Hello! Michael Orlitzky <[email protected]> wrote on 08.04.19 at 20:23:20:
> On 4/8/19 6:50 PM, Andreas Meyer wrote:
> >
> > What happened here that all of a sudden I don't have a working roundcube
> > anymore? Where does this CSRF problem come from? I just upgraded to version
> > 1.3.9 and the problem remains.
> >
>
> This just happens every once in a while, and nobody has a good answer.
> Our users certainly don't know what to do. They call us, we don't know
> what to do. I started disabling the CSRF protection entirely:
>
> 1. Open program/lib/Roundcube/rcube.php
> 2. Search for "public function check_request"
> 3. Have it always return true.
I fear I don't know how to do that. I don't know much about PHP if at all.
    public function check_request($mode = rcube_utils::INPUT_POST)
    {
        // check secure token in URL if enabled
        if ($token = $this->get_secure_url_token()) {
            foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
                if ($tok == $token) {
                    return true;
                }
            }
            $this->request_status = self::REQUEST_ERROR_URL;
            return false;
        }

        $sess_tok = $this->get_request_token();

        // ajax requests
        if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) {
            return true;
        }

        // skip empty requests
        if (($mode == rcube_utils::INPUT_POST && empty($_POST))
            || ($mode == rcube_utils::INPUT_GET && empty($_GET))
        ) {
            return true;
        }

        // default method of securing requests
        $token   = rcube_utils::get_input_value('_token', $mode);
        $sess_id = $_COOKIE[ini_get('session.name')];

        if (empty($sess_id) || $token !== $sess_tok) {
            $this->request_status = self::REQUEST_ERROR_TOKEN;
            return false;
        }

        return true;
    }
What do I need to change here?
Kind regards
Andreas
--
PGP-Fingerprint: D392 5D21 0299 63D7 5BAE 4562 1E56 B2EA 81A2 59F1
_______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
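The function pasted above decides whether a request passes Roundcube's CSRF check; the following stand-alone PHP script is an added example (not Roundcube's own code and not from the original thread) that models the same decision logic so each branch can be exercised from the command line. The function name `request_is_valid`, the `$request` array keys and the sample requests are assumptions constructed for this example; `hash_equals` is used in place of the `==`/`!==` comparisons in the original to make the token comparison constant-time.

```php
<?php
// Added example (not Roundcube code): a CLI model of rcube::check_request().
// The $request array stands in for $_SERVER, $_POST, $_COOKIE and the
// X-Roundcube-Request header so the script runs without a web server.

const REQUEST_OK          = 'ok';
const REQUEST_ERROR_TOKEN = 'error_token';  // mirrors self::REQUEST_ERROR_TOKEN
const REQUEST_ERROR_URL   = 'error_url';    // mirrors self::REQUEST_ERROR_URL

/**
 * $request keys (assumed for this example):
 *   'uri'         => REQUEST_URI
 *   'post'        => submitted form fields (array)
 *   'ajax_header' => value of X-Roundcube-Request, or null
 *   'session_id'  => value of the session cookie, or null
 * $session_token is the server-side per-session token (what
 * get_request_token() returns); $url_token is the optional secure URL
 * token (null when that feature is disabled).
 */
function request_is_valid(array $request, string $session_token, ?string $url_token = null): string
{
    // 1. Secure-URL mode: the token must appear as a path segment.
    if ($url_token !== null && $url_token !== '') {
        $path = preg_replace('/[?#&].*$/', '', $request['uri'] ?? '');
        foreach (explode('/', $path) as $tok) {
            if (hash_equals($url_token, $tok)) {
                return REQUEST_OK;
            }
        }
        return REQUEST_ERROR_URL;
    }

    // 2. AJAX requests carry the session token in a custom header, which a
    //    cross-site form submission cannot set.
    if (isset($request['ajax_header']) && hash_equals($session_token, $request['ajax_header'])) {
        return REQUEST_OK;
    }

    // 3. A request with no form fields has nothing to protect.
    if (empty($request['post'])) {
        return REQUEST_OK;
    }

    // 4. Default: a session cookie must be present and the _token form field
    //    must equal the session token. A missing cookie or a token from an
    //    older session lands here and is reported as a CSRF error.
    $form_token = (string) ($request['post']['_token'] ?? '');
    if (empty($request['session_id']) || !hash_equals($session_token, $form_token)) {
        return REQUEST_ERROR_TOKEN;
    }

    return REQUEST_OK;
}

// Constructed sample requests, all checked against one server-side token.
$sess_tok = bin2hex(random_bytes(16));
$cases = [
    'valid form post'      => ['uri' => '/?_task=mail', 'post' => ['_token' => $sess_tok, 'subject' => 'hi'], 'session_id' => 'sid1', 'ajax_header' => null],
    'ajax with header'     => ['uri' => '/?_task=mail', 'post' => ['x' => 1], 'session_id' => 'sid1', 'ajax_header' => $sess_tok],
    'no session cookie'    => ['uri' => '/?_task=mail', 'post' => ['_token' => $sess_tok], 'session_id' => null, 'ajax_header' => null],
    'stale form token'     => ['uri' => '/?_task=mail', 'post' => ['_token' => 'old-token'], 'session_id' => 'sid1', 'ajax_header' => null],
    'plain GET, no fields' => ['uri' => '/?_task=mail', 'post' => [], 'session_id' => null, 'ajax_header' => null],
];
foreach ($cases as $name => $req) {
    printf("%-22s => %s\n", $name, request_is_valid($req, $sess_tok));
}

// Secure-URL mode: the token is expected as a path segment.
printf("%-22s => %s\n", 'url token in path', request_is_valid(['uri' => '/tok123/?_task=mail', 'post' => []], $sess_tok, 'tok123'));
printf("%-22s => %s\n", 'url token missing', request_is_valid(['uri' => '/?_task=mail', 'post' => []], $sess_tok, 'tok123'));
```

Run it with `php check_request_model.php`. The "no session cookie" and "stale form token" cases are the two conditions under which the original's `REQUEST_ERROR_TOKEN` branch fires, which is the path that surfaces to users as a CSRF error; having the check return `true` unconditionally removes the protection for every request rather than addressing why the session token and form token differ.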
