Use global request tokens and automatically protect all POST requests

2026-03-06 08:14:08 +01:00 · 2009-07-21 16:02:33 +00:00
parent 61e96cd1f9
commit 5499336fef
7 changed files with 42 additions and 45 deletions
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -872,33 +872,29 @@ class rcmail
  /**
   * Generate a unique token to be used in a form request
   *
-   * @param string Request identifier
   * @return string The request token
   */
-  public function get_request_token($key)
+  public function get_request_token()
  {
-    if (!$this->request_tokens[$key])
-      $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+    $key = $this->task;
    
-    return $this->request_tokens[$key];
+    if (!$_SESSION['request_tokens'][$key])
+      $_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true));
+    
+    return $_SESSION['request_tokens'][$key];
  }
  
  
  /**
   * Check if the current request contains a valid token
   *
-   * @param string Request identifier
+   * @param int Request method
   * @return boolean True if request token is valid false if not
   */
-  public function check_request($key, $mode = RCUBE_INPUT_POST)
+  public function check_request($mode = RCUBE_INPUT_POST)
  {
    $token = get_input_value('_token', $mode);
-    $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
-    
-    if ($valid)
-      unset($_SESSION['request_tokens'][$key]);
-    
-    return $valid;
+    return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
  }
  
  
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
        
        //$this->framed = $framed;
        $this->set_env('task', $task);
+        $this->set_env('request_token', $this->app->get_request_token());

        // load the correct skin (in case user-defined)
        $this->set_skin($this->config['skin']);
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
        $js = $this->framed ? "if(window.parent) {\n" : '';
        $js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
        $this->add_script($js, 'head_top');
+        
+        // make sure all <form> tags have a valid request token
+        $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);

        // call super method
        parent::write($template, $this->config['skin_path']);
@@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page
     */
    private function check_condition($condition)
    {
-            return eval("return (".$this->parse_expression($condition).");");
+        return eval("return (".$this->parse_expression($condition).");");
+    }
+    
+    
+    /**
+     *
+     */
+    private function alter_form_tag($matches)
+    {
+        $out = $matches[0];
+        $attrib  = parse_attrib_string($matches[1]);
+      
+        if (strtolower($attrib['method']) == 'post') {
+            $hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token()));
+            $out .= "\n" . $hidden->show();
+        }
+      
+        return $out;
    }


@@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page
            $hidden->add(array('name' => '_action', 'value' => $attrib['action']));
        }
      
-        // generate request token
-        $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
-        $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
-      
        unset($attrib['task'], $attrib['request']);
        $attrib['action'] = './';