
Commit 9bbda42

committed
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
1 parent 814eadb commit 9bbda42

2 files changed

+8
-3
lines changed


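--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,7 @@ CHANGELOG Roundcube Webmail
 - Security: Fix XSS issue in handling of CDATA in HTML messages
 - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
 - Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
+- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
 
 RELEASE 1.4.3
 -------------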

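--- a/index.php
+++ b/index.php
@@ -106,7 +106,9 @@
 $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');
 
 // purge the session in case of new login when a session already exists
-$RCMAIL->kill_session();
+if ($request_valid) {
+$RCMAIL->kill_session();
+}
 
 $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
 'host' => $RCMAIL->autoselect_host(),
@@ -180,13 +182,15 @@
 $RCMAIL->plugins->exec_hook('login_failed', array(
 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
 
-$RCMAIL->kill_session();
+if (!isset($_SESSION['user_id'])) {
+$RCMAIL->kill_session();
+}
 }
 }
 
 // end session
 else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
-$RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
 
 $userdata = array(
 'user' => $_SESSION['username'],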
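Review bot: The new `if ($request_valid)` guard around kill_session() in the first hunk carries no comment explaining why the purge became conditional, and `$request_valid` is assigned outside the hunk, so a reader cannot tell from this spot that it reflects the request token check. Suggest extending the existing comment to `// purge the existing session only for a token-validated login request, so a forged login attempt cannot terminate an authenticated session`. The `!isset($_SESSION['user_id'])` guard in the second hunk encodes the same intent for the login-failed path and would benefit from a matching one-liner, `// keep an existing authenticated session alive when a (possibly forged) login attempt fails`, tying both guards to #7302. Whether request_security_check() on the logout branch aborts the request or merely returns on failure is not visible here, so the effectiveness of the widened `INPUT_GET | INPUT_POST` mode depends on that callee. Both guards sit inside if/else blocks that start and end outside the hunks.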
