summaryrefslogtreecommitdiff
path: root/program/include
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
committerthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
commit5499336feff22f682448dd99cc00a9b36701fcd1 (patch)
tree84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /program/include
parent61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff)
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'program/include')
-rw-r--r--program/include/rcmail.php22
-rwxr-xr-xprogram/include/rcube_template.php27
2 files changed, 31 insertions, 18 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a508e1718..39edee4a1 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -872,33 +872,29 @@ class rcmail
/**
* Generate a unique token to be used in a form request
*
- * @param string Request identifier
* @return string The request token
*/
- public function get_request_token($key)
+ public function get_request_token()
{
- if (!$this->request_tokens[$key])
- $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+ $key = $this->task;
- return $this->request_tokens[$key];
+ if (!$_SESSION['request_tokens'][$key])
+ $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true));
+
+ return $_SESSION['request_tokens'][$key];
}
/**
* Check if the current request contains a valid token
*
- * @param string Request identifier
+ * @param int Request method
* @return boolean True if request token is valid false if not
*/
- public function check_request($key, $mode = RCUBE_INPUT_POST)
+ public function check_request($mode = RCUBE_INPUT_POST)
{
$token = get_input_value('_token', $mode);
- $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
-
- if ($valid)
- unset($_SESSION['request_tokens'][$key]);
-
- return $valid;
+ return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
}
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index caf385a69..0947944ad 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
//$this->framed = $framed;
$this->set_env('task', $task);
+ $this->set_env('request_token', $this->app->get_request_token());
// load the correct skin (in case user-defined)
$this->set_skin($this->config['skin']);
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
$js = $this->framed ? "if(window.parent) {\n" : '';
$js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
$this->add_script($js, 'head_top');
+
+ // make sure all <form> tags have a valid request token
+ $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
// call super method
parent::write($template, $this->config['skin_path']);
@@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page
*/
private function check_condition($condition)
{
- return eval("return (".$this->parse_expression($condition).");");
+ return eval("return (".$this->parse_expression($condition).");");
+ }
+
+
+ /**
+ *
+ */
+ private function alter_form_tag($matches)
+ {
+ $out = $matches[0];
+ $attrib = parse_attrib_string($matches[1]);
+
+ if (strtolower($attrib['method']) == 'post') {
+ $hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token()));
+ $out .= "\n" . $hidden->show();
+ }
+
+ return $out;
}
@@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page
$hidden->add(array('name' => '_action', 'value' => $attrib['action']));
}
- // generate request token
- $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
- $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
-
unset($attrib['task'], $attrib['request']);
$attrib['action'] = './';