$RCMAIL->kill_session(); $RCMAIL->plugins->exec_hook('logout_after', $userdata); } else { if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') { if (!$RCMAIL->authenticate_session()) { $OUTPUT->show_message('sessionerror', 'error'); $RCMAIL->kill_session(); } } } } // don't check for valid request tokens in these actions $request_check_whitelist = array('login' => 1, 'spell' => 1); // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token() && !empty($RCMAIL->user->ID)) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } } else { if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) { $OUTPUT->show_message('invalidrequest', 'error'); $OUTPUT->send($RCMAIL->task); } } // not logged in -> show login page if (empty($RCMAIL->user->ID)) { if ($OUTPUT->ajax_call) { $OUTPUT->redirect(array(), 2000); } if (!empty($_REQUEST['_framed'])) {
if (($RCMAIL->task == 'logout' || $RCMAIL->action == 'logout') && isset($_SESSION['user_id'])) { $OUTPUT->show_message('loggedout'); $RCMAIL->logout_actions(); $RCMAIL->kill_session(); } else { if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') { if (!$RCMAIL->authenticate_session()) { $OUTPUT->show_message('sessionerror', 'error'); $RCMAIL->kill_session(); } } } } // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } } // not logged in -> show login page if (empty($RCMAIL->user->ID)) { if ($OUTPUT->ajax_call) { $OUTPUT->redirect(array(), 2000); } // check if installer is still active if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) { $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your RoundCube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the RoundCube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser."))); } $OUTPUT->set_env('task', 'login'); $OUTPUT->send('login');
} // check if installer is still active if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) { $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser."))); } if ($session_error || $_REQUEST['_err'] == 'session') { $OUTPUT->show_message('sessionerror', 'error', null, true, -1); } $RCMAIL->set_task('login'); $OUTPUT->send('login'); } else { // don't check for valid request tokens in these actions $request_check_whitelist = array('login' => 1, 'spell' => 1); // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) { header('HTTP/1.1 403 Forbidden'); die("Invalid Request"); } } else { if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) { $OUTPUT->show_message('invalidrequest', 'error'); $OUTPUT->send($RCMAIL->task); } } // check referer if configured if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) { raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true); } } // we're ready, user is authenticated and the request is safe
// check if installer is still active if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) { $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser."))); } if ($session_error || $_REQUEST['_err'] == 'session') { $OUTPUT->show_message('sessionerror', 'error', null, true, -1); } $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array('task' => 'login', 'error' => $session_error)); $RCMAIL->set_task($plugin['task']); $OUTPUT->send($plugin['task']); } else { $request_check_whitelist = array('login' => 1, 'spell' => 1, 'spell_html' => 1); if (!$request_check_whitelist[$RCMAIL->action]) { // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { header('HTTP/1.1 403 Forbidden'); die("Invalid Request"); } } else { if (!empty($_POST) && !$RCMAIL->check_request()) { $OUTPUT->show_message('invalidrequest', 'error'); $OUTPUT->send($RCMAIL->task); } } // check referer if configured if ($RCMAIL->config->get('referer_check') && !rcube_check_referer()) { raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true); } } }