Changeset 4490 in subversion


Timestamp:
Feb 3, 2011 5:08:03 PM (2 years ago)
Author:
thomasb
Message:

protect login form submission from CSRF using a request token

Location:
trunk/roundcubemail
Files:
3 edited

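--- a/trunk/roundcubemail/CHANGELOG
+++ b/trunk/roundcubemail/CHANGELOG
@@ -2,4 +2,5 @@
 ===========================
 
+- Security: protect login form submission from CSRF
 - Security: prevent from relaying malicious requests through modcss.inc
 - Fix handling of non-image attachments in multipart/related messages (#1487750)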
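--- a/trunk/roundcubemail/index.php
+++ b/trunk/roundcubemail/index.php
@@ -76,4 +76,6 @@
 // try to log in
 if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+  $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
+
   // purge the session in case of new login when a session already exists
   $RCMAIL->kill_session();
@@ -85,4 +87,5 @@
        $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
     'cookiecheck' => true,
+    'valid' => $request_valid,
   ));
 
@@ -91,5 +94,5 @@
     $OUTPUT->show_message("cookiesdisabled", 'warning');
   }
-  else if ($_SESSION['temp'] && !$auth['abort'] &&
+  else if ($auth['valid'] && !$auth['abort'] &&
         !empty($auth['host']) && !empty($auth['user']) &&
         $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
@@ -124,5 +127,5 @@
     $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
 
-    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
+    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
     $RCMAIL->plugins->exec_hook('login_failed', array(
       'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
@@ -168,5 +171,5 @@
   }
 
-  $OUTPUT->set_env('task', 'login');
+  $RCMAIL->set_task('login');
   $OUTPUT->send('login');
 }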
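Review bot: The `login_failed` hook payload at new lines 130-131 still carries only `code`, `host` and `user`, so a plugin listening there (lock-out or alerting logic, for instance) cannot tell a request rejected by the new token check from a wrong password, even though the user-facing message at new line 129 now makes that distinction; passing the flag through, `'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'], 'valid' => $auth['valid']));`, would close that gap. The `'valid' => $request_valid` entry at new line 89 sits inside an array whose enclosing call starts outside the hunk; if that array is a plugin hook payload, as the later `$auth['valid']` read suggests, a plugin can overwrite the result of the token check, and that should be stated on the line, e.g. `// result of the CSRF token check; plugins receiving this array may override it`. The body of `check_request()` is not part of this change, so whether a failed check is itself logged cannot be judged from here.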
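--- a/trunk/roundcubemail/program/include/rcube_session.php
+++ b/trunk/roundcubemail/program/include/rcube_session.php
@@ -254,4 +254,5 @@
   public function kill()
   {
+    $this->vars = false;
     $this->destroy(session_id());
     rcmail::setcookie($this->cookiename, '-del-', time() - 60);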
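Review bot: The added `$this->vars = false;` at new line 256 has no comment explaining why it belongs in `kill()`, and the method continues past the end of the hunk, so a reader cannot see how `vars` is consumed afterwards; a why-comment such as `// drop the cached session data so nothing is written back after the session is destroyed` would make the intent explicit — presumably that is the purpose, to be confirmed against the write/close path. If `$this->vars` is otherwise held as a string or array, assigning `false` also gives the property a mixed type that every later reader must guard with a strict check rather than a truthiness test.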