diff --git a/index.php b/index.php
index 2767277f7..c5a1049e9 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
 /*
  +-------------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client |
- | Version 0.3-20090702 |
+ | Version 0.3-20090721 |
  | |
  | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
  | |
@@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action !
 // check client X-header to verify request origin
 if ($OUTPUT->ajax_call) {
- if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) {
+ if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) {
 header('HTTP/1.1 404 Not Found');
 die("Invalid Request");
 }
 }
+// check request token in POST form submissions
+else if (!empty($_POST) && !$RCMAIL->check_request()) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ $OUTPUT->send($RCMAIL->task);
+}
 // not logged in -> show login page
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a508e1718..39edee4a1 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
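Review bot: Both token comparisons use PHP's loose operators — `!=` against `rc_request_header('X-RoundCube-Request')` in this hunk and `==` in the new `check_request()` body in the program/include/rcmail.php hunk — and loose comparison of two strings that both parse as numbers (md5 hex output of the form `0e` followed only by digits is one such case) is done numerically, so a submitted token can compare equal to a session token it does not match. Use `!==` here and `===` in check_request(); on PHP versions that have it, `hash_equals()` is the better choice. The POST branch relies on `$OUTPUT->send($RCMAIL->task)` never returning; if send() can return, the rejected request still falls through to the action handling below, so an explicit `exit;` after it would make the intent unambiguous. Requests that are neither AJAX calls nor POSTs are not covered by either branch, which deserves a comment above the `else if` so the scope of the check is clear to the next reader. The enclosing `else if` block starts before this hunk.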
@@ -872,33 +872,29 @@ class rcmail
 /**
 * Generate a unique token to be used in a form request
 *
- * @param string Request identifier
 * @return string The request token
 */
- public function get_request_token($key)
+ public function get_request_token()
 {
- if (!$this->request_tokens[$key])
- $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+ $key = $this->task;
- return $this->request_tokens[$key];
+ if (!$_SESSION['request_tokens'][$key])
+ $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true));
+
+ return $_SESSION['request_tokens'][$key];
 }
 /**
 * Check if the current request contains a valid token
 *
- * @param string Request identifier
+ * @param int Request method
 * @return boolean True if request token is valid false if not
 */
- public function check_request($key, $mode = RCUBE_INPUT_POST)
+ public function check_request($mode = RCUBE_INPUT_POST)
 {
 $token = get_input_value('_token', $mode);
- $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
-
- if ($valid)
- unset($_SESSION['request_tokens'][$key]);
-
- return $valid;
+ return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
 }
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index caf385a69..0947944ad 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
 //$this->framed = $framed;
 $this->set_env('task', $task);
+ $this->set_env('request_token', $this->app->get_request_token());
 // load the correct skin (in case user-defined)
 $this->set_skin($this->config['skin']);
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
 $js = $this->framed ? "if(window.parent) {\n" : '';
 $js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
 $this->add_script($js, 'head_top');
+
+ // make sure all
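Review bot: The token produced in the new `get_request_token()` body comes from `md5(uniqid($key . rand(), true))`, i.e. a time-based id plus `rand()`, neither of which is a cryptographically secure source, so the per-session CSRF token carries less entropy than its 32 hex characters suggest; hashing bytes from a CSPRNG (a read of /dev/urandom on this era of PHP, `random_bytes()` on current PHP) would be the fix. Both `!$_SESSION['request_tokens'][$key]` and `$_SESSION['request_tokens'][$this->task]` index the array before it is known to exist, which raises a notice on the first request of a task and, in `check_request()`, compares the submitted token against null; guard the reads with `isset()`/`empty()`. The docblocks should also state what changed for callers — that the token is now created lazily per task, stored in the session, and no longer consumed on use — e.g. `* The token is created lazily per task and kept in $_SESSION for the life of the session` above `get_request_token()`. The `@param int Request method` line should name its parameter: `* @param int $mode Request method (defaults to RCUBE_INPUT_POST)`.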
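Review bot: The new `set_env('request_token', ...)` line carries no comment explaining why the token is placed in the JS environment, which is the value index.php compares against the X-RoundCube-Request header and that `check_request()` reads back from `_token`, and it also has the side effect of creating the session token on first use via `$this->app->get_request_token()`. A one-line comment such as `// expose the per-task request token so the client can send it back (X-RoundCube-Request header / _token field)` would make both points visible to the next reader. The surrounding constructor starts and ends outside the hunk, so whether `$this->app` is already initialised at this point cannot be confirmed from here.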