diff options
author | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
commit | 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch) | |
tree | ba2f16627d23c994233042a1cf51676559060914 /program/include | |
parent | 19862b5586343205dc381339bfea46915dd498d3 (diff) |
Use request tokens to protect POST requests from CSFR
Diffstat (limited to 'program/include')
-rw-r--r-- | program/include/rcmail.php | 33 | ||||
-rwxr-xr-x | program/include/rcube_template.php | 37 |
2 files changed, 68 insertions, 2 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a4f44b8f4..627a8f290 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -852,6 +852,39 @@ class rcmail /** + * Generate a unique token to be used in a form request + * + * @param string Request identifier + * @return string The request token + */ + public function get_request_token($key) + { + if (!$this->request_tokens[$key]) + $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true)); + + return $this->request_tokens[$key]; + } + + + /** + * Check if the current request contains a valid token + * + * @param string Request identifier + * @return boolean True if request token is valid false if not + */ + public function check_request($key, $mode = RCUBE_INPUT_POST) + { + $token = get_input_value('_token', $mode); + $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token); + + if ($valid) + unset($_SESSION['request_tokens'][$key]); + + return $valid; + } + + + /** * Create unique authorization hash * * @param string Session ID diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index 382508099..a08f27309 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -925,7 +925,7 @@ class rcube_template extends rcube_html_page */ public function form_tag($attrib, $content = null) { - if ($this->framed) { + if ($this->framed || !empty($_REQUEST['_framed'])) { $hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1')); $hidden = $hiddenfield->show(); } @@ -935,7 +935,40 @@ class rcube_template extends rcube_html_page return html::tag('form', $attrib + array('action' => "./", 'method' => "get"), - $hidden . $content); + $hidden . $content, + array('id','class','style','name','method','action','enctype','onsubmit')); + } + + + /** + * Build a form tag with a unique request token + * + * @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields + * @param string Form content + * @return string HTML code for the form + */ + public function request_form($attrib, $content) + { + $hidden = new html_hiddenfield(); + if ($attrib['task']) { + $hidden->add(array('name' => '_task', 'value' => $attrib['task'])); + } + if ($attrib['action']) { + $hidden->add(array('name' => '_action', 'value' => $attrib['action'])); + } + + // generate request token + $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action']; + $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key))); + + unset($attrib['task'], $attrib['request']); + $attrib['action'] = './'; + + // we already have a <form> tag + if ($attrib['form']) + return $hidden->show() . $content; + else + return $this->form_tag($attrib, $hidden->show() . $content); } |