Reported by telnetsrl on 15 Jan 2016 14:26 UTC as Trac ticket #1490641
After upgrading my PHP (and forgetting to load the openssl module), very often, instead of logging out correctly, I get the CSRF warning message. It's pretty gross how I nailed it, but adding

```php
echo ("ST $sess_tok<br>TK $token");
```

just before

```php
if (empty($sess_id) || $token != $sess_tok) {
```

in program/lib/Roundcube/rcube.php, I was able to quickly understand why the comparison was failing:

```text
ST Bla$=BlahBlahBlahBlahBla+=BlahBl
TK Bla$=BlahBlahBlahBlahBla =BlahBl
ST Bla_$Bla_BlahB*Blah&%Blah&BlahBl
TK Bla_$Bla_BlahB*Blah
```

Instead of auditing lots of lines of code looking for a perfect encode/decode path, the most immediate fix is to generate random bytes that encode to themselves (or to load mod_openssl.so in PHP :)

Here is my proposed patch.

Regards
Keywords: csrf token urldecode openssl
Migrated-From: http://trac.roundcube.net/ticket/1490641
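The two failing pairs in the report have the same shape: in the first, a `+` in the session token comes back as a space; in the second, the token that comes back is cut off at the first `&`. Both are what happens when a token made of base64 characters (or anything outside `[A-Za-z0-9]`) is dropped into a query string without `urlencode()` and then form-decoded by the server. The PHP below is an added example, not Roundcube's code or the reporter's patch: it reproduces both shapes with constructed sample tokens modelled on the report, and shows the "random bytes that encode to themselves" alternative the reporter proposes. It assumes PHP 7+ (`random_bytes()`, `random_int()`); the helper names and the `token` query parameter name are hypothetical.

```php
<?php
// Added example, not Roundcube's code. Reproduces the failure shapes in the
// report above and shows a token alphabet that URL-encodes to itself.
// Assumes PHP 7+ (random_bytes(), random_int()); helper names are hypothetical.
declare(strict_types=1);

// Token built the usual way: raw random bytes, base64-encoded.
// The base64 alphabet includes '+', '/' and '='; '+' is the one that bites,
// because application/x-www-form-urlencoded decoding maps '+' to a space.
function token_base64(int $bytes = 24): string
{
    return base64_encode(random_bytes($bytes));
}

// Token drawn only from [A-Za-z0-9]. urlencode() and rawurlencode() leave these
// characters untouched, so urldecode()/parse_str() cannot alter them, and there
// is no '&', '=' or '%' to confuse a query-string parser.
function token_urlsafe(int $length = 32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max      = strlen($alphabet) - 1;
    $out      = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // CSPRNG, no modulo bias
    }
    return $out;
}

// The round trip from the report: the token lands in a query string without
// urlencode() (for example a hand-built logout link) and is parsed back on the
// server. parse_str() splits on '&', then form-decodes each value.
function round_trip_via_query_string(string $token): string
{
    parse_str('task=logout&token=' . $token, $params);   // 'token' name is assumed
    return $params['token'] ?? '';
}

// What the CSRF check should do: constant-time comparison of the value that
// came back with the value held in the session (hash_equals() instead of '!=').
function token_survives(string $token): bool
{
    return hash_equals($token, round_trip_via_query_string($token));
}

// Constructed samples modelled on the two failing pairs in the report (the real
// tokens are obfuscated there; these only reproduce the shape).
function report_samples(): array
{
    $plus_token = 'Bla$=BlahBlahBlahBlahBla+=BlahBl';   // contains '+'
    $amp_token  = 'Bla_$Bla_BlahB*Blah&%Blah&BlahBl';   // contains '&' and '%'
    return [
        'plus token survives'    => token_survives($plus_token),               // '+' -> ' '
        'amp token after trip'   => round_trip_via_query_string($amp_token),   // cut at '&'
        'base64 token survives'  => token_survives(token_base64()),            // depends on '+'
        'urlsafe token survives' => token_survives(token_urlsafe()),           // always
    ];
}

var_dump(report_samples());
```

A base64 token survives the round trip only when it happens to contain no `+`; for a 32-character token that is roughly a 40% chance of failure per token, which matches the intermittent behaviour described in the report. The `[A-Za-z0-9]` token is the same idea as the reporter's "random bytes that encode to themselves": there is nothing in it for a decoder to rewrite, so the comparison no longer depends on the encode/decode path. Whatever the alphabet, the comparison itself should be `hash_equals()` rather than `!=`, so the check does not leak timing information about the session token.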