| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
| commit | 94486f4f3e94367a148c762648eb0c3ed84014d6 (patch) | |
| tree | 044ef51b29ced112d0791f0aa000fe39d6ffa64e /roundcubemail/program/include/rcmail.php | |
| parent | 03cfead1d42ca546e148516fd5750af7a47ea278 (diff) | |
Use request tokens to protect POST requests from CSRF
git-svn-id: https://svn.roundcube.net/trunk@2755 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/include/rcmail.php')
| -rw-r--r-- | roundcubemail/program/include/rcmail.php | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/roundcubemail/program/include/rcmail.php b/roundcubemail/program/include/rcmail.php
index a4f44b8f4..627a8f290 100644
--- a/roundcubemail/program/include/rcmail.php
+++ b/roundcubemail/program/include/rcmail.php
@@ -852,6 +852,39 @@ class rcmail
 /**
+ * Generate a unique token to be used in a form request
+ *
+ * @param string Request identifier
+ * @return string The request token
+ */
+ public function get_request_token($key)
+ {
+ if (!$this->request_tokens[$key])
+ $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+
+ return $this->request_tokens[$key];
+ }
+
+
+ /**
+ * Check if the current request contains a valid token
+ *
+ * @param string Request identifier
+ * @return boolean True if request token is valid false if not
+ */
+ public function check_request($key, $mode = RCUBE_INPUT_POST)
+ {
+ $token = get_input_value('_token', $mode);
+ $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
+
+ if ($valid)
+ unset($_SESSION['request_tokens'][$key]);
+
+ return $valid;
+ }
+
+
+ /**
 * Create unique authorization hash
 *
 * @param string Session ID |
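Review bot: check_request compares the stored token with the submitted one using `!=`, PHP's loose comparison, under which two hex digests that both parse as numeric strings (for instance both of the form `0e` followed only by digits) compare equal, and a `$key` with no session entry is read before being compared, which raises a notice in addition to failing the check. A strict, existence-checked comparison closes both gaps: `$valid = !empty($token) && isset($_SESSION['request_tokens'][$key]) && $_SESSION['request_tokens'][$key] === $token;` (on current PHP `hash_equals()` is the constant-time form of that equality). In get_request_token the token is `md5(uniqid($key . rand(), true))`, where `uniqid` is clock-derived and `rand()` is not a cryptographic generator, so the token's unpredictability rests on weak inputs; it should come from the system CSPRNG (`bin2hex(random_bytes(16))` on modern PHP, or the urandom/openssl sources available at the time), with md5 kept at most as a formatting step if the 32-hex shape is relied on elsewhere. Both methods sit inside class rcmail, whose declaration starts and ends outside the hunk, and the hunk does not show `$this->request_tokens` being primed from `$_SESSION['request_tokens']` at request start; if that happens nowhere else, a later request calling get_request_token for the same `$key` mints a fresh token and silently invalidates the one already embedded in an open form.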
