call)
$OUTPUT->redirect(array(), 2000);
if (!empty($_REQUEST['_framed']))
@@ -184,7 +182,7 @@ else {
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
- if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+ if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
header('HTTP/1.1 404 Not Found');
die("Invalid Request");
}
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index d9bb30bbe..0fc744605 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1106,12 +1106,8 @@ class rcmail
*/
public function get_request_token()
{
- $key = $this->task;
-
- if (!$_SESSION['request_tokens'][$key])
- $_SESSION['request_tokens'][$key] = md5(uniqid($key . mt_rand(), true));
-
- return $_SESSION['request_tokens'][$key];
+ $sess_id = $_COOKIE[ini_get('session.name')];
+ return md5('RT' . $this->task . $this->config->get('des_key') . $sess_id);
}
@@ -1124,7 +1120,8 @@ class rcmail
public function check_request($mode = RCUBE_INPUT_POST)
{
$token = get_input_value('_token', $mode);
- return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
+ $sess_id = $_COOKIE[ini_get('session.name')];
+ return !empty($sess_id) && $token == $this->get_request_token();
}
diff --git a/program/js/app.js b/program/js/app.js
index ebbbae24b..384f45f80 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -5431,7 +5431,7 @@ function rcube_webmail()
if (this.env.keep_alive && !this.env.framed && this.task == 'mail' && this.gui_objects.mailboxlist)
this._int = setInterval(function(){ ref.check_for_recent(false); }, this.env.keep_alive * 1000);
- else if (this.env.keep_alive && !this.env.framed && this.env.action != 'print')
+ else if (this.env.keep_alive && !this.env.framed && this.task != 'login' && this.env.action != 'print')
this._int = setInterval(function(){ ref.send_keep_alive(); }, this.env.keep_alive * 1000);
};