[RCU] Problem with CSRF

Andreas Meyer a.meyer at nimmini.de
Tue Apr 9 11:08:22 CEST 2019


Hello!

Michael Orlitzky <michael at orlitzky.com> schrieb am 08.04.19 um 20:23:20 Uhr:

> On 4/8/19 6:50 PM, Andreas Meyer wrote:
> > 
> > What happend here that all of the sudden I don't have a working roundcube
> > anymore? Where does this CSRF problem come from? I just upgraded to version
> > 1.3.9 and the problem remains.
> >   
> 
> This just happens every once in a while, and nobody has a good answer.
> Our users certainly don't know what to do. They call us, we don't know
> what to do. I started disabling the CSRF protection entirely:
> 
>   1. Open program/lib/Roundcube/rcube.php
>   2. Search for "public function check_request"
>   3. Have it always return true.

I fear I don't know how to do that. I don't know much about PHP if at all.

   public function check_request($mode = rcube_utils::INPUT_POST)
    {
        // check secure token in URL if enabled
        if ($token = $this->get_secure_url_token()) {
            foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
                if ($tok == $token) {
                    return true;
                }
            }

            $this->request_status = self::REQUEST_ERROR_URL;

            return false;
        }

        $sess_tok = $this->get_request_token();

        // ajax requests
        if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) {
            return true;
        }

        // skip empty requests
        if (($mode == rcube_utils::INPUT_POST && empty($_POST))
            || ($mode == rcube_utils::INPUT_GET && empty($_GET))
        ) {
            return true;
        }

        // default method of securing requests
        $token   = rcube_utils::get_input_value('_token', $mode);
        $sess_id = $_COOKIE[ini_get('session.name')];

        if (empty($sess_id) || $token !== $sess_tok) {
            $this->request_status = self::REQUEST_ERROR_TOKEN;
            return false;
        }

        return true;
    }


What do I need to change here?

Kind regards

  Andreas
-- 
PGP-Fingerprint: D392 5D21 0299 63D7 5BAE 4562 1E56 B2EA 81A2 59F1
-------------- n?chster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname   : nicht verfügbar
Dateityp    : application/pgp-signature
Dateigröße  : 228 bytes
Beschreibung: Digitale Signatur von OpenPGP
URL         : <http://lists.roundcube.net/pipermail/users/attachments/20190409/db1f6c92/attachment.sig>


More information about the users mailing list