From 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 15 Jul 2009 05:49:35 -0400
Subject: [PATCH] Use request tokens to protect POST requests from CSFR

---
 program/include/rcmail.php |   45 +++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index afcc33a..627a8f2 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -301,10 +301,6 @@
     if (!($this->output instanceof rcube_template))
       $this->output = new rcube_template($this->task, $framed);
 
-    foreach (array('flag_for_deletion','read_when_deleted') as $js_config_var) {
-      $this->output->set_env($js_config_var, $this->config->get($js_config_var));
-    }
-    
     // set keep-alive/check-recent interval
     if ($keep_alive = $this->config->get('keep_alive')) {
       // be sure that it's less than session lifetime
@@ -370,6 +366,7 @@
       'imap' => $this->config->get('imap_auth_type', 'check'),
       'delimiter' => isset($_SESSION['imap_delimiter']) ? $_SESSION['imap_delimiter'] : $this->config->get('imap_delimiter'),
       'rootdir' => isset($_SESSION['imap_root']) ? $_SESSION['imap_root'] : $this->config->get('imap_root'),
+      'debug_mode' => (bool) $this->config->get('imap_debug', 0),
     );
 
     $this->imap->set_options($options);
@@ -800,6 +797,8 @@
    */
   public function kill_session()
   {
+    $this->plugins->exec_hook('kill_session');
+    
     rcube_sess_unset();
     $_SESSION = array('language' => $this->user->language, 'auth_time' => time(), 'temp' => true);
     rcmail::setcookie('sessauth', '-del-', time() - 60);
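Review bot: The new `$this->plugins->exec_hook('kill_session')` call is plugin-facing API, but the method's docblock (which ends just above the hunk) does not mention it; add a line such as `* Triggers the 'kill_session' plugin hook before the session data is cleared.` so plugin authors know the hook fires while the session is still intact. kill_session's body continues past the end of the hunk.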
@@ -853,6 +852,39 @@
   
   
   /**
+   * Generate a unique token to be used in a form request
+   *
+   * @param string Request identifier
+   * @return string The request token
+   */
+  public function get_request_token($key)
+  {
+    if (!$this->request_tokens[$key])
+      $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true));
+    
+    return $this->request_tokens[$key];
+  }
+  
+  
+  /**
+   * Check if the current request contains a valid token
+   *
+   * @param string Request identifier
+   * @return boolean True if request token is valid false if not
+   */
+  public function check_request($key, $mode = RCUBE_INPUT_POST)
+  {
+    $token = get_input_value('_token', $mode);
+    $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token);
+    
+    if ($valid)
+      unset($_SESSION['request_tokens'][$key]);
+    
+    return $valid;
+  }
+  
+  
+  /**
    * Create unique authorization hash
    *
    * @param string Session ID
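Review bot: The token in get_request_token is built from `md5(uniqid($key . rand(), true))`, where uniqid() is clock-derived and rand() is not a cryptographically secure generator, so the value is guessable rather than secret; derive it from a CSPRNG instead, e.g. `bin2hex(openssl_random_pseudo_bytes(16))` (or `random_bytes()` where available). check_request then compares with `!=`, which on two numeric-looking hex strings (such as ones beginning with `0e`) falls back to a numeric comparison, and it reads `$_SESSION['request_tokens'][$key]` without checking it exists; a safer line is `$valid = !empty($token) && isset($_SESSION['request_tokens'][$key]) && $_SESSION['request_tokens'][$key] === $token;` (with `hash_equals()` where available). Likewise `if (!$this->request_tokens[$key])` reads an undefined index on the first call for a key, so `if (empty($this->request_tokens[$key]))` avoids the notice.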
@@ -885,6 +917,8 @@
    */
   public function encrypt($clear, $key = 'des_key', $base64 = true)
   {
+    if (!$clear)
+      return '';
     /*-
      * Add a single canary byte to the end of the clear text, which
      * will help find out how much of padding will need to be removed
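Review bot: The added `if (!$clear) return '';` uses a truthiness test, so the string `"0"` is treated as empty and encrypt('0') returns '' instead of a ciphertext, while the same guard in the decrypt hunk below makes decrypt('0') silently return ''; use an explicit emptiness check such as `if ($clear === null || $clear === '') return '';` in both places. Returning '' for an empty input also makes a missing value indistinguishable from a failed or empty cipher to callers, which is worth a one-line comment on the guard. encrypt's body continues outside the hunk.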
@@ -933,6 +967,9 @@
    */
   public function decrypt($cipher, $key = 'des_key', $base64 = true)
   {
+    if (!$cipher)
+      return '';
+  
     $cipher = $base64 ? base64_decode($cipher) : $cipher;
 
     if (function_exists('mcrypt_module_open') &&

--
Gitblit v1.9.1