Force token for #892

2025-11-08 06:11:37 +08:00 · 2023-01-31 10:49:06 +01:00 · 2023-01-31 10:49:06 +01:00 · b1c9bebce6
commit b1c9bebce6
parent 977dc1e5e4
4 changed files with 3 additions and 11 deletions
--- a/.docker/release/files/usr/local/include/application.ini
+++ b/.docker/release/files/usr/local/include/application.ini
@ -53,8 +53,6 @@ pdo_password = ""
 suggestions_limit = 30

 [security]
-; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
-csrf_protection = On
 custom_server_signature = "SnappyMail"
 x_xss_protection_header = "1; mode=block"
 openpgp = Off
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
@ -621,7 +621,7 @@ class Actions
 			'System' => \array_merge(
 				array(
 					'version' => APP_VERSION,
-					'token' => $oConfig->Get('security', 'csrf_protection', true) ? Utils::GetCsrfToken() : '',
+					'token' => Utils::GetCsrfToken(),
 					'languages' => \SnappyMail\L10n::getLanguages(false),
 					'webPath' => \RainLoop\Utils::WebPath(),
 					'webVersionPath' => \RainLoop\Utils::WebVersionPath()
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
@ -183,9 +183,6 @@ class Application extends \RainLoop\Config\AbstractConfig
 			),

 			'security' => array(
-				'csrf_protection'    => array(true,
-				    'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'),
-
 				'custom_server_signature'    => array('SnappyMail'),
 				'x_xss_protection_header'    => array('1; mode=block'),

--- a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
@ -92,11 +92,8 @@ class ServiceActions
 				throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
 			}

-			if ($this->oHttp->IsPost() &&
-				$this->Config()->Get('security', 'csrf_protection', true) &&
-				($_POST['XToken'] ?? '') !== Utils::GetCsrfToken())
-			{
-				throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'CSRF failed');
+			if ($this->oHttp->IsPost() && ($_POST['XToken'] ?? '') !== Utils::GetCsrfToken()) {
+				throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
 			}

 			if ($this->oActions instanceof ActionsAdmin && 0 === \stripos($sAction, 'Admin') && !\in_array($sAction, ['AdminLogin', 'AdminLogout'])) {