Timestamp:
Jul 15, 2009 5:49:35 AM (4 years ago)
Author:
thomascube <thomas@…>
Branches:
master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8
Children:
3db3fd8
Parents:
19862b55
Message:

Use request tokens to protect POST requests from CSRF

File:
1 edited

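--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -926,5 +926,5 @@
     public function form_tag($attrib, $content = null)
     {
-      if ($this->framed) {
+      if ($this->framed || !empty($_REQUEST['_framed'])) {
         $hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1'));
         $hidden = $hiddenfield->show();
@@ -936,5 +936,38 @@
       return html::tag('form',
         $attrib + array('action' => "./", 'method' => "get"),
-        $hidden . $content);
+        $hidden . $content,
+        array('id','class','style','name','method','action','enctype','onsubmit'));
+    }
+
+
+    /**
+     * Build a form tag with a unique request token
+     *
+     * @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields
+     * @param string Form content
+     * @return string HTML code for the form
+     */
+    public function request_form($attrib, $content)
+    {
+        $hidden = new html_hiddenfield();
+        if ($attrib['task']) {
+            $hidden->add(array('name' => '_task', 'value' => $attrib['task']));
+        }
+        if ($attrib['action']) {
+            $hidden->add(array('name' => '_action', 'value' => $attrib['action']));
+        }
+
+        // generate request token
+        $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
+        $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
+
+        unset($attrib['task'], $attrib['request']);
+        $attrib['action'] = './';
+
+        // we already have a <form> tag
+        if ($attrib['form'])
+            return $hidden->show() . $content;
+        else
+            return $this->form_tag($attrib, $hidden->show() . $content);
     }
 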
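Review bot: request_form() inherits form_tag()'s default of `'method' => "get"` (the `$attrib + array('action' => "./", 'method' => "get")` line in form_tag), so whenever a caller does not pass `method` explicitly the `_token` hidden field is submitted in the query string, where it is exposed in server logs, browser history and the Referer header of any page the submission leads to. Since the commit message scopes the token to POST requests, request_form() should default the method itself before delegating, e.g. `$attrib += array('method' => 'post');` immediately before `return $this->form_tag($attrib, $hidden->show() . $content);`, which still lets an explicit caller-supplied `method` win. The `$attrib['form']` branch cannot enforce this for an enclosing form tag it did not build, which is worth stating in the docblock ("the enclosing form must use method=post, otherwise the token is sent in the URL"). Separately, `$attrib['task']`, `$attrib['action']`, `$attrib['request']` and `$attrib['form']` are read without `isset()`, so a caller that omits any of them triggers undefined-index notices; `!empty($attrib['task'])` and friends would keep the same truthiness semantics without the noise.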