Fix CSRF bypass that could be used to log out an authenticated user (#7302)

pull/7357/head
Aleksander Machniak 5 years ago
parent 219e353ac1
commit 8344f07d7f

@ -44,6 +44,7 @@ CHANGELOG Roundcube Webmail
- Security: Fix XSS issue in handling of CDATA in HTML messages - Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option - Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
RELEASE 1.4.3 RELEASE 1.4.3
------------- -------------

@ -106,7 +106,9 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
$pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8'); $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');
// purge the session in case of new login when a session already exists // purge the session in case of new login when a session already exists
$RCMAIL->kill_session(); if ($request_valid) {
$RCMAIL->kill_session();
}
$auth = $RCMAIL->plugins->exec_hook('authenticate', array( $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
'host' => $RCMAIL->autoselect_host(), 'host' => $RCMAIL->autoselect_host(),
@ -180,13 +182,15 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
$RCMAIL->plugins->exec_hook('login_failed', array( $RCMAIL->plugins->exec_hook('login_failed', array(
'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'])); 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
$RCMAIL->kill_session(); if (!isset($_SESSION['user_id'])) {
$RCMAIL->kill_session();
}
} }
} }
// end session // end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) { else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
$RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET); $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
$userdata = array( $userdata = array(
'user' => $_SESSION['username'], 'user' => $_SESSION['username'],
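Review bot: The two new guards around `kill_session()` (first hunk at line 106+, second at line 182+) encode the whole point of the fix but carry no explanation, so the next refactor can easily "simplify" them back into unconditional calls. I would extend the existing comment in the first hunk to `// purge the session in case of new login when a session already exists, but only if the request passed the CSRF check, otherwise a forged login POST could log out the current user (#7302)`, and put a matching one-liner above the second guard: `// keep an existing authenticated session alive on a failed (possibly forged) login attempt`. `$request_valid` is assigned outside this hunk, presumably by the request token check earlier in the file; if it is not guaranteed to be set on every path into this branch, the first guard would silently be false and the old-session purge would never run, so that assignment is worth confirming. The enclosing `if ($RCMAIL->task == 'login' ...)` block and the `else if` logout branch both extend beyond the hunk.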
