Backport r5375 to release branch

author: thomascube <thomas@roundcube.net> 2011-10-30 11:37:41 +0000
committer: thomascube <thomas@roundcube.net> 2011-10-30 11:37:41 +0000
commit: 44a352b7b8ef4723030e6af2131ebadb4ba525cf (patch)
tree: 0e96011d39b23450cc6792b88ec326f44c83139b
parent: f1654a33b271f80422729f72d58695130724cb98 (diff)
2 files changed, 2 insertions, 2 deletions
diff --git a/index.php b/index.php
index de40cced1..e8c6cef24 100644
--- a/index.php
+++ b/index.php
@@ -195,7 +195,7 @@ else {
   // check client X-header to verify request origin
   if ($OUTPUT->ajax_call) {
     if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
-      header('HTTP/1.1 404 Not Found');
+      header('HTTP/1.1 403 Forbidden');
       die("Invalid Request");
     }
   }
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index a4a783c80..1ecdfcde0 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1268,7 +1268,7 @@ class rcmail
   {
     $sess_id = $_COOKIE[ini_get('session.name')];
     if (!$sess_id) $sess_id = session_id();
-    $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->task . $this->config->get('des_key') . $sess_id)));
+    $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->user->ID . $this->config->get('des_key') . $sess_id)));
     return $plugin['value'];
   }
author	thomascube <thomas@roundcube.net>	2011-10-30 11:37:41 +0000
committer	thomascube <thomas@roundcube.net>	2011-10-30 11:37:41 +0000
commit	44a352b7b8ef4723030e6af2131ebadb4ba525cf (patch)
tree	0e96011d39b23450cc6792b88ec326f44c83139b
parent	f1654a33b271f80422729f72d58695130724cb98 (diff)