Improved InvalidToken debugging

This commit is contained in:
the-djmaze 2024-07-08 10:53:03 +02:00
parent 34a8ff3ce3
commit ed0223fbb8
2 changed files with 16 additions and 12 deletions


@ -94,14 +94,15 @@ class ServiceActions
throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
}
$xtoken = $token = Utils::GetCsrfToken();
$token = Utils::GetCsrfToken();
if (isset($_SERVER['HTTP_X_SM_TOKEN'])) {
$xtoken = $_SERVER['HTTP_X_SM_TOKEN'];
if ($_SERVER['HTTP_X_SM_TOKEN'] !== $token) {
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'HTTP Token mismatch');
}
} else if ($this->oHttp->IsPost()) {
$xtoken = $_POST['XToken'] ?? '';
}
if ($xtoken !== $token) {
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
if (empty($_POST['XToken']) || $_POST['XToken'] !== $token) {
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'XToken Token mismatch');
}
}
if ($this->oActions instanceof ActionsAdmin && 0 === \stripos($sAction, 'Admin') && !\in_array($sAction, ['AdminLogin', 'AdminLogout'])) {
@ -617,9 +618,7 @@ class ServiceActions
\header('Content-Type: application/json; charset=utf-8');
$this->oHttp->ServerNoCache();
try {
$sResult = Utils::jsonEncode($this->oActions->AppData($bAdmin));
$this->oActions->logWrite($sResult, \LOG_INFO, 'APPDATA');
return $sResult;
return Utils::jsonEncode($this->oActions->AppData($bAdmin));
} catch (\Throwable $oException) {
$this->Logger()->WriteExceptionShort($oException);
\MailSo\Base\Http::StatusHeader(500);
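Review bot: Both new token checks in the first hunk (`$_SERVER['HTTP_X_SM_TOKEN'] !== $token` and `$_POST['XToken'] !== $token`) compare a secret with `!==`, which stops at the first differing byte; the removed lines used the same operator, so this is pre-existing, but the rewrite is the moment to switch to constant-time `\hash_equals()`, in the same `\fn` style the file uses for `\stripos` and `\in_array`. On PHP 8 `\hash_equals()` throws `TypeError` on a non-string argument, and `$_POST['XToken']` can arrive as an array, so the POST branch should type-guard before comparing: `if (!\is_string($_POST['XToken'] ?? null) || !\hash_equals($token, $_POST['XToken'])) {` and the header branch `if (!\hash_equals($token, $_SERVER['HTTP_X_SM_TOKEN'])) {`. As in the old code, a non-POST request without the header reaches the admin check below with no token comparison at all; if that is intended for GET actions, a one-line comment on the `else if` saying so would spare the next reader the question. The enclosing method begins before the hunk.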


@ -69,9 +69,13 @@ class Utils
public static function GetConnectionToken() : string
{
$oActions = \RainLoop\Api::Actions();
$oAccount = $oActions->getAccountFromToken(false) ?: $oActions->getMainAccountFromToken(false);
$oAccount = $oActions->getAccountFromToken(false);
if ($oAccount) {
return $oAccount->Hash();
return '2-' . \sha1(APP_SALT.$oAccount->Hash());
}
$oAccount = $oActions->getMainAccountFromToken(false);
if ($oAccount) {
return '1-' . \sha1(APP_SALT.$oAccount->Hash());
}
$sToken = \SnappyMail\Cookies::get(self::CONNECTION_TOKEN);
if (!$sToken) {
@ -83,7 +87,8 @@ class Utils
public static function GetCsrfToken() : string
{
return \sha1('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT);
return self::GetConnectionToken();
// return \sha1('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT);
}
public static function UpdateConnectionToken() : void