banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use request tokens to protect POST requests from CSFR

Browse Source
release-0.6
thomascube 15 years ago
parent 19862b5586
commit 57f0c81f2c
11 changed files with 125 additions and 44 deletions
Show Stats Download Patch File Download Diff File

33
program/include/rcmail.php
Unescape Escape View File

@ -851,6 +851,39 @@ class rcmail
} }
/**
* Generate a unique token to be used in a form request
*
* @param string Request identifier
* @return string The request token
*/
public function get_request_token($key)
{
if (!$this->request_tokens[$key])
$_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
return $this->request_tokens[$key];
}
/**
* Check if the current request contains a valid token
*
* @param string Request identifier
* @return boolean True if request token is valid false if not
*/
public function check_request($key, $mode = RCUBE_INPUT_POST)
{
$token = get_input_value('_token', $mode);
$valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
if ($valid)
unset($_SESSION['request_tokens'][$key]);
return $valid;
}
/** /**
* Create unique authorization hash * Create unique authorization hash
* *

37
program/include/rcube_template.php
Unescape Escape View File

@ -925,7 +925,7 @@ class rcube_template extends rcube_html_page
*/ */
public function form_tag($attrib, $content = null) public function form_tag($attrib, $content = null)
{ {
if ($this->framed) { if ($this->framed || !empty($_REQUEST['_framed'])) {
$hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1')); $hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1'));
$hidden = $hiddenfield->show(); $hidden = $hiddenfield->show();
} }
@ -935,7 +935,40 @@ class rcube_template extends rcube_html_page
return html::tag('form', return html::tag('form',
$attrib + array('action' => "./", 'method' => "get"), $attrib + array('action' => "./", 'method' => "get"),
$hidden . $content); $hidden . $content,
array('id','class','style','name','method','action','enctype','onsubmit'));
}
/**
* Build a form tag with a unique request token
*
* @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields
* @param string Form content
* @return string HTML code for the form
*/
public function request_form($attrib, $content)
{
$hidden = new html_hiddenfield();
if ($attrib['task']) {
$hidden->add(array('name' => '_task', 'value' => $attrib['task']));
}
if ($attrib['action']) {
$hidden->add(array('name' => '_action', 'value' => $attrib['action']));
}
// generate request token
$request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
$hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
unset($attrib['task'], $attrib['request']);
$attrib['action'] = './';
// we already have a <form> tag
if ($attrib['form'])
return $hidden->show() . $content;
else
return $this->form_tag($attrib, $hidden->show() . $content);
} }

3
program/localization/de_CH/messages.inc
Unescape Escape View File

@ -22,6 +22,8 @@ $messages['loginfailed'] = 'Login fehlgeschlagen';
$messages['cookiesdisabled'] = 'Ihr Browser akzeptiert keine Cookies'; $messages['cookiesdisabled'] = 'Ihr Browser akzeptiert keine Cookies';
$messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen'; $messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen';
$messages['imaperror'] = 'Keine Verbindung zum IMAP Server'; $messages['imaperror'] = 'Keine Verbindung zum IMAP Server';
$messages['servererror'] = 'Serverfehler!';
$messages['invalidrequest'] = 'Ungültige Anfrage! Es wurden keine Daten gespeichert.';
$messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner'; $messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner';
$messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!'; $messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!';
$messages['mailboxempty'] = 'Ordner ist leer'; $messages['mailboxempty'] = 'Ordner ist leer';
@ -45,6 +47,7 @@ $messages['errorsavingsent'] = 'Ein Fehler ist beim Speichern der gesendeten Nac
$messages['errorsaving'] = 'Beim Speichern ist ein Fehler aufgetreten'; $messages['errorsaving'] = 'Beim Speichern ist ein Fehler aufgetreten';
$messages['errormoving'] = 'Nachricht konnte nicht verschoben werden'; $messages['errormoving'] = 'Nachricht konnte nicht verschoben werden';
$messages['errordeleting'] = 'Nachricht konnte nicht gelöscht werden'; $messages['errordeleting'] = 'Nachricht konnte nicht gelöscht werden';
$messages['errormarking'] = 'Nachricht konnte nicht markiert werden';
$messages['deletecontactconfirm'] = 'Wollen Sie die ausgewählten Kontakte wirklich löschen'; $messages['deletecontactconfirm'] = 'Wollen Sie die ausgewählten Kontakte wirklich löschen';
$messages['deletemessagesconfirm'] = 'Wollen Sie die ausgewählten Nachrichten wirklich löschen?'; $messages['deletemessagesconfirm'] = 'Wollen Sie die ausgewählten Nachrichten wirklich löschen?';
$messages['deletefolderconfirm'] = 'Wollen Sie diesen Ordner wirklich löschen?'; $messages['deletefolderconfirm'] = 'Wollen Sie diesen Ordner wirklich löschen?';

