From 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Wed, 15 Jul 2009 09:49:35 +0000
Subject: Use request tokens to protect POST requests from CSFR
---
 program/steps/addressbook/edit.inc | 33 ++++++++++++---------------------
 program/steps/addressbook/save.inc | 16 +++++++++++++---
 2 files changed, 25 insertions(+), 24 deletions(-)
(limited to 'program/steps/addressbook')
diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 410a09b14..fa97bc0a2 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -81,36 +81,27 @@ $OUTPUT->add_handler('contacteditform', 'rcmail_contact_editform');
 // similar function as in /steps/settings/edit_identity.inc
 function get_form_tags($attrib)
- {
+{
 global $CONTACTS, $EDIT_FORM, $RCMAIL;
- $result = $CONTACTS->get_result();
- $form_start = '';
- if (!strlen($EDIT_FORM))
- {
- $hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task));
- $hiddenfields->add(array('name' => '_action', 'value' => 'save'));
- $hiddenfields->add(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
- $hiddenfields->add(array('name' => '_framed', 'value' => (empty($_REQUEST['_framed']) ? 0 : 1)));
+ $form_start = $form_end = '';
+
+ if (empty($EDIT_FORM)) {
+ $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
 if (($result = $CONTACTS->get_result()) && ($record = $result->first()))
 $hiddenfields->add(array('name' => '_cid', 'value' => $record['ID']));
- $form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : '';
- $form_start .= $hiddenfields->show();
- }
-
- $form_end = (strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '' : '';
- $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
-
- if (!strlen($EDIT_FORM))
- $RCMAIL->output->add_gui_object('editform', $form_name);
-
- $EDIT_FORM = $form_name;
+ $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => 'save', 'request' => 'save.'.intval($record['ID']), 'noclose' => true) + $attrib, $hiddenfields->show());
+ $form_end = !strlen($attrib['form']) ? '' : '';
- return array($form_start, $form_end);
+ $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
+ $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
 }
+ return array($form_start, $form_end);
+}
+
 if (!$CONTACTS->get_result() && $OUTPUT->template_exists('addcontact'))
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 3b01a9be7..45cb6387e 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -19,11 +19,22 @@
 */
+$cid = get_input_value('_cid', RCUBE_INPUT_POST);
+$return_action = empty($cid) ? 'add' : 'show';
+
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
+{
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action($return_action);
+ return;
+}
+
 // cannot edit record
 if ($CONTACTS->readonly)
 {
 $OUTPUT->show_message('contactreadonly', 'error');
- rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+ rcmail_overwrite_action($return_action);
 return;
 }
@@ -31,7 +42,7 @@ if ($CONTACTS->readonly)
 if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST)))
 {
 $OUTPUT->show_message('formincomplete', 'warning');
- rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+ rcmail_overwrite_action($return_action);
 return;
 }
@@ -39,7 +50,6 @@ if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', R
 // setup some vars we need
 $a_save_cols = array('name', 'firstname', 'surname', 'email');
 $a_record = array();
-$cid = get_input_value('_cid', RCUBE_INPUT_POST);
 // read POST values into hash array
 foreach ($a_save_cols as $col)
--
cgit v1.2.3
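Review bot: `$record` is only assigned inside the `if (($result = $CONTACTS->get_result()) && ($record = $result->first()))` condition, yet the added `request_form()` call reads `$record['ID']` unconditionally to build the request id, so for a new contact with no result the token name is derived from an undefined variable; it still comes out as `save.0` because intval(null) is 0, but that is a notice at runtime and the token's correctness rests on a coincidence rather than on intent. Compute the id explicitly before the call, `$cid = !empty($record['ID']) ? intval($record['ID']) : 0;`, use `'request' => 'save.'.$cid`, and add `// must match the id checked by save.inc` so the coupling is visible. On the following line `!strlen($attrib['form'])` touches a possibly absent key while the line after it uses `!empty($attrib['form'])`; one form should be used for both. The removed `_framed` hidden field is not re-added anywhere in the hunk, so if `request_form()` does not add it itself, framed editing loses that flag — worth confirming against the output class, which is outside this diff.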
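Review bot: The request id `'save.'.intval($cid)` on the added `check_request` line works only because `get_form_tags()` in edit.inc builds the identical `'save.'.intval($record['ID'])` string, and nothing in save.inc records that coupling, so a later change on either side would make every save fail the token check with no hint why. Add `// token id must match the 'request' value built by get_form_tags() in edit.inc` above the check. Note also that `$return_action` is derived from the `_cid` of the request that just failed validation and then chooses the follow-up action; that is presumably acceptable because `add` and `show` only render, but a one-line comment stating that assumption would keep a future author from routing a rejected request into a mutating action. Consider also writing failed checks to the server log so that repeated rejections for one session are visible to operators rather than only as a UI message.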