diff options
author | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
commit | 681ba6fc3c296cd6cd11050531b8f4e785141786 (patch) | |
tree | 77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /plugins/acl | |
parent | 53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff) |
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'plugins/acl')
-rw-r--r-- | plugins/acl/acl.js | 27 | ||||
-rw-r--r-- | plugins/acl/acl.php | 12 |
2 files changed, 24 insertions, 15 deletions
diff --git a/plugins/acl/acl.js b/plugins/acl/acl.js index e59ac72a2..14634534e 100644 --- a/plugins/acl/acl.js +++ b/plugins/acl/acl.js @@ -58,8 +58,11 @@ rcube_webmail.prototype.acl_delete = function() var users = this.acl_get_usernames(); if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) { - this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(',')) - + '&_mbox='+urlencode(this.env.mailbox), + this.http_post('settings/plugin.acl', { + _act: 'delete', + _user: users.join(','), + _mbox: this.env.mailbox + }, this.set_busy(true, 'acl.deleting')); } } @@ -67,7 +70,7 @@ rcube_webmail.prototype.acl_delete = function() // Save ACL data rcube_webmail.prototype.acl_save = function() { - var user = $('#acluser', this.acl_form).val(), rights = '', type; + var data, type, rights = '', user = $('#acluser', this.acl_form).val(); $((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() { if (this.checked) @@ -88,12 +91,18 @@ rcube_webmail.prototype.acl_save = function() return; } - this.http_request('settings/plugin.acl', '_act=save' - + '&_user='+urlencode(user) - + '&_acl=' +rights - + '&_mbox='+urlencode(this.env.mailbox) - + (this.acl_id ? '&_old='+this.acl_id : ''), - this.set_busy(true, 'acl.saving')); + data = { + _act: 'save', + _user: user, + _acl: rights, + _mbox: this.env.mailbox + } + + if (this.acl_id) { + data._old = this.acl_id; + } + + this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving')); } // Cancel/Hide form diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php index 349f7e518..35a92bb1c 100644 --- a/plugins/acl/acl.php +++ b/plugins/acl/acl.php @@ -454,10 +454,10 @@ class acl extends rcube_plugin */ private function action_save() { - $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); // UTF7-IMAP - $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); - $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_GPC)); - $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_GPC)); + $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); // UTF7-IMAP + $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); + $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_POST)); + $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_POST)); $acl = array_intersect(str_split($acl), $this->rights_supported()); $users = $oldid ? array($user) : explode(',', $user); @@ -510,8 +510,8 @@ class acl extends rcube_plugin */ private function action_delete() { - $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); //UTF7-IMAP - $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); + $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); //UTF7-IMAP + $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); $user = explode(',', $user); |