Use request tokens to protect POST requests from CSFR

6 files changed, 52 insertions, 42 deletions

diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 410a09b14..fa97bc0a2 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -81,36 +81,27 @@ $OUTPUT->add_handler('contacteditform', 'rcmail_contact_editform');
 
 // similar function as in /steps/settings/edit_identity.inc
 function get_form_tags($attrib)
-  {
+{
   global $CONTACTS, $EDIT_FORM, $RCMAIL;
 
-  $result = $CONTACTS->get_result();
-  $form_start = '';
-  if (!strlen($EDIT_FORM))
-    {
-    $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task));
-    $hiddenfields->add(array('name' => '_action', 'value' => 'save'));
-    $hiddenfields->add(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
-    $hiddenfields->add(array('name' => '_framed', 'value' => (empty($_REQUEST['_framed']) ? 0 : 1)));
+  $form_start = $form_end = '';
+  
+  if (empty($EDIT_FORM)) {
+    $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
     
     if (($result = $CONTACTS->get_result()) && ($record = $result->first()))
       $hiddenfields->add(array('name' => '_cid', 'value' => $record['ID']));
     
-    $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : '';
-    $form_start .= $hiddenfields->show();
-    }
-    
-  $form_end = (strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : '';
-  $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
-  
-  if (!strlen($EDIT_FORM))
-    $RCMAIL->output->add_gui_object('editform', $form_name);
-  
-  $EDIT_FORM = $form_name;
+    $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => 'save', 'request' => 'save.'.intval($record['ID']), 'noclose' => true) + $attrib, $hiddenfields->show());
+    $form_end = !strlen($attrib['form']) ? '</form>' : '';
 
-  return array($form_start, $form_end); 
+    $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
+    $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
   }
 
+  return array($form_start, $form_end); 
+}
+
 
 
 if (!$CONTACTS->get_result() && $OUTPUT->template_exists('addcontact'))
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 3b01a9be7..45cb6387e 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -19,11 +19,22 @@
 
 */
 
+$cid = get_input_value('_cid', RCUBE_INPUT_POST);
+$return_action = empty($cid) ? 'add' : 'show';
+
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
+{
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action($return_action);
+  return;
+}
+
 // cannot edit record
 if ($CONTACTS->readonly)
 {
   $OUTPUT->show_message('contactreadonly', 'error');
-  rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+  rcmail_overwrite_action($return_action);
   return;
 }
 
@@ -31,7 +42,7 @@ if ($CONTACTS->readonly)
 if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST)))
 {
   $OUTPUT->show_message('formincomplete', 'warning');
-  rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+  rcmail_overwrite_action($return_action);
   return;
 }
 
@@ -39,7 +50,6 @@ if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', R
 // setup some vars we need
 $a_save_cols = array('name', 'firstname', 'surname', 'email');
 $a_record = array();
-$cid = get_input_value('_cid', RCUBE_INPUT_POST);
 
 // read POST values into hash array
 foreach ($a_save_cols as $col)
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index 4129409bb..bf3777f2d 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -60,7 +60,7 @@ function rcube_identity_form($attrib)
   $t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 6;
   $t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40;
 
-  list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));
+  list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', intval($IDENTITY_RECORD['identity_id']), array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));
   unset($attrib['form']);
 
   // list of available cols
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index ba98a2cec..f72b437c9 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -431,30 +431,26 @@ function rcmail_identities_list($attrib)
 
 
 // similar function as in /steps/addressbook/edit.inc
-function get_form_tags($attrib, $action, $add_hidden=array())
+function get_form_tags($attrib, $action, $id = null, $hidden = null)
   {
   global $EDIT_FORM, $RCMAIL;
 
-  $form_start = '';
-  if (!strlen($EDIT_FORM))
-    {
-    $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task));
-    $hiddenfields->add(array('name' => '_action', 'value' => $action));
-    
-    if ($add_hidden)
-      $hiddenfields->add($add_hidden);
+  $form_start = $form_end = '';
+  
+  if (empty($EDIT_FORM)) {
+    $request_key = $action . (isset($id) ? '.'.$id : '');
+    $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => $action, 'request' => $request_key, 'noclose' => true) + $attrib);
     
-    $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : '';
-    $form_start .= $hiddenfields->show();
+    if (is_array($hidden)) {
+      $hiddenfields = new html_hiddenfield($hidden);
+      $form_start .= $hiddenfields->show();
     }
     
-  $form_end = (!strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : '';
-  $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
+    $form_end = !strlen($attrib['form']) ? '</form>' : '';
 
-  if (!strlen($EDIT_FORM))
-    $RCMAIL->output->add_gui_object('editform', $form_name);
-  
-  $EDIT_FORM = $form_name;
+    $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
+    $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
+  }
 
   return array($form_start, $form_end);
   }
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 900c2d3d9..86ff263d2 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -26,6 +26,12 @@ $a_html_cols = array('signature');
 $a_boolean_cols = array('standard', 'html_signature');
 $updated = $default_id = false;
 
+// check request token
+if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action('identities');
+  return;
+}
 // check input
 if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3))
   {
diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index c5afd5b0c..7444a8b53 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -19,6 +19,13 @@
 
 */
 
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action('preferences');
+  return;
+}
+
 $a_user_prefs = array(
   'language'     => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'],
   'timezone'     => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],