From 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 Mon Sep 17 00:00:00 2001 From: thomascube Date: Wed, 15 Jul 2009 09:49:35 +0000 Subject: Use request tokens to protect POST requests from CSFR --- program/include/rcmail.php | 33 ++++++++++++++++++++++++++++ program/include/rcube_template.php | 37 ++++++++++++++++++++++++++++++-- program/localization/de_CH/messages.inc | 3 +++ program/localization/de_DE/messages.inc | 1 + program/localization/en_US/messages.inc | 1 + program/steps/addressbook/edit.inc | 33 +++++++++++----------------- program/steps/addressbook/save.inc | 16 +++++++++++--- program/steps/settings/edit_identity.inc | 2 +- program/steps/settings/func.inc | 30 +++++++++++--------------- program/steps/settings/save_identity.inc | 6 ++++++ program/steps/settings/save_prefs.inc | 7 ++++++ 11 files changed, 125 insertions(+), 44 deletions(-) diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a4f44b8f4..627a8f290 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -851,6 +851,39 @@ class rcmail } + /** + * Generate a unique token to be used in a form request + * + * @param string Request identifier + * @return string The request token + */ + public function get_request_token($key) + { + if (!$this->request_tokens[$key]) + $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true)); + + return $this->request_tokens[$key]; + } + + + /** + * Check if the current request contains a valid token + * + * @param string Request identifier + * @return boolean True if request token is valid false if not + */ + public function check_request($key, $mode = RCUBE_INPUT_POST) + { + $token = get_input_value('_token', $mode); + $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token); + + if ($valid) + unset($_SESSION['request_tokens'][$key]); + + return $valid; + } + + /** * Create unique authorization hash * diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index 382508099..a08f27309 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -925,7 +925,7 @@ class rcube_template extends rcube_html_page */ public function form_tag($attrib, $content = null) { - if ($this->framed) { + if ($this->framed || !empty($_REQUEST['_framed'])) { $hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1')); $hidden = $hiddenfield->show(); } @@ -935,7 +935,40 @@ class rcube_template extends rcube_html_page return html::tag('form', $attrib + array('action' => "./", 'method' => "get"), - $hidden . $content); + $hidden . $content, + array('id','class','style','name','method','action','enctype','onsubmit')); + } + + + /** + * Build a form tag with a unique request token + * + * @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields + * @param string Form content + * @return string HTML code for the form + */ + public function request_form($attrib, $content) + { + $hidden = new html_hiddenfield(); + if ($attrib['task']) { + $hidden->add(array('name' => '_task', 'value' => $attrib['task'])); + } + if ($attrib['action']) { + $hidden->add(array('name' => '_action', 'value' => $attrib['action'])); + } + + // generate request token + $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action']; + $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key))); + + unset($attrib['task'], $attrib['request']); + $attrib['action'] = './'; + + // we already have a
tag + if ($attrib['form']) + return $hidden->show() . $content; + else + return $this->form_tag($attrib, $hidden->show() . $content); } diff --git a/program/localization/de_CH/messages.inc b/program/localization/de_CH/messages.inc index a46c93b17..2c672679b 100644 --- a/program/localization/de_CH/messages.inc +++ b/program/localization/de_CH/messages.inc @@ -22,6 +22,8 @@ $messages['loginfailed'] = 'Login fehlgeschlagen'; $messages['cookiesdisabled'] = 'Ihr Browser akzeptiert keine Cookies'; $messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen'; $messages['imaperror'] = 'Keine Verbindung zum IMAP Server'; +$messages['servererror'] = 'Serverfehler!'; +$messages['invalidrequest'] = 'Ungültige Anfrage! Es wurden keine Daten gespeichert.'; $messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner'; $messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!'; $messages['mailboxempty'] = 'Ordner ist leer'; @@ -45,6 +47,7 @@ $messages['errorsavingsent'] = 'Ein Fehler ist beim Speichern der gesendeten Nac $messages['errorsaving'] = 'Beim Speichern ist ein Fehler aufgetreten'; $messages['errormoving'] = 'Nachricht konnte nicht verschoben werden'; $messages['errordeleting'] = 'Nachricht konnte nicht gelöscht werden'; +$messages['errormarking'] = 'Nachricht konnte nicht markiert werden'; $messages['deletecontactconfirm'] = 'Wollen Sie die ausgewählten Kontakte wirklich löschen'; $messages['deletemessagesconfirm'] = 'Wollen Sie die ausgewählten Nachrichten wirklich löschen?'; $messages['deletefolderconfirm'] = 'Wollen Sie diesen Ordner wirklich löschen?'; diff --git a/program/localization/de_DE/messages.inc b/program/localization/de_DE/messages.inc index 0e73017ba..0f681690b 100644 --- a/program/localization/de_DE/messages.inc +++ b/program/localization/de_DE/messages.inc @@ -23,6 +23,7 @@ $messages['cookiesdisabled'] = 'Ihr Browser akzeptiert keine Cookies'; $messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen'; $messages['imaperror'] = 'Keine Verbindung zum IMAP-Server'; $messages['servererror'] = 'Serverfehler!'; +$messages['invalidrequest'] = 'Ungültige Anfrage! Es wurden keine Daten gespeichert.'; $messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner'; $messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!'; $messages['mailboxempty'] = 'Ordner ist leer'; diff --git a/program/localization/en_US/messages.inc b/program/localization/en_US/messages.inc index fa0b30711..a9d2d6759 100644 --- a/program/localization/en_US/messages.inc +++ b/program/localization/en_US/messages.inc @@ -23,6 +23,7 @@ $messages['cookiesdisabled'] = 'Your browser does not accept cookies'; $messages['sessionerror'] = 'Your session is invalid or expired'; $messages['imaperror'] = 'Connection to IMAP server failed'; $messages['servererror'] = 'Server Error!'; +$messages['invalidrequest'] = 'Invalid request! No data was saved.'; $messages['nomessagesfound'] = 'No messages found in this mailbox'; $messages['loggedout'] = 'You have successfully terminated the session. Good bye!'; $messages['mailboxempty'] = 'Mailbox is empty'; diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc index 410a09b14..fa97bc0a2 100644 --- a/program/steps/addressbook/edit.inc +++ b/program/steps/addressbook/edit.inc @@ -81,36 +81,27 @@ $OUTPUT->add_handler('contacteditform', 'rcmail_contact_editform'); // similar function as in /steps/settings/edit_identity.inc function get_form_tags($attrib) - { +{ global $CONTACTS, $EDIT_FORM, $RCMAIL; - $result = $CONTACTS->get_result(); - $form_start = ''; - if (!strlen($EDIT_FORM)) - { - $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task)); - $hiddenfields->add(array('name' => '_action', 'value' => 'save')); - $hiddenfields->add(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC))); - $hiddenfields->add(array('name' => '_framed', 'value' => (empty($_REQUEST['_framed']) ? 