'[SM-CVS] SF.net SVN: squirrelmail:[14769] branches/SM-1_4-STABLE/squirrelmail/ functions/strings.php'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[14769] branches/SM-1_4-STABLE/squirrelmail/ functions/strings.php
From:       pdontthink--- via squirrelmail-cvs <squirrelmail-cvs () lists ! sourceforge ! net>
Date:       2018-08-25 20:27:50
Message-ID: 1535228870.514436.8239 () sfp-scm-3 ! v30 ! lw ! sourceforge ! com
[Download RAW message or body]

Revision: 14769
          http://sourceforge.net/p/squirrelmail/code/14769
Author:   pdontthink
Date:     2018-08-25 20:27:49 +0000 (Sat, 25 Aug 2018)
Log Message:
-----------
Add session-based security token functionality (enabled by default)

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/functions/strings.php

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2018-07-29 08:37:53 UTC \
                (rev 14768)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2018-08-25 20:27:49 UTC \
(rev 14769) @@ -1323,8 +1323,18 @@
 /**
   * Generates a security token that is then stored in
   * the user's preferences with a timestamp for later
-  * verification/use.
+  * verification/use (although session-based tokens
+  * are not stored in user preferences).
   *
+  * NOTE: By default SquirrelMail will use a single session-based
+  *       token, but if desired, user tokens can have expiration
+  *       dates associated with them and become invalid even during
+  *       the same login session.  When in that mode, the note
+  *       immediately below applies, otherwise it is irrelevant.
+  *       To enable that mode, the administrator must add the
+  *       following to config/config_local.php:
+  *       $use_expiring_security_tokens = TRUE;
+  *
   * NOTE: The administrator can force SquirrelMail to generate
   * a new token every time one is requested (which may increase
   * obscurity through token randomness at the cost of some
@@ -1354,9 +1364,24 @@
 function sm_generate_security_token($force_generate_new=FALSE)
 {
 
-   global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
+   global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token,
+          $use_expiring_security_tokens;
    $max_generation_tries = 1000;
 
+   // if we're using session-based tokens, just return
+   // the same one every time (generate it if it's not there)
+   //
+   if (!$use_expiring_security_tokens)
+   {
+      if (sqgetGlobalVar('sm_security_token', $token, SQ_SESSION))
+         return $token;
+
+      // create new one since there was none in session
+      $token = GenerateRandomString(12, '', 7);
+      sqsession_register($token, 'sm_security_token');
+      return $token;
+   }
+
    $tokens = sm_get_user_security_tokens();
 
    if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
@@ -1395,6 +1420,9 @@
   * overrides that value using $max_token_age_days in
   * config/config_local.php
   *
+  * Session-based tokens of course are always reused and are
+  * valid for the lifetime of the login session.
+  *
   * WARNING: If the administrator has turned the token system
   *          off by setting $disable_security_tokens to TRUE in
   *          config/config.php or the configuration tool, this
@@ -1429,6 +1457,7 @@
 {
 
    global $data_dir, $username, $max_token_age_days,
+          $use_expiring_security_tokens,
           $disable_security_tokens;
 
    // bypass token validation?  CAREFUL!
@@ -1435,6 +1464,26 @@
    //
    if ($disable_security_tokens) return TRUE;
 
+   // if we're using session-based tokens, just compare
+   // the same one every time
+   //
+   if (!$use_expiring_security_tokens)
+   {
+      if (!sqgetGlobalVar('sm_security_token', $session_token, SQ_SESSION))
+      {
+         if (!$show_error) return FALSE;
+         logout_error(_("Fatal security token error; please log in again"));
+         exit;
+      }
+      if ($token !== $session_token)
+      {
+         if (!$show_error) return FALSE;
+         logout_error(_("The current page request appears to have originated from an \
untrusted source.")); +         exit;
+      }
+      return TRUE;
+   }
+
    // don't purge old tokens here because we already
    // do it when generating tokens
    //

This was sent by the SourceForge.net collaborative development platform, the world's \
largest Open Source development site.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
-----
squirrelmail-cvs mailing list
List address: squirrelmail-cvs@lists.sourceforge.net
List info (subscribe/unsubscribe/change options): \
                https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
Repository: http://squirrelmail.org/svn


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic