Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix CSRF bypass that could be used to log out an authenticated user (#…
  • Loading branch information
alecpl committed Apr 26, 2020
1 parent 814eadb commit 9bbda42
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
Expand Up @@ -28,6 +28,7 @@ CHANGELOG Roundcube Webmail
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

RELEASE 1.4.3
-------------
Expand Down
10 changes: 7 additions & 3 deletions index.php
Expand Up @@ -106,7 +106,9 @@
$pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');

// purge the session in case of new login when a session already exists
$RCMAIL->kill_session();
if ($request_valid) {
$RCMAIL->kill_session();
}

$auth = $RCMAIL->plugins->exec_hook('authenticate', array(
'host' => $RCMAIL->autoselect_host(),
Expand Down Expand Up @@ -180,13 +182,15 @@
$RCMAIL->plugins->exec_hook('login_failed', array(
'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));

$RCMAIL->kill_session();
if (!isset($_SESSION['user_id'])) {
$RCMAIL->kill_session();
}
}
}

// end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
$RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
$RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);

$userdata = array(
'user' => $_SESSION['username'],
Expand Down

0 comments on commit 9bbda42

Please sign in to comment.