1
program/localization/de_DE/messages.inc
Unescape Escape View File

@ -23,6 +23,7 @@ $messages['cookiesdisabled'] = 'Ihr Browser akzeptiert keine Cookies';
$messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen'; $messages['sessionerror'] = 'Ihre Session ist ungültig oder abgelaufen';
$messages['imaperror'] = 'Keine Verbindung zum IMAP-Server'; $messages['imaperror'] = 'Keine Verbindung zum IMAP-Server';
$messages['servererror'] = 'Serverfehler!'; $messages['servererror'] = 'Serverfehler!';
$messages['invalidrequest'] = 'Ungültige Anfrage! Es wurden keine Daten gespeichert.';
$messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner'; $messages['nomessagesfound'] = 'Keine Nachrichten in diesem Ordner';
$messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!'; $messages['loggedout'] = 'Sie haben Ihre Session erfolgreich beendet. Auf Wiedersehen!';
$messages['mailboxempty'] = 'Ordner ist leer'; $messages['mailboxempty'] = 'Ordner ist leer';

1
program/localization/en_US/messages.inc
Unescape Escape View File

@ -23,6 +23,7 @@ $messages['cookiesdisabled'] = 'Your browser does not accept cookies';
$messages['sessionerror'] = 'Your session is invalid or expired'; $messages['sessionerror'] = 'Your session is invalid or expired';
$messages['imaperror'] = 'Connection to IMAP server failed'; $messages['imaperror'] = 'Connection to IMAP server failed';
$messages['servererror'] = 'Server Error!'; $messages['servererror'] = 'Server Error!';
$messages['invalidrequest'] = 'Invalid request! No data was saved.';
$messages['nomessagesfound'] = 'No messages found in this mailbox'; $messages['nomessagesfound'] = 'No messages found in this mailbox';
$messages['loggedout'] = 'You have successfully terminated the session. Good bye!'; $messages['loggedout'] = 'You have successfully terminated the session. Good bye!';
$messages['mailboxempty'] = 'Mailbox is empty'; $messages['mailboxempty'] = 'Mailbox is empty';

33
program/steps/addressbook/edit.inc
Unescape Escape View File

@ -81,36 +81,27 @@ $OUTPUT->add_handler('contacteditform', 'rcmail_contact_editform');
// similar function as in /steps/settings/edit_identity.inc // similar function as in /steps/settings/edit_identity.inc
function get_form_tags($attrib) function get_form_tags($attrib)
{ {
global $CONTACTS, $EDIT_FORM, $RCMAIL; global $CONTACTS, $EDIT_FORM, $RCMAIL;
$result = $CONTACTS->get_result(); $form_start = $form_end = '';
$form_start = '';
if (!strlen($EDIT_FORM)) if (empty($EDIT_FORM)) {
{ $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
$hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task));
$hiddenfields->add(array('name' => '_action', 'value' => 'save'));
$hiddenfields->add(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
$hiddenfields->add(array('name' => '_framed', 'value' => (empty($_REQUEST['_framed']) ? 0 : 1)));
if (($result = $CONTACTS->get_result()) && ($record = $result->first())) if (($result = $CONTACTS->get_result()) && ($record = $result->first()))
$hiddenfields->add(array('name' => '_cid', 'value' => $record['ID'])); $hiddenfields->add(array('name' => '_cid', 'value' => $record['ID']));
$form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : ''; $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => 'save', 'request' => 'save.'.intval($record['ID']), 'noclose' => true) + $attrib, $hiddenfields->show());
$form_start .= $hiddenfields->show(); $form_end = !strlen($attrib['form']) ? '</form>' : '';
}
$form_end = (strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : '';
$form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
if (!strlen($EDIT_FORM))
$RCMAIL->output->add_gui_object('editform', $form_name);
$EDIT_FORM = $form_name;
return array($form_start, $form_end); $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
$RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
} }
return array($form_start, $form_end);
}
if (!$CONTACTS->get_result() && $OUTPUT->template_exists('addcontact')) if (!$CONTACTS->get_result() && $OUTPUT->template_exists('addcontact'))

