Changeset 57f0c81 in github for program/include/rcmail.php

Timestamp:

Jul 15, 2009 5:49:35 AM (4 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

3db3fd8

Parents:

19862b55

Message:

Use request tokens to protect POST requests from CSFR

File:

• program/include/rcmail.php (modified) (1 diff)

program/include/rcmail.php

@@ -853 +853 @@
   
   /**
+   * Generate a unique token to be used in a form request
+   *
+   * @param string Request identifier
+   * @return string The request token
+   */
+  public function get_request_token($key)
+  {
+    if (!$this->request_tokens[$key])
+      $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+    
+    return $this->request_tokens[$key];
+  }
+  
+  
+  /**
+   * Check if the current request contains a valid token
+   *
+   * @param string Request identifier
+   * @return boolean True if request token is valid false if not
+   */
+  public function check_request($key, $mode = RCUBE_INPUT_POST)
+  {
+    $token = get_input_value('_token', $mode);
+    $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
+    
+    if ($valid)
+      unset($_SESSION['request_tokens'][$key]);
+    
+    return $valid;
+  }
+  
+  
+  /**
    * Create unique authorization hash
    *