lines changed Original file line number Diff line number Diff line change @@ -28,6 +28,7 @@ CHANGELOG Roundcube Webmail
2828- Security: Fix XSS issue in handling of CDATA in HTML messages
2929- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
3030- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
31+ - Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
3132
3233RELEASE 1.4.3
3334-------------
Original file line number Diff line number Diff line change 106106 $ pass_charset = $ RCMAIL ->config ->get ('password_charset ' , 'UTF-8 ' );
107107
108108 // purge the session in case of new login when a session already exists
109- $ RCMAIL ->kill_session ();
109+ if ($ request_valid ) {
110+ $ RCMAIL ->kill_session ();
111+ }
110112
111113 $ auth = $ RCMAIL ->plugins ->exec_hook ('authenticate ' , array (
112114 'host ' => $ RCMAIL ->autoselect_host (),
180182 $ RCMAIL ->plugins ->exec_hook ('login_failed ' , array (
181183 'code ' => $ error_code , 'host ' => $ auth ['host ' ], 'user ' => $ auth ['user ' ]));
182184
183- $ RCMAIL ->kill_session ();
185+ if (!isset ($ _SESSION ['user_id ' ])) {
186+ $ RCMAIL ->kill_session ();
187+ }
184188 }
185189}
186190
187191// end session
188192else if ($ RCMAIL ->task == 'logout ' && isset ($ _SESSION ['user_id ' ])) {
189- $ RCMAIL ->request_security_check ($ mode = rcube_utils::INPUT_GET );
193+ $ RCMAIL ->request_security_check (rcube_utils:: INPUT_GET | rcube_utils::INPUT_POST );
190194
191195 $ userdata = array (
192196 'user ' => $ _SESSION ['username ' ],
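Review bot: The comment `// purge the session in case of new login when a session already exists` above the new `if ($request_valid)` guard is now stale, since the purge only happens when the request passed the security check; I would change it to `// purge an existing session on a new login only when the request carries a valid token, so a forged login request cannot log the user out (#7302)`. `$request_valid` is computed before this hunk, so I cannot confirm here which inputs it validates — presumably the same check the logout branch now performs for GET and POST. The second guard, `if (!isset($_SESSION['user_id']))` in the login_failed path, deserves the same why-comment, e.g. `// keep an authenticated session alive: a failed (possibly forged) login must not act as a logout`, because without it a future reader may read it as an accidental omission of cleanup. A genuine user who re-submits the login form while already logged in and fails now also keeps the old session, which looks intended but is worth a line in the changelog entry. The enclosing login handler starts before the first hunk and the logout branch continues past the last one.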