From 784a425e07f8b249b44137eadfe2a5dfe436aaeb Mon Sep 17 00:00:00 2001 From: thomascube Date: Thu, 3 Feb 2011 22:08:03 +0000 Subject: protect login form submission from CSRF using a request token --- index.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'index.php') diff --git a/index.php b/index.php index a80e76d68..bf38874d0 100644 --- a/index.php +++ b/index.php @@ -75,6 +75,8 @@ $RCMAIL->action = $startup['action']; // try to log in if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { + $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login'); + // purge the session in case of new login when a session already exists $RCMAIL->kill_session(); @@ -84,13 +86,14 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { 'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, $RCMAIL->config->get('password_charset', 'ISO-8859-1')), 'cookiecheck' => true, + 'valid' => $request_valid, )); // check if client supports cookies if ($auth['cookiecheck'] && empty($_COOKIE)) { $OUTPUT->show_message("cookiesdisabled", 'warning'); } - else if ($_SESSION['temp'] && !$auth['abort'] && + else if ($auth['valid'] && !$auth['abort'] && !empty($auth['host']) && !empty($auth['user']) && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) { // create new session ID @@ -123,7 +126,7 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { else { $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1; - $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning'); + $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning'); $RCMAIL->plugins->exec_hook('login_failed', array( 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'])); $RCMAIL->kill_session(); @@ -167,7 +170,7 @@ if (empty($RCMAIL->user->ID)) { ); } - $OUTPUT->set_env('task', 'login'); + $RCMAIL->set_task('login'); $OUTPUT->send('login'); } // CSRF prevention -- cgit v1.2.3