fix(core): add CSRF token to HordePopup.popup at click time #171
Open
TDannhauer wants to merge 1 commit into
Conversation
HordePopup.popup() did not merge session ID and CSRF token into popup URLs, unlike HordeCore.popupWindow(). Append them at open time via HordeCore.addRequestParams() when available. Seed per-session token_secret_key before closing read-only sessions so view/download endpoints can validate HMAC tokens. ViewModeConfigurator: emit modern HMAC TOKEN for HordeCore.conf instead of the legacy empty horde.token session slot.
ralflang (Member) requested changes on Jun 22, 2026 and left a comment:
I don't like adding session ID to ajax URLs like it's 1998. These belong into a header (cookie or other).
TDannhauer (Contributor, Author) replied:
Feel free to adapt 🙂 Sessions and tokens are your expertise.
Summary
- HordePopup.popup(): append the session ID and CSRF token to the URL at click time via HordeCore.addRequestParams().
- Ensure token_secret_key exists before read-only sessions are closed, so download/view scripts can validate HMAC tokens.
- Update ViewModeConfigurator to expose a modern HMAC token as HordeCore.conf.TOKEN instead of the legacy empty session slot.
Motivation
After Horde 6 switched to HMAC CSRF tokens, IMP links that open MIME parts in a popup (e.g. “View HTML data in new window”) failed with “Invalid token!” and showed the portal instead of the message.
Horde::popupJs() uses HordePopup.popup(), which never appended token/SID parameters, unlike HordeCore.popupWindow().
Changes
- js/popup.js: call HordeCore.addRequestParams() before window.open().
- lib/Horde/Registry.php: seed per-session CSRF secret before SESSION_READONLY close.
- src/PageOutput/ViewModeConfigurator.php (+ factory, tests): use Horde\Token\Token for TOKEN.
Test plan
- Horde::popupJs() popups (help, prefs import, etc.) still open and authenticate correctly.
- vendor/bin/phpunit -c phpunit.xml.dist test/Unit/PageOutput/ViewModeConfiguratorTest.php test/Unit/PageOutput/ViewModeConfiguratorDiscovererTest.php
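As an added illustration (not Horde's own code and not part of this PR), the snippet below shows the click-time merge the Changes list describes: a URL helper that appends the CSRF token when the popup is opened rather than when the link was rendered, so a token rotated after page render is still the one the popup carries, with the existing query string and fragment preserved and any stale token parameter replaced. The names csrfState, addRequestParams, buildPopupUrl, makePopupOpener, rotateToken and the horde.example base are hypothetical stand-ins for HordeCore.conf.TOKEN and HordeCore.addRequestParams(); following the reviewer's objection, the session ID is only appended on explicit request. It runs under Node or in a browser.

```javascript
'use strict';
// Added example, not Horde code. Hypothetical client-side state standing in
// for HordeCore.conf: the app rotates TOKEN after each authenticated response.
const csrfState = { TOKEN: 'tok-render-time', SID: 'sess-abc' };

// Base for resolving relative popup paths: location.href in a browser, a
// constructed placeholder under Node.
const BASE = (typeof location !== 'undefined') ? location.href : 'https://horde.example/';

function rotateToken(newToken) { csrfState.TOKEN = newToken; }
function getToken() { return csrfState.TOKEN; }

// Merge params into a URL. Preserves the existing query string and fragment,
// replaces any stale copy of the same parameter, and skips empty values
// (an empty token= is as useless as none; the server still rejects it).
function addRequestParams(urlString, params) {
  const url = new URL(urlString, BASE);
  for (const [key, value] of Object.entries(params)) {
    if (value === undefined || value === null || value === '') continue;
    url.searchParams.set(key, String(value));
  }
  return url.href;
}

// The pattern the PR fixes: token baked into the href when the page is
// rendered. If the token rotates before the user clicks, the popup fails
// with "Invalid token!".
function renderTimeUrl(urlString) {
  return addRequestParams(urlString, { token: getToken() });
}

// The fixed pattern: compute the URL when the popup is opened. window.open()
// cannot set request headers, so a navigation popup has to carry the token
// in the URL (or rely on a cookie-bound check server-side); an XHR could use
// a header instead. The session ID is opt-in only.
function buildPopupUrl(urlString, opts = {}) {
  const params = { token: getToken() };
  if (opts.includeSid) params.SID = csrfState.SID;
  return addRequestParams(urlString, params);
}

// Returns a click handler. `opener` defaults to returning the URL so the
// behaviour can be checked without a window; in a browser pass window.open.
function makePopupOpener(urlString, opener = (u) => u) {
  return (opts) => opener(buildPopupUrl(urlString, opts));
}

// Stand-alone demonstration of the stale-token failure mode.
function demo() {
  rotateToken('tok-render-time');
  const link = '/imp/view.php?actionID=view_attach&id=2#top';   // constructed link
  const stale = renderTimeUrl(link);     // token captured at render time
  const open = makePopupOpener(link);    // URL evaluated at click time
  rotateToken('tok-rotated');            // server rotated the token meanwhile
  return { stale, fresh: open() };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Because window.open() is a navigation rather than an XHR, the header route the reviewer prefers is only available if the view/download endpoint validates against a cookie-bound secret instead of a URL parameter; that is why the PR's token_secret_key seeding and the URL parameter go together.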