authorthomascube <thomas@roundcube.net>2007-08-10 08:27:40 +0000
committerthomascube <thomas@roundcube.net>2007-08-10 08:27:40 +0000
commit719a257f0c8fd750a4984ed56273dc653565729e (patch)
tree2707636618edff63d691180a99a48cbdda350703 /index.php
parent4b9efbb9f49911b17bde2d46b86df825e987101e (diff)
Some bugfixes, security issues + minor improvements
Diffstat (limited to 'index.php')
-rw-r--r--index.php15
1 files changed, 13 insertions, 2 deletions
diff --git a/index.php b/index.php
index 9908cf2a0..6e8b7ffa8 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
/*
+-----------------------------------------------------------------------+
| RoundCube Webmail IMAP Client |
- | Version 0.1-20070518 |
+ | Version 0.1-20070809 |
| |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
@@ -41,7 +41,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '0.1-20070517');
+define('RCMAIL_VERSION', '0.1-20070809');
define('RCMAIL_CHARSET', 'UTF-8');
define('JS_OBJECT_NAME', 'rcmail');
@@ -218,6 +218,17 @@ if (empty($_SESSION['user_id']))
}
+// check client X-header to verify request origin
+if ($OUTPUT->ajax_call)
+{
+ $hdrs = getallheaders();
+ if (empty($hdrs['X-RoundCube-Referer']) && empty($CONFIG['devel_mode']))
+ {
+ header('HTTP/1.1 404 Not Found');
+ die("Invalid Request");
+ }
+}
+
// set task and action to client
$OUTPUT->set_env('task', $_task);
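Review bot: The new origin check calls `getallheaders()`, which at this PHP vintage exists only under the Apache module SAPI, so on CGI/FastCGI deployments the first AJAX request dies with a fatal "undefined function" rather than a 404; it also indexes the returned array with the exact spelling `X-RoundCube-Referer`, while HTTP header names are case-insensitive and `getallheaders()` returns whatever case the client sent, so a proxy that normalises case would lock every AJAX call out. Both go away by reading the CGI-normalised key instead, which every SAPI populates: `if (empty($_SERVER['HTTP_X_ROUNDCUBE_REFERER']) && empty($CONFIG['devel_mode']))` and drop the `$hdrs = getallheaders();` line. Note also that the check is presence-only (any value passes), so it relies on browsers refusing to attach custom headers to cross-site form posts, not on a secret the attacker lacks; a comment saying so, e.g. `// presence of the custom header is the whole check: browsers will not send it on cross-site form submissions`, would keep a later maintainer from mistaking it for a token check. The `devel_mode` bypass disables the protection entirely, so it is worth a warning in the config sample that it must not be set on a reachable installation.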