summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoralecpl <alec@alec.pl>2010-02-26 08:06:48 +0000
committeralecpl <alec@alec.pl>2010-02-26 08:06:48 +0000
commitebc619c149f82e9151bbf672cf065447f4d12923 (patch)
treef6d05c8da628e16a772382197d175d6e2f77abdb
parent3d0ec7620fafb9acaeac25cab8e81c44a6df2228 (diff)
- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)
-rw-r--r--CHANGELOG1
-rw-r--r--program/include/rcube_shared.inc2
-rw-r--r--program/steps/mail/get.inc3
3 files changed, 4 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 184d06a83..1093b0746 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG RoundCube Webmail
===========================
+- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)
- Fix Received headers to behave better with SpamAssassin (#1486513)
- Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473)
- Fix adding contacts SQL error on mysql (#1486459)
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index 610023f69..f4f23a26b 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -39,6 +39,8 @@ function send_nocacheing_headers()
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
+ // Request browser to disable DNS prefetching (CVE-2010-0464)
+ header("X-DNS-Prefetch-Control: off");
// We need to set the following headers to make downloads work using IE in HTTPS mode.
if (rcube_https_check()) {
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index cb938c08b..a41925a65 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -41,6 +41,7 @@ if (!empty($_GET['_uid'])) {
$MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
}
+send_nocacheing_headers();
// show part page
if (!empty($_GET['_frame'])) {
@@ -66,8 +67,6 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
$browser = new rcube_browser;
- send_nocacheing_headers();
-
// send download headers
if ($_GET['_download']) {
header("Content-Type: application/octet-stream");