authorthomascube <thomas@roundcube.net>2009-07-15 09:49:35 +0000
committerthomascube <thomas@roundcube.net>2009-07-15 09:49:35 +0000
commit57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch)
treeba2f16627d23c994233042a1cf51676559060914 /program/include
parent19862b5586343205dc381339bfea46915dd498d3 (diff)
Use request tokens to protect POST requests from CSRF
Diffstat (limited to 'program/include')
-rw-r--r--program/include/rcmail.php33
-rwxr-xr-xprogram/include/rcube_template.php37
2 files changed, 68 insertions, 2 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a4f44b8f4..627a8f290 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -852,6 +852,39 @@ class rcmail
/**
+ * Generate a unique token to be used in a form request
+ *
+ * @param string Request identifier
+ * @return string The request token
+ */
+ public function get_request_token($key)
+ {
+ if (!$this->request_tokens[$key])
+ $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+
+ return $this->request_tokens[$key];
+ }
+
+
+ /**
+ * Check if the current request contains a valid token
+ *
+ * @param string Request identifier
+ * @return boolean True if request token is valid false if not
+ */
+ public function check_request($key, $mode = RCUBE_INPUT_POST)
+ {
+ $token = get_input_value('_token', $mode);
+ $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
+
+ if ($valid)
+ unset($_SESSION['request_tokens'][$key]);
+
+ return $valid;
+ }
+
+
+ /**
* Create unique authorization hash
*
* @param string Session ID
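Review bot: The token in `get_request_token` is derived from `uniqid()` and `rand()`, neither of which is a cryptographically secure source, so the unpredictability the CSRF check depends on is weaker than it needs to be; seed the digest from a CSPRNG where the runtime provides one (`openssl_random_pseudo_bytes()`, or `random_bytes()` on PHP 7+) and fall back to the current expression only when none is available. In `check_request` the comparison `$_SESSION['request_tokens'][$key] != $token` is loose: two numeric-looking strings (which a hex digest can be) are compared as numbers, so `$valid = !(empty($token) || $_SESSION['request_tokens'][$key] !== $token);` is the safer form, and on PHP 5.6+ `hash_equals()` additionally gives a constant-time comparison. Both methods also index `$this->request_tokens[$key]` and `$_SESSION['request_tokens'][$key]` without `isset()`, which raises a notice when the key is absent; presumably the `request_tokens` property is declared outside this hunk, which is worth confirming.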
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index 382508099..a08f27309 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -925,7 +925,7 @@ class rcube_template extends rcube_html_page
*/
public function form_tag($attrib, $content = null)
{
- if ($this->framed) {
+ if ($this->framed || !empty($_REQUEST['_framed'])) {
$hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1'));
$hidden = $hiddenfield->show();
}
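Review bot: The new condition in `form_tag` reads `$_REQUEST['_framed']` directly, while the other new code in this commit (`check_request` in rcmail.php) goes through `get_input_value()` with an explicit input source; using the helper here too keeps request parsing in one place and makes the accepted sources explicit instead of depending on the `request_order` ini setting: `if ($this->framed || get_input_value('_framed', RCUBE_INPUT_GPC)) {`. The body of `form_tag` continues past the end of this hunk.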
@@ -935,7 +935,40 @@ class rcube_template extends rcube_html_page
return html::tag('form',
$attrib + array('action' => "./", 'method' => "get"),
- $hidden . $content);
+ $hidden . $content,
+ array('id','class','style','name','method','action','enctype','onsubmit'));
+ }
+
+
+ /**
+ * Build a form tag with a unique request token
+ *
+ * @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields
+ * @param string Form content
+ * @return string HTML code for the form
+ */
+ public function request_form($attrib, $content)
+ {
+ $hidden = new html_hiddenfield();
+ if ($attrib['task']) {
+ $hidden->add(array('name' => '_task', 'value' => $attrib['task']));
+ }
+ if ($attrib['action']) {
+ $hidden->add(array('name' => '_action', 'value' => $attrib['action']));
+ }
+
+ // generate request token
+ $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
+ $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
+
+ unset($attrib['task'], $attrib['request']);
+ $attrib['action'] = './';
+
+ // we already have a <form> tag
+ if ($attrib['form'])
+ return $hidden->show() . $content;
+ else
+ return $this->form_tag($attrib, $hidden->show() . $content);
}