author | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-07-21 16:02:33 +0000 |
commit | 5499336feff22f682448dd99cc00a9b36701fcd1 (patch) | |
tree | 84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /index.php | |
parent | 61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff) |
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -2,7 +2,7 @@
 /*
 +-------------------------------------------------------------------------+
 | RoundCube Webmail IMAP Client |
- | Version 0.3-20090702 |
+ | Version 0.3-20090721 |
 | |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
 | |
@@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action !
 // check client X-header to verify request origin
 if ($OUTPUT->ajax_call) {
- if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) {
+ if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) {
 header('HTTP/1.1 404 Not Found');
 die("Invalid Request");
 }
 }
+// check request token in POST form submissions
+else if (!empty($_POST) && !$RCMAIL->check_request()) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ $OUTPUT->send($RCMAIL->task);
+}
 // not logged in -> show login page |
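Review bot: The rewritten ajax check compares the `X-RoundCube-Request` header to the session token with loose `!=`, and PHP's loose comparison treats two numeric-looking strings (for example hex tokens starting with `0e`) as equal, so a header value that is not the token can still satisfy the check. Use a strict comparison, `rc_request_header('X-RoundCube-Request') !== $RCMAIL->get_request_token()`, and prefer a timing-safe string comparison where the runtime provides one. In the new POST branch it is not visible here whether `$OUTPUT->send($RCMAIL->task)` terminates the request; if it returns, execution continues past the failed token check, so an explicit `exit;` after it would make the rejection unambiguous. The enclosing `else if` chain begins before the hunk, and the hunk's trailing context appears cut off in this view.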