Use request tokens to protect POST requests from CSFR

author: thomascube <thomas@roundcube.net> 2009-07-15 09:49:35 +0000
committer: thomascube <thomas@roundcube.net> 2009-07-15 09:49:35 +0000
commit: 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch)
tree: ba2f16627d23c994233042a1cf51676559060914 /program/include/rcmail.php
parent: 19862b5586343205dc381339bfea46915dd498d3 (diff)
1 files changed, 33 insertions, 0 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a4f44b8f4..627a8f290 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -852,6 +852,39 @@ class rcmail
   
   
   /**
+   * Generate a unique token to be used in a form request
+   *
+   * @param string Request identifier
+   * @return string The request token
+   */
+  public function get_request_token($key)
+  {
+    if (!$this->request_tokens[$key])
+      $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+    
+    return $this->request_tokens[$key];
+  }
+  
+  
+  /**
+   * Check if the current request contains a valid token
+   *
+   * @param string Request identifier
+   * @return boolean True if request token is valid false if not
+   */
+  public function check_request($key, $mode = RCUBE_INPUT_POST)
+  {
+    $token = get_input_value('_token', $mode);
+    $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
+    
+    if ($valid)
+      unset($_SESSION['request_tokens'][$key]);
+    
+    return $valid;
+  }
+  
+  
+  /**
    * Create unique authorization hash
    *
    * @param string Session ID
author	thomascube <thomas@roundcube.net>	2009-07-15 09:49:35 +0000
committer	thomascube <thomas@roundcube.net>	2009-07-15 09:49:35 +0000
commit	57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch)
tree	ba2f16627d23c994233042a1cf51676559060914 /program/include/rcmail.php
parent	19862b5586343205dc381339bfea46915dd498d3 (diff)