diff options
author | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
commit | 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch) | |
tree | ba2f16627d23c994233042a1cf51676559060914 /program/steps/settings | |
parent | 19862b5586343205dc381339bfea46915dd498d3 (diff) |
Use request tokens to protect POST requests from CSFR
Diffstat (limited to 'program/steps/settings')
-rw-r--r-- | program/steps/settings/edit_identity.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/func.inc | 30 | ||||
-rw-r--r-- | program/steps/settings/save_identity.inc | 6 | ||||
-rw-r--r-- | program/steps/settings/save_prefs.inc | 7 |
4 files changed, 27 insertions, 18 deletions
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index 4129409bb..bf3777f2d 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -60,7 +60,7 @@ function rcube_identity_form($attrib) $t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 6; $t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40; - list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); + list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', intval($IDENTITY_RECORD['identity_id']), array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); unset($attrib['form']); // list of available cols diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index ba98a2cec..f72b437c9 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -431,30 +431,26 @@ function rcmail_identities_list($attrib) // similar function as in /steps/addressbook/edit.inc -function get_form_tags($attrib, $action, $add_hidden=array()) +function get_form_tags($attrib, $action, $id = null, $hidden = null) { global $EDIT_FORM, $RCMAIL; - $form_start = ''; - if (!strlen($EDIT_FORM)) - { - $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task)); - $hiddenfields->add(array('name' => '_action', 'value' => $action)); - - if ($add_hidden) - $hiddenfields->add($add_hidden); + $form_start = $form_end = ''; + + if (empty($EDIT_FORM)) { + $request_key = $action . (isset($id) ? '.'.$id : ''); + $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => $action, 'request' => $request_key, 'noclose' => true) + $attrib); - $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : ''; - $form_start .= $hiddenfields->show(); + if (is_array($hidden)) { + $hiddenfields = new html_hiddenfield($hidden); + $form_start .= $hiddenfields->show(); } - $form_end = (!strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : ''; - $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form'; + $form_end = !strlen($attrib['form']) ? '</form>' : ''; - if (!strlen($EDIT_FORM)) - $RCMAIL->output->add_gui_object('editform', $form_name); - - $EDIT_FORM = $form_name; + $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form'; + $RCMAIL->output->add_gui_object('editform', $EDIT_FORM); + } return array($form_start, $form_end); } diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 900c2d3d9..86ff263d2 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -26,6 +26,12 @@ $a_html_cols = array('signature'); $a_boolean_cols = array('standard', 'html_signature'); $updated = $default_id = false; +// check request token +if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('identities'); + return; +} // check input if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) { diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc index c5afd5b0c..7444a8b53 100644 --- a/program/steps/settings/save_prefs.inc +++ b/program/steps/settings/save_prefs.inc @@ -19,6 +19,13 @@ */ +// check request token and exit if invalid +if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('preferences'); + return; +} + $a_user_prefs = array( 'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'], 'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'], |