Fix CSRF attack that can cause an authenticated user to be logged out #7302
Conversation
A login POST request without a valid token deleted the active session. The login code should not run if the session is already authenticated. A logout POST request succeeded without a valid token as the token checking code only considers GET. Logging out should therefore be restricted to GET.
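To make the two weaknesses in the description concrete, here is an added example that is not Roundcube's code: a small PHP model of a request-token check that only covers GET beside one that covers every request method, and of a login action that purges an existing session unconditionally beside one that leaves an authenticated session alone when the token is missing. All names (`new_session`, `request_valid_weak`, `request_valid`, `handle_login`, `handle_logout`, `run_scenarios`) and the `_token` parameter are hypothetical, and the session is a plain array standing in for `$_SESSION`.

```php
<?php
// Added example, not Roundcube code. Models the login/logout CSRF described in
// the PR with a weak and a hardened variant of each check. All names are
// hypothetical; the session is a plain array instead of $_SESSION.
declare(strict_types=1);

/** Fresh, unauthenticated session with a per-session request token. */
function new_session(): array {
    return ['user_id' => null, 'request_token' => bin2hex(random_bytes(16))];
}

/**
 * Weak check: the token is only verified for GET, so a cross-site POST
 * (which a form on any origin can submit) passes without any token.
 */
function request_valid_weak(array $session, string $method, array $params): bool {
    if ($method !== 'GET') {
        return true;
    }
    return isset($params['_token']) && is_string($params['_token'])
        && hash_equals($session['request_token'], $params['_token']);
}

/** Hardened check: the token is verified whatever the request method is. */
function request_valid(array $session, string $method, array $params): bool {
    return isset($params['_token']) && is_string($params['_token'])
        && hash_equals($session['request_token'], $params['_token']);
}

/**
 * Login action. The weak variant purges an existing session before it knows
 * whether the request is legitimate, so a forged POST logs the victim out.
 * The hardened variant ignores a token-less login while a user is signed in.
 */
function handle_login(array $session, bool $valid, bool $hardened): array {
    if ($hardened && $session['user_id'] !== null && !$valid) {
        return $session;   // already authenticated and no valid token: ignore
    }
    // purge the session in case of new login when a session already exists
    return new_session();  // credential verification would follow here
}

/** Logout action: only proceeds when the token check passed. */
function handle_logout(array $session, bool $valid): array {
    return $valid ? new_session() : $session;
}

/** Runs the forged-request scenarios; each entry says whether the victim stayed logged in. */
function run_scenarios(): array {
    $victim = new_session();
    $victim['user_id'] = 42;          // constructed: an authenticated user
    $forged = ['_task' => 'login'];   // cross-site POST carries no _token

    $out = [];
    // forged login POST: weak code purges the session, hardened code keeps it
    $out['login_weak_keeps_session'] =
        handle_login($victim, request_valid_weak($victim, 'POST', $forged), false)['user_id'] === 42;
    $out['login_hardened_keeps_session'] =
        handle_login($victim, request_valid($victim, 'POST', $forged), true)['user_id'] === 42;
    // forged logout POST: weak check skips the token for POST, hardened check refuses
    $out['logout_weak_keeps_session'] =
        handle_logout($victim, request_valid_weak($victim, 'POST', $forged))['user_id'] === 42;
    $out['logout_hardened_keeps_session'] =
        handle_logout($victim, request_valid($victim, 'POST', $forged))['user_id'] === 42;
    // legitimate logout carrying the token rendered into the page still works
    $legit = ['_token' => $victim['request_token']];
    $out['logout_with_token_logs_out'] =
        handle_logout($victim, request_valid($victim, 'GET', $legit))['user_id'] === null;
    return $out;
}

var_dump(run_scenarios());
```

Running it shows the two weak variants letting a forged POST log the user out (`login_weak_keeps_session` and `logout_weak_keeps_session` are false) while the hardened variants keep the session and still accept a logout that carries the session's own token.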
I have no objections to the second part of the patch, but I'm not sure about the first. I have unfortunately no better idea. I'd say that we should check the token instead, but some plugins may already implement their own validation in the 'authenticate' hook. Moving the kill_session() call after the hook may also cause some problems, or maybe not? @thomascube I need a second pair of eyes on this.
I hesitate to accept the Regarding the logout GET request: the proper solution would be to use POST requests for this action. But for now it might already be enough to consider the actual request method in the call to
That first part is a real PITA. Killing the session after authenticate hook will break some plugins (e.g. kolab_auth). Adding --- a/index.php
+++ b/index.php
@@ -106,7 +106,9 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
$pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');
// purge the session in case of new login when a session already exists
- $RCMAIL->kill_session();
+ if ($request_valid) {
+ $RCMAIL->kill_session();
+ }
$auth = $RCMAIL->plugins->exec_hook('authenticate', array(
'host' => $RCMAIL->autoselect_host(),
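Review bot: guarding only `kill_session()` leaves the rest of the login path running against the surviving session: with `$request_valid` false, the `authenticate` hook on the following lines is still executed, and plugins hooking it now see an already-populated session where before the unconditional `$RCMAIL->kill_session();` guaranteed a purged one (the kolab_auth concern raised above). Either return before the hook when `!$request_valid`, or extend the comment `// purge the session in case of new login when a session already exists` to say the purge is now conditional and why. `$request_valid` is also assigned outside this hunk, so a short comment naming where it is computed would let a reader confirm it is set before this point.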
@@ -154,7 +156,7 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
// send redirect
$OUTPUT->redirect($redir, 0, true);
}
- else {
+ else if (!isset($_SESSION['user_id'])) {-- correction: I would move that It still might be a regression for plugins that use the 'authenticate' hook, and require to kill the session on their side, but it might be still the best approach. @thomascube ? |
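Review bot: `else if (!isset($_SESSION['user_id']))` makes a token-less login against an authenticated session fall into neither branch, and nothing in the hunk says this is intentional; add a one-line comment on that line stating that such a request is ignored rather than handled as a failed login. The condition also only works because the conditional `kill_session()` earlier in the file left the session in place, so the two hunks depend on each other; a reader of this branch alone cannot tell, and a plugin that kills the session itself inside `authenticate` (the case mentioned in the discussion) would re-enable the failure branch.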
@alecpl I'd suggest to move the
@thomascube, as I said, this will break the kolab_auth plugin which sets some session vars. Of course, I can fix that plugin, but we're considering BC breaks here. You think this would be the best approach?
OK, I agree to your suggestion.
Fixed with 8344f07.