From 5499336feff22f682448dd99cc00a9b36701fcd1 Mon Sep 17 00:00:00 2001 From: thomascube Date: Tue, 21 Jul 2009 16:02:33 +0000 Subject: [PATCH] Use global request tokens and automatically protect all POST requests --- index.php | 9 ++++++-- program/include/rcmail.php | 22 ++++++++----------- program/include/rcube_template.php | 27 +++++++++++++++++++----- program/js/app.js | 2 +- program/steps/addressbook/save.inc | 10 +-------- program/steps/settings/save_identity.inc | 8 +------ program/steps/settings/save_prefs.inc | 9 +------- 7 files changed, 42 insertions(+), 45 deletions(-) diff --git a/index.php b/index.php index 2767277f7..c5a1049e9 100644 --- a/index.php +++ b/index.php @@ -2,7 +2,7 @@ /* +-------------------------------------------------------------------------+ | RoundCube Webmail IMAP Client | - | Version 0.3-20090702 | + | Version 0.3-20090721 | | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | | @@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action ! // check client X-header to verify request origin if ($OUTPUT->ajax_call) { - if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) { + if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } } +// check request token in POST form submissions +else if (!empty($_POST) && !$RCMAIL->check_request()) { + $OUTPUT->show_message('invalidrequest', 'error'); + $OUTPUT->send($RCMAIL->task); +} // not logged in -> show login page diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a508e1718..39edee4a1 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -872,33 +872,29 @@ class rcmail /** * Generate a unique token to be used in a form request * - * @param string Request identifier * @return string The request token */ - public function get_request_token($key) + public function get_request_token() { - if (!$this->request_tokens[$key]) - $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true)); + $key = $this->task; - return $this->request_tokens[$key]; + if (!$_SESSION['request_tokens'][$key]) + $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true)); + + return $_SESSION['request_tokens'][$key]; } /** * Check if the current request contains a valid token * - * @param string Request identifier + * @param int Request method * @return boolean True if request token is valid false if not */ - public function check_request($key, $mode = RCUBE_INPUT_POST) + public function check_request($mode = RCUBE_INPUT_POST) { $token = get_input_value('_token', $mode); - $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token); - - if ($valid) - unset($_SESSION['request_tokens'][$key]); - - return $valid; + return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token; } diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index caf385a69..0947944ad 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page //$this->framed = $framed; $this->set_env('task', $task); + $this->set_env('request_token', $this->app->get_request_token()); // load the correct skin (in case user-defined) $this->set_skin($this->config['skin']); @@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page $js = $this->framed ? "if(window.parent) {\n" : ''; $js .= $this->get_js_commands() . ($this->framed ? ' }' : ''); $this->add_script($js, 'head_top'); + + // make sure all
tags have a valid request token + $template = preg_replace_callback('/]+)>/Ui', array($this, 'alter_form_tag'), $template); // call super method parent::write($template, $this->config['skin_path']); @@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page */ private function check_condition($condition) { - return eval("return (".$this->parse_expression($condition).");"); + return eval("return (".$this->parse_expression($condition).");"); + } + + + /** + * + */ + private function alter_form_tag($matches) + { + $out = $matches[0]; + $attrib = parse_attrib_string($matches[1]); + + if (strtolower($attrib['method']) == 'post') { + $hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token())); + $out .= "\n" . $hidden->show(); + } + + return $out; } @@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page $hidden->add(array('name' => '_action', 'value' => $attrib['action'])); } - // generate request token - $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action']; - $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key))); - unset($attrib['task'], $attrib['request']); $attrib['action'] = './'; diff --git a/program/js/app.js b/program/js/app.js index 332ee877c..4ce354665 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -55,7 +55,7 @@ function rcube_webmail() // set jQuery ajax options jQuery.ajaxSetup({ cache:false, error:function(request, status, err){ ref.http_error(request, status, err); }, - beforeSend:function(xmlhttp){ xmlhttp.setRequestHeader('X-RoundCube-Referer', bw.get_cookie('roundcube_sessid')); } + beforeSend:function(xmlhttp){ xmlhttp.setRequestHeader('X-RoundCube-Request', ref.env.request_token); } }); // set environment variable(s) diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index 45cb6387e..639e0f2d1 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -5,7 +5,7 @@ | program/steps/addressbook/save.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -22,14 +22,6 @@ $cid = get_input_value('_cid', RCUBE_INPUT_POST); $return_action = empty($cid) ? 'add' : 'show'; -// check request token and exit if invalid -if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST)) -{ - $OUTPUT->show_message('invalidrequest', 'error'); - rcmail_overwrite_action($return_action); - return; -} - // cannot edit record if ($CONTACTS->readonly) { diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 86ff263d2..d36114cd0 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -5,7 +5,7 @@ | program/steps/settings/save_identity.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -26,12 +26,6 @@ $a_html_cols = array('signature'); $a_boolean_cols = array('standard', 'html_signature'); $updated = $default_id = false; -// check request token -if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) { - $OUTPUT->show_message('invalidrequest', 'error'); - rcmail_overwrite_action('identities'); - return; -} // check input if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) { diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc index 7444a8b53..8430ffd88 100644 --- a/program/steps/settings/save_prefs.inc +++ b/program/steps/settings/save_prefs.inc @@ -5,7 +5,7 @@ | program/steps/settings/save_prefs.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,13 +19,6 @@ */ -// check request token and exit if invalid -if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) { - $OUTPUT->show_message('invalidrequest', 'error'); - rcmail_overwrite_action('preferences'); - return; -} - $a_user_prefs = array( 'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'], 'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],