diff options
author | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
commit | 5499336feff22f682448dd99cc00a9b36701fcd1 (patch) | |
tree | 84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /program/include/rcmail.php | |
parent | 61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff) |
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'program/include/rcmail.php')
-rw-r--r-- | program/include/rcmail.php | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a508e1718..39edee4a1 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -872,33 +872,29 @@ class rcmail /** * Generate a unique token to be used in a form request * - * @param string Request identifier * @return string The request token */ - public function get_request_token($key) + public function get_request_token() { - if (!$this->request_tokens[$key]) - $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true)); + $key = $this->task; - return $this->request_tokens[$key]; + if (!$_SESSION['request_tokens'][$key]) + $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true)); + + return $_SESSION['request_tokens'][$key]; } /** * Check if the current request contains a valid token * - * @param string Request identifier + * @param int Request method * @return boolean True if request token is valid false if not */ - public function check_request($key, $mode = RCUBE_INPUT_POST) + public function check_request($mode = RCUBE_INPUT_POST) { $token = get_input_value('_token', $mode); - $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token); - - if ($valid) - unset($_SESSION['request_tokens'][$key]); - - return $valid; + return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token; } |