diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php index 217cc6a0c..c1cc47628 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php @@ -94,14 +94,15 @@ class ServiceActions throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown'); } - $xtoken = $token = Utils::GetCsrfToken(); + $token = Utils::GetCsrfToken(); if (isset($_SERVER['HTTP_X_SM_TOKEN'])) { - $xtoken = $_SERVER['HTTP_X_SM_TOKEN']; + if ($_SERVER['HTTP_X_SM_TOKEN'] !== $token) { + throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'HTTP Token mismatch'); + } } else if ($this->oHttp->IsPost()) { - $xtoken = $_POST['XToken'] ?? ''; - } - if ($xtoken !== $token) { - throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch'); + if (empty($_POST['XToken']) || $_POST['XToken'] !== $token) { + throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'XToken Token mismatch'); + } } if ($this->oActions instanceof ActionsAdmin && 0 === \stripos($sAction, 'Admin') && !\in_array($sAction, ['AdminLogin', 'AdminLogout'])) { @@ -617,9 +618,7 @@ class ServiceActions \header('Content-Type: application/json; charset=utf-8'); $this->oHttp->ServerNoCache(); try { - $sResult = Utils::jsonEncode($this->oActions->AppData($bAdmin)); - $this->oActions->logWrite($sResult, \LOG_INFO, 'APPDATA'); - return $sResult; + return Utils::jsonEncode($this->oActions->AppData($bAdmin)); } catch (\Throwable $oException) { $this->Logger()->WriteExceptionShort($oException); \MailSo\Base\Http::StatusHeader(500); diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php index 241cfdf95..32ce103af 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php @@ -69,9 +69,13 @@ class Utils public static function GetConnectionToken() : string { $oActions = \RainLoop\Api::Actions(); - $oAccount = $oActions->getAccountFromToken(false) ?: $oActions->getMainAccountFromToken(false); + $oAccount = $oActions->getAccountFromToken(false); if ($oAccount) { - return $oAccount->Hash(); + return '2-' . \sha1(APP_SALT.$oAccount->Hash()); + } + $oAccount = $oActions->getMainAccountFromToken(false); + if ($oAccount) { + return '1-' . \sha1(APP_SALT.$oAccount->Hash()); } $sToken = \SnappyMail\Cookies::get(self::CONNECTION_TOKEN); if (!$sToken) { @@ -83,7 +87,8 @@ class Utils public static function GetCsrfToken() : string { - return \sha1('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT); + return self::GetConnectionToken(); +// return \sha1('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT); } public static function UpdateConnectionToken() : void