Mirrors/roundcubemail
2
0
Fork 0
mirror of https://github.com/roundcube/roundcubemail.git synced 2026-03-12 11:06:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use global request tokens and automatically protect all POST requests

Browse Source
This commit is contained in:
thomascube
2009-07-21 16:02:33 +00:00
parent 61e96cd1f9
commit 5499336fef
7 changed files with 42 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
program/include/rcube_template.php
View File

@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
//$this->framed = $framed;
$this->set_env('task', $task);
$this->set_env('request_token', $this->app->get_request_token());
// load the correct skin (in case user-defined)
$this->set_skin($this->config['skin']);
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
$js = $this->framed ? "if(window.parent) {\n" : '';
$js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
$this->add_script($js, 'head_top');
// make sure all <form> tags have a valid request token
$template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
// call super method
parent::write($template, $this->config['skin_path']);
@@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page
*/
private function check_condition($condition)
{
return eval("return (".$this->parse_expression($condition).");");
return eval("return (".$this->parse_expression($condition).");");
}
/**
*
*/
private function alter_form_tag($matches)
{
$out = $matches[0];
$attrib = parse_attrib_string($matches[1]);
if (strtolower($attrib['method']) == 'post') {
$hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token()));
$out .= "\n" . $hidden->show();
}
return $out;
}
@@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page
$hidden->add(array('name' => '_action', 'value' => $attrib['action']));
}
// generate request token
$request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
$hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
unset($attrib['task'], $attrib['request']);
$attrib['action'] = './';