authorthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2009-07-21 16:02:33 +0000
committerthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2009-07-21 16:02:33 +0000
commit06a746b43a418a501e67b47242499a1acd2ba848 (patch)
tree8784a3591ac99529265558853d975d30967156b9 /roundcubemail/program/include/rcube_template.php
parentde9304fe9b1c3fce460ca79395becefa382ba134 (diff)
Use global request tokens and automatically protect all POST requests
git-svn-id: https://svn.roundcube.net/trunk@2778 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/include/rcube_template.php')
-rwxr-xr-xroundcubemail/program/include/rcube_template.php27
1 files changed, 22 insertions, 5 deletions
diff --git a/roundcubemail/program/include/rcube_template.php b/roundcubemail/program/include/rcube_template.php
index caf385a69..0947944ad 100755
--- a/roundcubemail/program/include/rcube_template.php
+++ b/roundcubemail/program/include/rcube_template.php
@@ -59,6 +59,7 @@ class rcube_template extends rcube_html_page
//$this->framed = $framed;
$this->set_env('task', $task);
+ $this->set_env('request_token', $this->app->get_request_token());
// load the correct skin (in case user-defined)
$this->set_skin($this->config['skin']);
@@ -325,6 +326,9 @@ class rcube_template extends rcube_html_page
$js = $this->framed ? "if(window.parent) {\n" : '';
$js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
$this->add_script($js, 'head_top');
+
+ // make sure all <form> tags have a valid request token
+ $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
// call super method
parent::write($template, $this->config['skin_path']);
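Review bot: The `<form\s+([^>]+)>` pattern on the new preg_replace_callback line ends at the first `>`, so a form tag whose attribute value contains a literal `>` hands alter_form_tag a truncated attribute string, and a bare `<form>` with no attributes is not matched at all (harmless, since such a form defaults to GET). The comment above it promises more than the callback delivers; `// append a hidden _token field to every <form method="post"> (see alter_form_tag)` would describe the behaviour accurately. The body of write() starts outside the hunk.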
@@ -514,7 +518,24 @@ class rcube_template extends rcube_html_page
*/
private function check_condition($condition)
{
- return eval("return (".$this->parse_expression($condition).");");
+ return eval("return (".$this->parse_expression($condition).");");
+ }
+
+
+ /**
+ *
+ */
+ private function alter_form_tag($matches)
+ {
+ $out = $matches[0];
+ $attrib = parse_attrib_string($matches[1]);
+
+ if (strtolower($attrib['method']) == 'post') {
+ $hidden = new html_hiddenfield(array('name' => '_token', 'value' => $this->app->get_request_token()));
+ $out .= "\n" . $hidden->show();
+ }
+
+ return $out;
}
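Review bot: alter_form_tag only tests the method attribute, so a POST form whose action points at another origin also receives the hidden `_token` field and would submit the session's request token to that host; limiting the injection to forms with an empty, relative or same-site action would keep the token inside the application. `$attrib['method']` is also read unconditionally, so if parse_attrib_string() omits absent attributes every form without a method attribute raises an undefined-index notice; `if (isset($attrib['method']) && strtolower($attrib['method']) == 'post') {` avoids that. The new docblock above the method is empty; `/** Callback for preg_replace_callback() in write(): appends a hidden _token field after every <form method="post"> tag */` would say what it does.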
@@ -957,10 +978,6 @@ class rcube_template extends rcube_html_page
$hidden->add(array('name' => '_action', 'value' => $attrib['action']));
}
- // generate request token
- $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action'];
- $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key)));
-
unset($attrib['task'], $attrib['request']);
$attrib['action'] = './';