From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 16 Dec 2014 13:28:48 +0100
Subject: Improve system security by using optional special URL with security token

Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
---
 program/js/app.js | 24 ++++++++++++++++++++----
 program/js/editor.js | 5 +++--
 2 files changed, 23 insertions(+), 6 deletions(-)
(limited to 'program/js')

diff --git a/program/js/app.js b/program/js/app.js
index e0a6d26e3..4e65a9c6d 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -58,7 +58,6 @@ function rcube_webmail()
 request_timeout: 180, // seconds
 draft_autosave: 0, // seconds
 comm_path: './',
- blankpage: 'program/resources/blank.gif',
 recipients_separator: ',',
 recipients_delimiter: ', ',
 popup_width: 1150,
@@ -163,6 +162,9 @@ function rcube_webmail()
 return;
 }
 
+ if (!this.env.blankpage)
+ this.env.blankpage = this.assets_path('program/resources/blank.gif');
+
 // find all registered gui containers
 for (n in this.gui_containers)
 this.gui_containers[n] = $('#'+this.gui_containers[n]);
@@ -1406,8 +1408,10 @@ function rcube_webmail()
 if (task == 'mail')
 url += '&_mbox=INBOX';
- else if (task == 'logout' && !this.env.server_error)
+ else if (task == 'logout' && !this.env.server_error) {
+ url += '&_token=' + this.env.request_token;
 this.clear_compose_data();
+ }
 this.redirect(url);
 };
@@ -1417,7 +1421,10 @@ function rcube_webmail()
 if (!url)
 url = this.env.comm_path;
 
- return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task);
+ if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/))
+ return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task);
+ else
+ return url.replace(/\?.*$/, '') + '?_task=' + task;
 };
 
 this.reload = function(delay)
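Review bot: On the added `url += '&_token=' + this.env.request_token;` line the token is concatenated unencoded and unchecked: if `this.env.request_token` is ever unset the logout request carries the literal string `undefined`, and any reserved character in a token value would corrupt the query. `url += '&_token=' + encodeURIComponent(this.env.request_token);` keeps the value intact. Since this puts the request token into a GET URL it will also land in browser history and server access logs, so it is worth a comment that the server side must not rely on this token staying confidential longer than the session, e.g. `// logout is a GET request, so the CSRF token travels in the URL (history/logs); keep it session-scoped`. The enclosing function starts before this hunk.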
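Review bot: In the last hunk of this file the fallback `return url.replace(/\?.*$/, '') + '?_task=' + task;` discards every existing query parameter whenever the URL has a query string that lacks `_task`, so a `comm_path` carrying other parameters loses them silently; if only appending is intended, `return url + (url.indexOf('?') > -1 ? '&' : '?') + '_task=' + task;` preserves them. The test regex anchors on `[?&]` but the replace regex does not, so a parameter whose name merely ends in `_task` (e.g. `x_task=`) would be rewritten first; using `/([?&])_task=[a-zA-Z0-9_-]+/` with `'$1_task=' + task` in the replace keeps both consistent. As a point of style, `url.match(...)` used as a boolean reads more clearly as `/[?&]_task=[a-zA-Z0-9_-]+/.test(url)` and the `else` after a `return` is redundant. The enclosing function starts before this hunk.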
@@ -8039,7 +8046,7 @@ function rcube_webmail()
 img.onload = function() { ref.env.browser_capabilities.tif = 1; };
 img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
- img.src = 'program/resources/blank.tif';
+ img.src = this.assets_path('program/resources/blank.tif');
 };
 
 this.pdf_support_check = function()
@@ -8096,6 +8103,15 @@ function rcube_webmail()
 return 0;
 };
 
+ this.assets_path = function(path)
+ {
+ if (this.env.assets_path && !path.startsWith(this.env.assets_path)) {
+ path = this.env.assets_path + path;
+ }
+
+ return path;
+ };
+
 // Cookie setter
 this.set_cookie = function(name, value, expires)
 {
diff --git a/program/js/editor.js b/program/js/editor.js
index 3dac5f371..2fc3429ab 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -36,12 +36,13 @@
 function rcube_text_editor(config, id)
 {
 var ref = this,
+ abs_url = location.href.replace(/[?#].*$/, '').replace(/\/$/, ''),
 conf = {
 selector: '#' + ($('#' + id).is('.mce_editor') ? id : 'fake-editor-id'),
 cache_suffix: 's=4010700',
 theme: 'modern',
 language: config.lang,
- content_css: 'program/js/tinymce/roundcube/content.css',
+ content_css: rcmail.assets_path('program/js/tinymce/roundcube/content.css'),
 menubar: false,
 statusbar: false,
 toolbar_items_size: 'small',
@@ -83,7 +84,7 @@ function rcube_text_editor(config, id)
 toolbar: 'bold italic underline | alignleft aligncenter alignright alignjustify' +
 ' | bullist numlist outdent indent ltr rtl blockquote | forecolor backcolor | fontselect fontsizeselect' +
 ' | link unlink table | emoticons charmap image media | code searchreplace undo redo',
- spellchecker_rpc_url: '../../../../../?_task=utils&_action=spell_html&_remote=1',
+ spellchecker_rpc_url: abs_url + '/?_task=utils&_action=spell_html&_remote=1',
 spellchecker_language: rcmail.env.spell_lang,
 accessibility_focus: false,
 file_browser_callback: function(name, url, type, win) { ref.file_browser_callback(name, url, type); },
-- 
cgit v1.2.3
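Review bot: `img.src = this.assets_path('program/resources/blank.tif');` relies on `this` being the rcube_webmail instance, while the two callback lines just above use the captured `ref` for the same object; if this check is ever invoked detached from the instance (as a callback or through a timer) `this.assets_path` is undefined and the line throws. `img.src = ref.assets_path('program/resources/blank.tif');` keeps the method consistent with its own callbacks and independent of how it is called. The enclosing function starts before this hunk.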
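Review bot: In the new `this.assets_path` function, `path.startsWith(...)` is an ES2015 method that no version of Internet Explorer implements, so on such browsers any installation that configures `env.assets_path` gets a TypeError from the first caller (the `this.env.blankpage` assignment added earlier in this file) before the gui-container loop runs; `path.indexOf(this.env.assets_path) !== 0` is the portable equivalent. The function also has no header comment; something like `// Prefix a relative asset path with env.assets_path (optional separate host/path for images, js and css) unless it is already prefixed` would document the contract. The prefix is applied blindly, so a root-relative or absolute URL passed in would come out malformed — every caller in this commit passes a relative literal, so a comment stating that expectation is enough for now.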
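Review bot: `abs_url` in the first editor.js hunk strips only the query/fragment and a trailing slash from `location.href`, so when the page is reached through an explicit script name (e.g. `.../index.php`) the `spellchecker_rpc_url` built in the second hunk becomes `.../index.php/?_task=utils&...`, which works only where the web server accepts path-info after the script. Dropping a trailing script name as well, `abs_url = location.href.replace(/[?#].*$/, '').replace(/\/[^\/]*\.php$/, '').replace(/\/$/, ''),`, avoids that dependency. The reason for an absolute base deserves a comment since the old value was a relative `../../../../../` walk; presumably TinyMCE resolves a relative RPC url against its own script location, which may now be on the separate assets host — `// absolute base URL: TinyMCE would resolve a relative RPC url against its own (possibly external) script path` if that is the intent. The enclosing function continues outside both hunks.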