author | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
committer | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
commit | 5499336feff22f682448dd99cc00a9b36701fcd1 (patch) | |
tree | 84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /program/include | |
parent | 61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff) |
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'program/include')
-rw-r--r-- | program/include/rcmail.php | 22 | ||||
-rwxr-xr-x | program/include/rcube_template.php | 27 |
2 files changed, 31 insertions, 18 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a508e1718..39edee4a1 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -872,33 +872,29 @@ class rcmail
 /**
 * Generate a unique token to be used in a form request
 *
- * @param string Request identifier
 * @return string The request token
 */
- public function get_request_token($key)
+ public function get_request_token()
 {
- if (!$this->request_tokens[$key])
- $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+ $key = $this->task;
- return $this->request_tokens[$key];
+ if (!$_SESSION['request_tokens'][$key])
+ $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true));
+
+ return $_SESSION['request_tokens'][$key];
 }
 /**
 * Check if the current request contains a valid token
 *
- * @param string Request identifier
+ * @param int Request method
 * @return boolean True if request token is valid false if not
 */
- public function check_request($key, $mode = RCUBE_INPUT_POST)
+ public function check_request($mode = RCUBE_INPUT_POST)
 {
 $token = get_input_value('_token', $mode);
- $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
-
- if ($valid)
- unset($_SESSION['request_tokens'][$key]);
-
- return $valid;
+ return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
 }
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index caf385a69..0947944ad 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
 //$this->framed = $framed;
 $this->set_env('task', $task);
+ $this->set_env('request_token', $this->app->get_request_token());
 // load the correct skin (in case user-defined)
 $this->set_skin($this->config['skin']);
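Review bot: check_request compares the submitted value to the stored token with `==`; for two strings PHP's loose comparison becomes numeric when both look numeric (a hex digest of the form `0e…` is one), so the check should be strict, e.g. `return !empty($token) && isset($_SESSION['request_tokens'][$this->task]) && hash_equals($_SESSION['request_tokens'][$this->task], $token);` (or `===` where hash_equals() is unavailable) — the `isset()` also avoids the undefined-index notice when no token has been issued for the task yet. The token in get_request_token is still `md5(uniqid($key . rand(), true))`, i.e. the clock plus a non-cryptographic PRNG, which is not an unpredictable secret; a CSPRNG source (`random_bytes()` on PHP 7+, `openssl_random_pseudo_bytes()` before that) is the fix. The `unset()` that consumed the token after a valid request is dropped, so one token now covers every POST of the task for the whole session; that matches the commit title but deserves a line in get_request_token's docblock, e.g. `Tokens are per task and session-scoped; they are not consumed on use.`. Both methods are shown in full within the hunk.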
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
 $js = $this->framed ? "if(window.parent) {\n" : '';
 $js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
 $this->add_script($js, 'head_top');
+
+ // make sure all <form> tags have a valid request token
+ $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
 // call super method
 parent::write($template, $this->config['skin_path']);
@@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page
 */
 private function check_condition($condition)
 {
- return eval("return (".$this->parse_expression($condition).");");
+ return eval("return (".$this->parse_expression($condition).");");
+ }
+
+ /**
+ *
+ */
+ private function alter_form_tag($matches)
+ {
+ $out = $matches[0];
+ $attrib = parse_attrib_string($matches[1]);
+
+ if (strtolower($attrib['method']) == 'post') {
+ $hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token()));
+ $out .= "\n" . $hidden->show();
+ }
+
+ return $out;
 }
@@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page
 $hidden->add(array('name' => '_action', 'value' => $attrib['action']));
 }
- // generate request token
- $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
- $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
-
 unset($attrib['task'], $attrib['request']);
 $attrib['action'] = './';
 |
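Review bot: In write() the result of `preg_replace_callback()` is assigned straight back to `$template`; the function returns null when PCRE fails (backtrack or recursion limit on a large page), so the page would then be handed to parent::write() empty with no error. Keep the original on failure: `$altered = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);` followed by `if ($altered !== null) $template = $altered;`, or check `preg_last_error()` after the call. The `[^>]+` group also stops at the first `>` inside a quoted attribute value, so such a form tag would not receive a token; an inline comment naming that limitation would help the next maintainer. write()'s body begins outside the hunk.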
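Review bot: alter_form_tag's docblock is empty and the `method` lookup assumes the attribute is present; a `<form>` without `method` (the HTML default is GET) raises an undefined-index notice on `$attrib['method']`. Guard it with `if (isset($attrib['method']) && strtolower($attrib['method']) == 'post') {`. For the docblock, describe that the method receives the preg_replace_callback match array, parses the tag's attributes with parse_attrib_string(), appends a hidden `_token` field after the opening tag of POST forms only, and returns the tag unchanged otherwise. A sentence noting that write() applies this callback to the rendered template text just before parent::write() would also help a reader.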