From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 16 Dec 2014 13:28:48 +0100 Subject: Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests --- program/steps/addressbook/delete.inc | 5 +++-- program/steps/addressbook/func.inc | 11 ++++++----- program/steps/addressbook/photo.inc | 10 ++++++++-- program/steps/mail/compose.inc | 2 +- program/steps/mail/show.inc | 8 ++++---- program/steps/settings/func.inc | 18 ++++++++++++------ program/steps/utils/error.inc | 12 ++++++++++-- 7 files changed, 44 insertions(+), 22 deletions(-) (limited to 'program/steps') diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index f5b8e4eb5..9a23c59bb 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -20,10 +20,11 @@ */ // process ajax requests only -if (!$OUTPUT->ajax_call) +if (!$OUTPUT->ajax_call) { return; +} -$cids = rcmail_get_cids(); +$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); $delcnt = 0; // remove previous deletes diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 008d20174..c40b517dc 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib) if ($result = $CONTACTS->get_result()) $record = $result->first(); - $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif'; + $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif'; if ($record['_type'] == 'group' && $attrib['placeholdergroup']) - $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']); + $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true); + + $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img)); - $RCMAIL->output->set_env('photo_placeholder', $photo_img); unset($attrib['placeholder']); $plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo'])); @@ -896,13 +897,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: - - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc index 30d09ffcc..962ca3126 100644 --- a/program/steps/addressbook/photo.inc +++ b/program/steps/addressbook/photo.inc @@ -90,6 +90,12 @@ if (!$cid && $email) { $RCMAIL->output->future_expire_header(86400); } -header('Content-Type: ' . rcube_mime::image_content_type($data)); -echo $data ? $data : file_get_contents('program/resources/blank.gif'); +if ($data) { + header('Content-Type: ' . rcube_mime::image_content_type($data)); + echo $data; +} +else { + header('Content-Type: image/gif'); + echo base64_decode(rcmail_output::BLANK_GIF); +} exit; diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 5492f390d..fd25cf402 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -951,7 +951,7 @@ function rcmail_compose_body($attrib) "googie.setCurrentLanguage('%s');\n". "googie.setDecoration(false);\n". "googie.decorateTextarea('%s');\n", - $RCMAIL->output->get_skin_path(), + $RCMAIL->output->asset_url($RCMAIL->output->get_skin_path()), $RCMAIL->url(array('_task' => 'utils', '_action' => 'spell', '_remote' => 1)), !empty($dictionary) ? 'true' : 'false', rcube::JQ(rcube::Q($RCMAIL->gettext('checkspelling'))), diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index 5adc97900..d9233a923 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -341,20 +341,20 @@ function rcmail_message_contactphoto($attrib) { global $RCMAIL, $MESSAGE; - $placeholder = $attrib['placeholder'] ? $RCMAIL->config->get('skin_path') . $attrib['placeholder'] : null; + $placeholder = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : null; + $placeholder = $RCMAIL->output->asset_url($placeholder ? $placeholder : 'program/resources/blank.gif'); if ($MESSAGE->sender) { $photo_img = $RCMAIL->url(array( '_task' => 'addressbook', '_action' => 'photo', '_email' => $MESSAGE->sender['mailto'], - '_alt' => $placeholder, )); - $attrib['onerror'] = "this.src = '" . ($placeholder ? $placeholder : 'program/resources/blank.gif') . "'"; + $attrib['onerror'] = "this.src = '$placeholder'"; } else { - $photo_img = $placeholder ? $placeholder : 'program/resources/blank.gif'; + $photo_img = $placeholder; } return html::img(array('src' => $photo_img, 'alt' => $RCMAIL->gettext('contactphoto')) + $attrib); diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index f700e4f77..486e679c9 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -334,13 +334,10 @@ function rcmail_user_prefs($current = null) $input = new html_radiobutton(array('name'=>'_skin')); foreach ($skins as $skin) { - $thumbnail = "./skins/$skin/thumbnail.png"; - if (!is_file($thumbnail)) - $thumbnail = './program/resources/blank.gif'; - + $thumbnail = "skins/$skin/thumbnail.png"; $skinname = ucfirst($skin); $author_link = $license_link = ''; - $meta = @json_decode(@file_get_contents("./skins/$skin/meta.json"), true); + $meta = @json_decode(@file_get_contents(INSTALL_PATH . "skins/$skin/meta.json"), true); if (is_array($meta) && $meta['name']) { $skinname = $meta['name']; @@ -348,10 +345,19 @@ function rcmail_user_prefs($current = null) $license_link = $meta['license-url'] ? html::a(array('href' => $meta['license-url'], 'target' => '_blank', 'tabindex' => '-1'), rcube::Q($meta['license'])) : rcube::Q($meta['license']); } + $img = html::img(array( + 'src' => $thumbnail, + 'class' => 'skinthumbnail', + 'alt' => $skin, + 'width' => 64, + 'height' => 64, + 'onerror' => "this.src = rcmail.assets_path('program/resources/blank.gif')", + )); + $skinnames[] = mb_strtolower($skinname); $blocks['skin']['options'][$skin]['content'] = html::label(array('class' => 'skinselection'), html::span('skinitem', $input->show($config['skin'], array('value' => $skin, 'id' => $field_id.$skin))) . - html::span('skinitem', html::img(array('src' => $thumbnail, 'class' => 'skinthumbnail', 'alt' => $skin, 'width' => 64, 'height' => 64))) . + html::span('skinitem', $img) . html::span('skinitem', html::span('skinname', rcube::Q($skinname)) . html::br() . html::span('skinauthor', $author_link ? 'by ' . $author_link : '') . html::br() . html::span('skinlicense', $license_link ? $RCMAIL->gettext('license').': ' . $license_link : '')) diff --git a/program/steps/utils/error.inc b/program/steps/utils/error.inc index ec0d038f4..6bbc57fda 100644 --- a/program/steps/utils/error.inc +++ b/program/steps/utils/error.inc @@ -50,9 +50,17 @@ else if ($ERROR_CODE == 401) { // forbidden due to request check else if ($ERROR_CODE == 403) { + if ($_SERVER['REQUEST_METHOD'] == 'GET' && $rcmail->request_status == rcube::REQUEST_ERROR_URL) { + parse_str($_SERVER['QUERY_STRING'], $url); + $url = $rcmail->url($url, true, false, true); + $add = "
Click here to try again."; + } + else { + $add = "Please contact your server-administrator."; + } + $__error_title = "REQUEST CHECK FAILED"; - $__error_text = "Access to this service was denied due to failing security checks!
\n" - . "Please contact your server-administrator."; + $__error_text = "Access to this service was denied due to failing security checks!
\n$add"; } // failed request (wrong step in URL) -- cgit v1.2.3