diff options
author | thomascube <thomas@roundcube.net> | 2011-10-30 11:34:31 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2011-10-30 11:34:31 +0000 |
commit | abdf31486a946d63623c3047d08e7730926c4d86 (patch) | |
tree | 28727469589c57b0b624726d31fcddaba8f89011 | |
parent | 187ff4e59719cf7b695ce9190ed3967885f557bb (diff) |
Allow cross-task ajax requests
-rw-r--r-- | index.php | 2 | ||||
-rw-r--r-- | program/include/rcmail.php | 2 |
2 files changed, 2 insertions, 2 deletions
@@ -195,7 +195,7 @@ else { // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) { - header('HTTP/1.1 404 Not Found'); + header('HTTP/1.1 403 Forbidden'); die("Invalid Request"); } } diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a4a783c80..1ecdfcde0 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -1268,7 +1268,7 @@ class rcmail { $sess_id = $_COOKIE[ini_get('session.name')]; if (!$sess_id) $sess_id = session_id(); - $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->task . $this->config->get('des_key') . $sess_id))); + $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->user->ID . $this->config->get('des_key') . $sess_id))); return $plugin['value']; } |