16
program/steps/addressbook/save.inc
Unescape Escape View File

@ -19,11 +19,22 @@
*/ */
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
$return_action = empty($cid) ? 'add' : 'show';
// check request token and exit if invalid
if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
{
$OUTPUT->show_message('invalidrequest', 'error');
rcmail_overwrite_action($return_action);
return;
}
// cannot edit record // cannot edit record
if ($CONTACTS->readonly) if ($CONTACTS->readonly)
{ {
$OUTPUT->show_message('contactreadonly', 'error'); $OUTPUT->show_message('contactreadonly', 'error');
rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); rcmail_overwrite_action($return_action);
return; return;
} }
@ -31,7 +42,7 @@ if ($CONTACTS->readonly)
if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST))) if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST)))
{ {
$OUTPUT->show_message('formincomplete', 'warning'); $OUTPUT->show_message('formincomplete', 'warning');
rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); rcmail_overwrite_action($return_action);
return; return;
} }
@ -39,7 +50,6 @@ if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', R
// setup some vars we need // setup some vars we need
$a_save_cols = array('name', 'firstname', 'surname', 'email'); $a_save_cols = array('name', 'firstname', 'surname', 'email');
$a_record = array(); $a_record = array();
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
// read POST values into hash array // read POST values into hash array
foreach ($a_save_cols as $col) foreach ($a_save_cols as $col)

2
program/steps/settings/edit_identity.inc
Unescape Escape View File

@ -60,7 +60,7 @@ function rcube_identity_form($attrib)
$t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 6; $t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 6;
$t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40; $t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40;
list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id'])); list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', intval($IDENTITY_RECORD['identity_id']), array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));
unset($attrib['form']); unset($attrib['form']);
// list of available cols // list of available cols

30
program/steps/settings/func.inc
Unescape Escape View File

@ -431,30 +431,26 @@ function rcmail_identities_list($attrib)
// similar function as in /steps/addressbook/edit.inc // similar function as in /steps/addressbook/edit.inc
function get_form_tags($attrib, $action, $add_hidden=array()) function get_form_tags($attrib, $action, $id = null, $hidden = null)
{ {
global $EDIT_FORM, $RCMAIL; global $EDIT_FORM, $RCMAIL;
$form_start = ''; $form_start = $form_end = '';
if (!strlen($EDIT_FORM))
{ if (empty($EDIT_FORM)) {
$hiddenfields = new html_hiddenfield(array('name' => '_task', 'value' => $RCMAIL->task)); $request_key = $action . (isset($id) ? '.'.$id : '');
$hiddenfields->add(array('name' => '_action', 'value' => $action)); $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => $action, 'request' => $request_key, 'noclose' => true) + $attrib);
if ($add_hidden)
$hiddenfields->add($add_hidden);
$form_start = !strlen($attrib['form']) ? $RCMAIL->output->form_tag(array('name' => "form", 'method' => "post")) : ''; if (is_array($hidden)) {
$form_start .= $hiddenfields->show(); $hiddenfields = new html_hiddenfield($hidden);
$form_start .= $hiddenfields->show();
} }
$form_end = (!strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : ''; $form_end = !strlen($attrib['form']) ? '</form>' : '';
$form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
if (!strlen($EDIT_FORM)) $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
$RCMAIL->output->add_gui_object('editform', $form_name); $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
}
$EDIT_FORM = $form_name;
return array($form_start, $form_end); return array($form_start, $form_end);
} }

6
program/steps/settings/save_identity.inc
Unescape Escape View File

@ -26,6 +26,12 @@ $a_html_cols = array('signature');
$a_boolean_cols = array('standard', 'html_signature'); $a_boolean_cols = array('standard', 'html_signature');
$updated = $default_id = false; $updated = $default_id = false;
// check request token
if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) {
$OUTPUT->show_message('invalidrequest', 'error');
rcmail_overwrite_action('identities');
return;
}
// check input // check input
if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3))
{ {

7
program/steps/settings/save_prefs.inc
Unescape Escape View File

@ -19,6 +19,13 @@
*/ */
// check request token and exit if invalid
if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
$OUTPUT->show_message('invalidrequest', 'error');
rcmail_overwrite_action('preferences');
return;
}
$a_user_prefs = array( $a_user_prefs = array(
'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'], 'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'],
'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'], 'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],

Write Preview
Loading…
Cancel
Save