Changeset ec045b0 in github

Timestamp:

Mar 22, 2011 3:49:43 AM (2 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

4380ebe

Parents:

a8d7c65

Message:

Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829

Files:

• CHANGELOG (modified) (1 diff)
• index.php (modified) (2 diffs)
• program/include/rcmail.php (modified) (2 diffs)
• program/js/app.js (modified) (1 diff)

CHANGELOG

@@ -2 +2 @@
 ===========================
 
+- Stateless request tokens. No keep-alive necessary on login page (#1487829)
 - PEAR::Net_SMTP 1.5.1
 - Allow multiple concurrent compose sessions

index.php

@@ -155 +155 @@
 // not logged in -> show login page
 if (empty($RCMAIL->user->ID)) {
-  if ($RCMAIL->action == 'keep-alive')
-    $OUTPUT->send();
-  else if ($OUTPUT->ajax_call)
+  if ($OUTPUT->ajax_call)
     $OUTPUT->redirect(array(), 2000);
 
@@ -185 +183 @@
   // check client X-header to verify request origin
   if ($OUTPUT->ajax_call) {
-    if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+    if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
       header('HTTP/1.1 404 Not Found');
       die("Invalid Request");

program/include/rcmail.php

@@ -1107 +1107 @@
   public function get_request_token()
   {
-    $key = $this->task;
-
-    if (!$_SESSION['request_tokens'][$key])
-      $_SESSION['request_tokens'][$key] = md5(uniqid($key . mt_rand(), true));
-
-    return $_SESSION['request_tokens'][$key];
+    $sess_id = $_COOKIE[ini_get('session.name')];
+    return md5('RT' . $this->task . $this->config->get('des_key') . $sess_id);
   }
 
@@ -1125 +1121 @@
   {
     $token = get_input_value('_token', $mode);
-    return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
+    $sess_id = $_COOKIE[ini_get('session.name')];
+    return !empty($sess_id) && $token == $this->get_request_token();
   }
 

program/js/app.js

@@ -5432 +5432 @@
     if (this.env.keep_alive && !this.env.framed && this.task == 'mail' && this.gui_objects.mailboxlist)
       this._int = setInterval(function(){ ref.check_for_recent(false); }, this.env.keep_alive * 1000);
-    else if (this.env.keep_alive && !this.env.framed && this.env.action != 'print')
+    else if (this.env.keep_alive && !this.env.framed && this.task != 'login' && this.env.action != 'print')
       this._int = setInterval(function(){ ref.send_keep_alive(); }, this.env.keep_alive * 1000);
   };