0 : 1))); + $form_start = $form_end = ''; + + if (empty($EDIT_FORM)) { + $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC))); if (($result = $CONTACTS->get_result()) && ($record = $result->first())) $hiddenfields->add(array('name' => '_cid', 'value' => $record['ID'])); - $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : ''; - $form_start .= $hiddenfields->show(); - } - - $form_end = (strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '
' : ''; - $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form'; - - if (!strlen($EDIT_FORM)) - $RCMAIL->output->add_gui_object('editform', $form_name); - - $EDIT_FORM = $form_name; + $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => 'save', 'request' => 'save.'.intval($record['ID']), 'noclose' => true) + $attrib, $hiddenfields->show()); + $form_end = !strlen($attrib['form']) ? '' : ''; - return array($form_start, $form_end); + $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form'; + $RCMAIL->output->add_gui_object('editform', $EDIT_FORM); } + return array($form_start, $form_end); +} + if (!$CONTACTS->get_result() && $OUTPUT->template_exists('addcontact')) diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index 3b01a9be7..45cb6387e 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -19,11 +19,22 @@ */ +$cid = get_input_value('_cid', RCUBE_INPUT_POST); +$return_action = empty($cid) ? 'add' : 'show'; + +// check request token and exit if invalid +if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST)) +{ + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action($return_action); + return; +} + // cannot edit record if ($CONTACTS->readonly) { $OUTPUT->show_message('contactreadonly', 'error'); - rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); + rcmail_overwrite_action($return_action); return; } @@ -31,7 +42,7 @@ if ($CONTACTS->readonly) if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST))) { $OUTPUT->show_message('formincomplete', 'warning'); - rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); + rcmail_overwrite_action($return_action); return; } @@ -39,7 +50,6 @@ if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', R // setup some vars we need $a_save_cols = array('name', 'firstname', 'surname', 'email'); $a_record = array(); -$cid = get_input_value('_cid', RCUBE_INPUT_POST); // read POST values into hash array foreach ($a_save_cols as $col) diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index 4129409bb..bf3777f2d 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -60,7 +60,7 @@ function rcube_identity_form($attrib) $t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 6; $t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40; - list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); + list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', intval($IDENTITY_RECORD['identity_id']), array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); unset($attrib['form']); // list of available cols diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index ba98a2cec..f72b437c9 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -431,30 +431,26 @@ function rcmail_identities_list($attrib) // similar function as in /steps/addressbook/edit.inc -function get_form_tags($attrib, $action, $add_hidden=array()) +function get_form_tags($attrib, $action, $id = null, $hidden = null) { global $EDIT_FORM, $RCMAIL; - $form_start = ''; - if (!strlen($EDIT_FORM)) - { - $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task)); - $hiddenfields->add(array('name' => '_action', 'value' => $action)); - - if ($add_hidden) - $hiddenfields->add($add_hidden); + $form_start = $form_end = ''; + + if (empty($EDIT_FORM)) { + $request_key = $action . (isset($id) ? '.'.$id : ''); + $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => $action, 'request' => $request_key, 'noclose' => true) + $attrib); - $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : ''; - $form_start .= $hiddenfields->show(); + if (is_array($hidden)) { + $hiddenfields = new html_hiddenfield($hidden); + $form_start .= $hiddenfields->show(); } - $form_end = (!strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '' : ''; - $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form'; + $form_end = !strlen($attrib['form']) ? '' : ''; - if (!strlen($EDIT_FORM)) - $RCMAIL->output->add_gui_object('editform', $form_name); - - $EDIT_FORM = $form_name; + $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form'; + $RCMAIL->output->add_gui_object('editform', $EDIT_FORM); + } return array($form_start, $form_end); } diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 900c2d3d9..86ff263d2 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -26,6 +26,12 @@ $a_html_cols = array('signature'); $a_boolean_cols = array('standard', 'html_signature'); $updated = $default_id = false; +// check request token +if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('identities'); + return; +} // check input if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) { diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc index c5afd5b0c..7444a8b53 100644 --- a/program/steps/settings/save_prefs.inc +++ b/program/steps/settings/save_prefs.inc @@ -19,6 +19,13 @@ */ +// check request token and exit if invalid +if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('preferences'); + return; +} + $a_user_prefs = array( 'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'], 'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'], -- cgit v1.2.3