Also protect GET request from CSRF

16 years ago · 2a5d02ab8e
parent 5499336fef
commit 2a5d02ab8e
3 changed files with 17 additions and 6 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ CHANGELOG RoundCube Webmail

 - Fix import of vCard entries with params (#1485453)
 - Fix HTML messages output with empty block elements (#1485974)
+- Use request tokens to protect POST requests from CSFR
 - Added hook when killing a session
 - Added hook to write_log function (#1485971)
 - Performance improvements by use UID commands (#1485690)
--- a/program/js/app.js
+++ b/program/js/app.js
@ -2969,8 +2969,9 @@ function rcube_webmail()
    if (!id)
      id = this.env.iid ? this.env.iid : selection[0];

-    // if (this.env.framed && id)
-    this.goto_url('delete-identity', '_iid='+id, true);
+    // append token to request
+    this.goto_url('delete-identity', '_iid='+id+'&_token='+this.env.request_token, true);
+    
    return true;
    };

--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@ -5,7 +5,7 @@
 | program/steps/settings/delete_identity.inc                            |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@ -19,11 +19,20 @@

 */

-if (($ids = get_input_value('_iid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $ids))
+$iid = get_input_value('_iid', RCUBE_INPUT_GPC);
+
+// check request token
+if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(RCUBE_INPUT_GPC)) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action('identities');
+  return;
+}
+
+if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid))
 {
-  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $ids));
+  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $iid));
  
-  if (!$plugin['abort'] && $USER->delete_identity($ids)) {
+  if (!$plugin['abort'] && $USER->delete_identity($iid)) {
    $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
  }
  else {