Use global request tokens and automatically protect all POST requests

This commit is contained in:
thomascube
2009-07-21 16:02:33 +00:00
parent 61e96cd1f9
commit 5499336fef
7 changed files with 42 additions and 45 deletions


@@ -872,33 +872,29 @@ class rcmail
/**
* Generate a unique token to be used in a form request
*
* @param string Request identifier
* @return string The request token
*/
public function get_request_token($key)
public function get_request_token()
{
if (!$this->request_tokens[$key])
$_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
$key = $this->task;
return $this->request_tokens[$key];
if (!$_SESSION['request_tokens'][$key])
$_SESSION['request_tokens'][$key] = md5(uniqid($key . rand(), true));
return $_SESSION['request_tokens'][$key];
}
/**
* Check if the current request contains a valid token
*
* @param string Request identifier
* @param int Request method
* @return boolean True if request token is valid false if not
*/
public function check_request($key, $mode = RCUBE_INPUT_POST)
public function check_request($mode = RCUBE_INPUT_POST)
{
$token = get_input_value('_token', $mode);
$valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
if ($valid)
unset($_SESSION['request_tokens'][$key]);
return $valid;
return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
}