summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2011-10-30 11:34:31 +0000
committerthomascube <thomas@roundcube.net>2011-10-30 11:34:31 +0000
commitabdf31486a946d63623c3047d08e7730926c4d86 (patch)
tree28727469589c57b0b624726d31fcddaba8f89011
parent187ff4e59719cf7b695ce9190ed3967885f557bb (diff)
Allow cross-task ajax requests
-rw-r--r--index.php2
-rw-r--r--program/include/rcmail.php2
2 files changed, 2 insertions, 2 deletions
diff --git a/index.php b/index.php
index a1eb54587..dce3db36d 100644
--- a/index.php
+++ b/index.php
@@ -195,7 +195,7 @@ else {
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
- header('HTTP/1.1 404 Not Found');
+ header('HTTP/1.1 403 Forbidden');
die("Invalid Request");
}
}
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a4a783c80..1ecdfcde0 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1268,7 +1268,7 @@ class rcmail
{
$sess_id = $_COOKIE[ini_get('session.name')];
if (!$sess_id) $sess_id = session_id();
- $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->task . $this->config->get('des_key') . $sess_id)));
+ $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->user->ID . $this->config->get('des_key') . $sess_id)));
return $plugin['value'];
}