Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829
| | |
| | | CHANGELOG Roundcube Webmail |
| | | =========================== |
| | | |
| | | - Stateless request tokens. No keep-alive necessary on login page (#1487829) |
| | | - PEAR::Net_SMTP 1.5.1 |
| | | - Allow multiple concurrent compose sessions |
| | | - Force names of unique constraints in PostgreSQL DDL |
| | |
| | | |
| | | // not logged in -> show login page |
| | | if (empty($RCMAIL->user->ID)) { |
| | | if ($RCMAIL->action == 'keep-alive') |
| | | $OUTPUT->send(); |
| | | else if ($OUTPUT->ajax_call) |
| | | if ($OUTPUT->ajax_call) |
| | | $OUTPUT->redirect(array(), 2000); |
| | | |
| | | if (!empty($_REQUEST['_framed'])) |
| | |
| | | |
| | | // check client X-header to verify request origin |
| | | if ($OUTPUT->ajax_call) { |
| | | if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { |
| | | if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) { |
| | | header('HTTP/1.1 404 Not Found'); |
| | | die("Invalid Request"); |
| | | } |
| | |
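Review bot: The added `&& !$RCMAIL->config->get('devel_mode')` turns off the X-Roundcube-Request origin check entirely whenever devel_mode is set, so the CSRF protection for every AJAX endpoint hinges on that option never being left on outside development; at minimum the line deserves a comment such as `// devel_mode skips the request-token check: never enable it on a production install`. The comparison itself uses loose `!=`, which for two md5 hex strings can treat values of the form `0e...` as numerically equal; `!==` is the safe form: `if (rc_request_header('X-Roundcube-Request') !== $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {`. The enclosing `if ($OUTPUT->ajax_call) {` block appears to close outside the hunk.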
| | | */ |
| | | public function get_request_token() |
| | | { |
| | | $key = $this->task; |
| | | |
| | | if (!$_SESSION['request_tokens'][$key]) |
| | | $_SESSION['request_tokens'][$key] = md5(uniqid($key . mt_rand(), true)); |
| | | |
| | | return $_SESSION['request_tokens'][$key]; |
| | | $sess_id = $_COOKIE[ini_get('session.name')]; |
| | | return md5('RT' . $this->task . $this->config->get('des_key') . $sess_id); |
| | | } |
| | | |
| | | |
| | |
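Review bot: The stateless token on the `return md5('RT' . ...)` line is a plain hash over the concatenation of task, des_key and the session id rather than a keyed MAC, so its unpredictability rests entirely on des_key being secret and the concatenation having no ambiguous boundaries; `hash_hmac('md5', 'RT' . $this->task . $sess_id, $this->config->get('des_key'))` keeps the same token length while making the key a proper MAC key (this changes the token value, which appears to be fine since both producer and check_request call this method). The preceding `$sess_id = $_COOKIE[ini_get('session.name')];` raises an undefined-index notice when no session cookie is present (for example on the first login-page request); `$sess_id = isset($_COOKIE[ini_get('session.name')]) ? $_COOKIE[ini_get('session.name')] : '';` avoids that. The method also needs a docblock stating that the token is derived from the session cookie, so it changes whenever the session id is regenerated and any page rendered before a regeneration holds a stale token — that is the behavioural difference from the removed session-stored variant.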
| | | public function check_request($mode = RCUBE_INPUT_POST) |
| | | { |
| | | $token = get_input_value('_token', $mode); |
| | | return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token; |
| | | $sess_id = $_COOKIE[ini_get('session.name')]; |
| | | return !empty($sess_id) && $token == $this->get_request_token(); |
| | | } |
| | | |
| | | |
| | |
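Review bot: The new `return !empty($sess_id) && $token == $this->get_request_token();` compares the submitted token with `==`, and since both sides are md5 hex strings, two different hashes that both look like `0e<digits>` compare equal under PHP's numeric-string juggling; use strict comparison: `return !empty($sess_id) && $token === $this->get_request_token();`. The `$sess_id` guard is what stops a request with no session cookie from matching a token computed from known inputs alone, which is worth stating in a short comment above it, e.g. `// no session cookie -> the token would be derivable from config alone; reject`. Whether `get_input_value` already normalises `$token` to a string is not visible here, so a `is_string($token)` guard may also be warranted.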
| | | |
| | | if (this.env.keep_alive && !this.env.framed && this.task == 'mail' && this.gui_objects.mailboxlist) |
| | | this._int = setInterval(function(){ ref.check_for_recent(false); }, this.env.keep_alive * 1000); |
| | | else if (this.env.keep_alive && !this.env.framed && this.env.action != 'print') |
| | | else if (this.env.keep_alive && !this.env.framed && this.task != 'login' && this.env.action != 'print') |
| | | this._int = setInterval(function(){ ref.send_keep_alive(); }, this.env.keep_alive * 1000); |
| | | }; |
| | | |