authorthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
committerthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
commit5499336feff22f682448dd99cc00a9b36701fcd1 (patch)
tree84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /index.php
parent61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff)
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'index.php')
-rw-r--r--index.php9
1 files changed, 7 insertions, 2 deletions
diff --git a/index.php b/index.php
index 2767277f7..c5a1049e9 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
/*
+-------------------------------------------------------------------------+
| RoundCube Webmail IMAP Client |
- | Version 0.3-20090702 |
+ | Version 0.3-20090721 |
| |
| Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| |
@@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action !
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
- if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) {
+ if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) {
header('HTTP/1.1 404 Not Found');
die("Invalid Request");
}
}
+// check request token in POST form submissions
+else if (!empty($_POST) && !$RCMAIL->check_request()) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ $OUTPUT->send($RCMAIL->task);
+}
// not logged in -> show login page