diff options
author | alecpl <alec@alec.pl> | 2010-02-26 08:06:48 +0000 |
---|---|---|
committer | alecpl <alec@alec.pl> | 2010-02-26 08:06:48 +0000 |
commit | ebc619c149f82e9151bbf672cf065447f4d12923 (patch) | |
tree | f6d05c8da628e16a772382197d175d6e2f77abdb | |
parent | 3d0ec7620fafb9acaeac25cab8e81c44a6df2228 (diff) |
- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | program/include/rcube_shared.inc | 2 | ||||
-rw-r--r-- | program/steps/mail/get.inc | 3 |
3 files changed, 4 insertions, 2 deletions
@@ -1,6 +1,7 @@ CHANGELOG RoundCube Webmail =========================== +- Fix CVE-2010-0464: Disable DNS prefetching (#1486449) - Fix Received headers to behave better with SpamAssassin (#1486513) - Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473) - Fix adding contacts SQL error on mysql (#1486459) diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index 610023f69..f4f23a26b 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -39,6 +39,8 @@ function send_nocacheing_headers() header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0"); header("Pragma: no-cache"); + // Request browser to disable DNS prefetching (CVE-2010-0464) + header("X-DNS-Prefetch-Control: off"); // We need to set the following headers to make downloads work using IE in HTTPS mode. if (rcube_https_check()) { diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index cb938c08b..a41925a65 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -41,6 +41,7 @@ if (!empty($_GET['_uid'])) { $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET)); } +send_nocacheing_headers(); // show part page if (!empty($_GET['_frame'])) { @@ -66,8 +67,6 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) { $browser = new rcube_browser; - send_nocacheing_headers(); - // send download headers if ($_GET['_download']) { header("Content-Type: application/octet-stream"); |