diff options
Diffstat (limited to 'program/include/rcmail.php')
-rw-r--r-- | program/include/rcmail.php | 123 |
1 files changed, 75 insertions, 48 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php index 8ea42b600..a16319f72 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -439,7 +439,7 @@ class rcmail extends rcube // add some basic labels to client $this->output->add_label('loading', 'servererror', 'connerror', 'requesttimedout', - 'refreshing', 'windowopenerror'); + 'refreshing', 'windowopenerror', 'uploadingmany'); return $this->output; } @@ -760,49 +760,16 @@ class rcmail extends rcube } /** - * Generate a unique token to be used in a form request - * - * @return string The request token - */ - public function get_request_token() - { - $sess_id = $_COOKIE[ini_get('session.name')]; - - if (!$sess_id) { - $sess_id = session_id(); - } - - $plugin = $this->plugins->exec_hook('request_token', array( - 'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id))); - - return $plugin['value']; - } - - /** - * Check if the current request contains a valid token - * - * @param int Request method - * - * @return boolean True if request token is valid false if not - */ - public function check_request($mode = rcube_utils::INPUT_POST) - { - $token = rcube_utils::get_input_value('_token', $mode); - $sess_id = $_COOKIE[ini_get('session.name')]; - - return !empty($sess_id) && $token == $this->get_request_token(); - } - - /** * Build a valid URL to this instance of Roundcube * * @param mixed Either a string with the action or url parameters as key-value pairs * @param boolean Build an URL absolute to document root * @param boolean Create fully qualified URL including http(s):// and hostname + * @param bool Return absolute URL in secure location * * @return string Valid application URL */ - public function url($p, $absolute = false, $full = false) + public function url($p, $absolute = false, $full = false, $secure = false) { if (!is_array($p)) { if (strpos($p, 'http') === 0) { @@ -828,9 +795,23 @@ class rcmail extends rcube } } + $base_path = strval($_SERVER['REDIRECT_SCRIPT_URL'] ?: $_SERVER['SCRIPT_NAME']); + $base_path = preg_replace('![^/]+$!', '', $base_path); + + if ($secure && ($token = $this->get_secure_url_token(true))) { + // add token to the url + $url = $token . '/' . $url; + + // remove old token from the path + $base_path = rtrim($base_path, '/'); + $base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path); + + // this need to be full url to make redirects work + $absolute = true; + } + if ($absolute || $full) { // add base path to this Roundcube installation - $base_path = preg_replace('![^/]+$!', '', strval($_SERVER['SCRIPT_NAME'])); if ($base_path == '') $base_path = '/'; $prefix = $base_path; @@ -880,6 +861,28 @@ class rcmail extends rcube } /** + * CSRF attack prevention code + * + * @param int Request mode + */ + public function request_security_check($mode = rcube_utils::INPUT_POST) + { + // check request token + if (!$this->check_request($mode)) { + self::raise_error(array( + 'code' => 403, 'type' => 'php', + 'message' => "Request security check failed"), false, true); + } + + // check referer if configured + if ($this->config->get('referer_check') && !rcube_utils::check_referer()) { + self::raise_error(array( + 'code' => 403, 'type' => 'php', + 'message' => "Referer check failed"), true, true); + } + } + + /** * Registers action aliases for current task * * @param array $map Alias-to-filename hash array @@ -1958,13 +1961,32 @@ class rcmail extends rcube } if (!empty($params['total'])) { - $params['percent'] = round($status['current']/$status['total']*100); + $total = $this->show_bytes($params['total'], $unit); + switch ($unit) { + case 'GB': + $gb = $params['current']/1073741824; + $current = sprintf($gb >= 10 ? "%d" : "%.1f", $gb); + break; + case 'MB': + $mb = $params['current']/1048576; + $current = sprintf($mb >= 10 ? "%d" : "%.1f", $mb); + break; + case 'KB': + $current = round($params['current']/1024); + break; + case 'B': + default: + $current = $params['current']; + break; + } + + $params['percent'] = round($params['current']/$params['total']*100); $params['text'] = $this->gettext(array( 'name' => 'uploadprogress', 'vars' => array( 'percent' => $params['percent'] . '%', - 'current' => $this->show_bytes($params['current']), - 'total' => $this->show_bytes($params['total']) + 'current' => $current, + 'total' => $total ) )); } @@ -2150,25 +2172,30 @@ class rcmail extends rcube /** * Create a human readable string for a number of bytes * - * @param int Number of bytes + * @param int Number of bytes + * @param string Size unit * * @return string Byte string */ - public function show_bytes($bytes) + public function show_bytes($bytes, &$unit = null) { if ($bytes >= 1073741824) { - $gb = $bytes/1073741824; - $str = sprintf($gb>=10 ? "%d " : "%.1f ", $gb) . $this->gettext('GB'); + $unit = 'GB'; + $gb = $bytes/1073741824; + $str = sprintf($gb >= 10 ? "%d " : "%.1f ", $gb) . $this->gettext($unit); } else if ($bytes >= 1048576) { - $mb = $bytes/1048576; - $str = sprintf($mb>=10 ? "%d " : "%.1f ", $mb) . $this->gettext('MB'); + $unit = 'MB'; + $mb = $bytes/1048576; + $str = sprintf($mb >= 10 ? "%d " : "%.1f ", $mb) . $this->gettext($unit); } else if ($bytes >= 1024) { - $str = sprintf("%d ", round($bytes/1024)) . $this->gettext('KB'); + $unit = 'KB'; + $str = sprintf("%d ", round($bytes/1024)) . $this->gettext($unit); } else { - $str = sprintf('%d ', $bytes) . $this->gettext('B'); + $unit = 'B'; + $str = sprintf('%d ', $bytes) . $this->gettext($unit); } return $str; |