From ab0b51a1fef87bcc643c3aaf2e635c811b28ccd8 Mon Sep 17 00:00:00 2001
From: alecpl <alec@alec.pl>
Date: Tue, 15 Feb 2011 06:10:59 -0500
Subject: [PATCH] - Use only one from IMAP authentication methods to prevent login delays (1487784)
---
 index.php | 96 ++++++++++++++++++-----------------------------
 1 files changed, 37 insertions(+), 59 deletions(-)
diff --git a/index.php b/index.php
index a46c415..1b15226 100644
--- a/index.php
+++ b/index.php
@@ -2,9 +2,9 @@
 /*
 +-------------------------------------------------------------------------+
 | Roundcube Webmail IMAP Client |
- | Version 0.4-20100807 |
+ | Version 0.6-svn |
 | |
- | Copyright (C) 2005-2010, Roundcube Dev. - Switzerland |
+ | Copyright (C) 2005-2011, The Roundcube Dev Team |
 | |
 | This program is free software; you can redistribute it and/or modify |
 | it under the terms of the GNU General Public License version 2 |
@@ -75,24 +75,25 @@
 // try to log in
 if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
+
 // purge the session in case of new login when a session already exists
 $RCMAIL->kill_session();
-
+
 $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
 'host' => $RCMAIL->autoselect_host(),
 'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
+ 'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
+ $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
 'cookiecheck' => true,
+ 'valid' => $request_valid,
 ));
-
- if (!isset($auth['pass']))
- $auth['pass'] = get_input_value('_pass', RCUBE_INPUT_POST, true,
- $RCMAIL->config->get('password_charset', 'ISO-8859-1'));
 // check if client supports cookies
 if ($auth['cookiecheck'] && empty($_COOKIE)) {
 $OUTPUT->show_message("cookiesdisabled", 'warning');
 }
- else if ($_SESSION['temp'] && !$auth['abort'] &&
+ else if ($auth['valid'] && !$auth['abort'] &&
 !empty($auth['host']) && !empty($auth['user']) &&
 $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
 // create new session ID
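Review bot: `$auth['valid']` is what gates the login in the new `else if`, and a plugin answering the `authenticate` hook can set it independently of `$request_valid`, so the form-token check can be switched off by plugin code. If that is the intended escape hatch for plugins that authenticate the request by other means, say so next to `'valid' => $request_valid,`, e.g. `// plugins may set 'valid' => true only when they authenticate the request themselves (bypasses the CSRF token check)`. If it is not intended, gate on both values: `else if ($request_valid && $auth['valid'] && !$auth['abort'] &&`. The token is read from `$_SESSION['temp']` before `kill_session()` runs, which is the right order; the enclosing `if` block continues past this hunk.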
@@ -100,32 +101,40 @@
 $RCMAIL->session->regenerate_id();
 // send auth cookie if necessary
- $RCMAIL->authenticate_session();
+ $RCMAIL->session->set_auth_cookie();
 // log successful login
 rcmail_log_login();
 // restore original request parameters
 $query = array();
- if ($url = get_input_value('_url', RCUBE_INPUT_POST))
+ if ($url = get_input_value('_url', RCUBE_INPUT_POST)) {
 parse_str($url, $query);
+
+ // prevent endless looping on login page
+ if ($query['_task'] == 'login')
+ unset($query['_task']);
+ }
 // allow plugins to control the redirect url after login success
- $redir = $RCMAIL->plugins->exec_hook('login_after', $query);
+ $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
 unset($redir['abort']);
 // send redirect
 $OUTPUT->redirect($redir);
 }
 else {
- $OUTPUT->show_message($IMAP->error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
- $RCMAIL->plugins->exec_hook('login_failed', array('code' => $IMAP->error_code, 'host' => $auth['host'], 'user' => $auth['user']));
+ $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
+
+ $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
+ $RCMAIL->plugins->exec_hook('login_failed', array(
+ 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
 $RCMAIL->kill_session();
 }
 }
-// end session
-else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
+// end session (after optional referer check)
+else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) {
 $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
 $OUTPUT->show_message('loggedout');
 $RCMAIL->logout_actions();
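Review bot: The new `_task` guard reads `$query['_task']` without checking the key exists and compares with a loose `==`, so any `_url` that carries no `_task` raises a notice; `if (isset($query['_task']) && $query['_task'] === 'login')` is the safer form. `$query` is parsed straight out of the POSTed `_url` and becomes the post-login redirect target, so this relies on `$OUTPUT->redirect()` composing an internal URL from the parameter array rather than emitting a raw URL — presumably it does, but a one-line comment here, `// $query holds request parameters only; redirect() builds the internal URL`, would stop someone later passing a string through. The login `if` block and the `else if` chain both extend beyond this hunk.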
@@ -135,7 +144,7 @@
 // check session and auth cookie
 else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
- if (!$RCMAIL->authenticate_session()) {
+ if (!$RCMAIL->session->check_auth()) {
 $OUTPUT->show_message('sessionerror', 'error');
 $RCMAIL->kill_session();
 }
@@ -161,7 +170,7 @@
 );
 }
- $OUTPUT->set_env('task', 'login');
+ $RCMAIL->set_task('login');
 $OUTPUT->send('login');
 }
 // CSRF prevention
@@ -181,6 +190,14 @@
 $OUTPUT->show_message('invalidrequest', 'error');
 $OUTPUT->send($RCMAIL->task);
 }
+
+ // check referer if configured
+ if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
+ raise_error(array(
+ 'code' => 403,
+ 'type' => 'php',
+ 'message' => "Referer check failed"), true, true);
+ }
 }
 // handle special actions
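Review bot: `!$request_check_whitelist[$RCMAIL->action]` in the new referer check raises an undefined-index notice for every action that is not whitelisted, which is the common case; `empty($request_check_whitelist[$RCMAIL->action])` keeps the intent without the notice. Whether a request with no Referer header at all is rejected depends on `rcube_check_referer()`, which is not in the diff; if it treats an absent header as failure, users behind Referer-stripping proxies or browser privacy settings will get the 403 on every non-whitelisted action once `referer_check` is enabled. The option's documentation should state that this is a secondary defence behind the request token check that precedes it, not a replacement for it. The enclosing CSRF-prevention block begins outside this hunk.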
@@ -193,44 +210,6 @@
 }
-// map task/action to a certain include file
-$action_map = array(
- 'mail' => array(
- 'preview' => 'show.inc',
- 'print' => 'show.inc',
- 'moveto' => 'move_del.inc',
- 'delete' => 'move_del.inc',
- 'send' => 'sendmail.inc',
- 'expunge' => 'folders.inc',
- 'purge' => 'folders.inc',
- 'remove-attachment' => 'attachments.inc',
- 'display-attachment' => 'attachments.inc',
- 'upload' => 'attachments.inc',
- 'group-expand' => 'autocomplete.inc',
- ),
-
- 'addressbook' => array(
- 'add' => 'edit.inc',
- 'group-create' => 'groups.inc',
- 'group-rename' => 'groups.inc',
- 'group-delete' => 'groups.inc',
- 'group-addmembers' => 'groups.inc',
- 'group-delmembers' => 'groups.inc',
- ),
-
- 'settings' => array(
- 'folders' => 'manage_folders.inc',
- 'create-folder' => 'manage_folders.inc',
- 'rename-folder' => 'manage_folders.inc',
- 'delete-folder' => 'manage_folders.inc',
- 'subscribe' => 'manage_folders.inc',
- 'unsubscribe' => 'manage_folders.inc',
- 'enable-threading' => 'manage_folders.inc',
- 'disable-threading' => 'manage_folders.inc',
- 'add-identity' => 'edit_identity.inc',
- )
-);
-
 // include task specific functions
 if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc'))
 include_once($incfile);
@@ -238,9 +217,6 @@
 // allow 5 "redirects" to another action
 $redirects = 0; $incstep = null;
 while ($redirects < 5) {
- $stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ?
- $action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc';
-
 // execute a plugin action
 if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
 $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
@@ -251,7 +227,9 @@
 break;
 }
 // try to include the step file
- else if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) {
+ else if (($stepfile = $RCMAIL->get_action_file())
+ && is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)
+ ) {
 include($incfile);
 $redirects++;
 }
-- Gitblit v1.9.1
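Review bot: The include path `'program/steps/'.$RCMAIL->task.'/'.$stepfile` in the last hunk is still assembled from request-controlled task and action values, and the old `strtr()`-based derivation of `$stepfile` is gone, so path safety now rests entirely on `$RCMAIL->get_action_file()` and on whatever `set_task()` does to `$RCMAIL->task`, neither of which is visible here; an `include()` site should not depend silently on that. A local guard costs one line in the condition before `is_file()`: `&& basename($stepfile) === $stepfile && preg_match('/^[a-z0-9_-]+$/', $RCMAIL->task)`. The same guard would suit the `func.inc` include in the first hunk, which builds its path from `$RCMAIL->task` alone. The `while` loop enclosing the last hunk starts outside it.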