author | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
commit | 681ba6fc3c296cd6cd11050531b8f4e785141786 (patch) | |
tree | 77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/js | |
parent | 53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff) |
Improve system security by using optional special URL with security token
Allows defining a separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/js')
-rw-r--r-- | program/js/app.js | 24 | ||||
-rw-r--r-- | program/js/editor.js | 5 |
2 files changed, 23 insertions, 6 deletions
diff --git a/program/js/app.js b/program/js/app.js
index e0a6d26e3..4e65a9c6d 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -58,7 +58,6 @@ function rcube_webmail()
 request_timeout: 180, // seconds
 draft_autosave: 0, // seconds
 comm_path: './',
- blankpage: 'program/resources/blank.gif',
 recipients_separator: ',',
 recipients_delimiter: ', ',
 popup_width: 1150,
@@ -163,6 +162,9 @@ function rcube_webmail()
 return;
 }
+ if (!this.env.blankpage)
+ this.env.blankpage = this.assets_path('program/resources/blank.gif');
+
 // find all registered gui containers
 for (n in this.gui_containers)
 this.gui_containers[n] = $('#'+this.gui_containers[n]);
@@ -1406,8 +1408,10 @@ function rcube_webmail()
 if (task == 'mail')
 url += '&_mbox=INBOX';
- else if (task == 'logout' && !this.env.server_error)
+ else if (task == 'logout' && !this.env.server_error) {
+ url += '&_token=' + this.env.request_token;
 this.clear_compose_data();
+ }
 this.redirect(url);
 };
@@ -1417,7 +1421,10 @@ function rcube_webmail()
 if (!url)
 url = this.env.comm_path;
- return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task);
+ if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/))
+ return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task);
+ else
+ return url.replace(/\?.*$/, '') + '?_task=' + task;
 };
 this.reload = function(delay)
@@ -8039,7 +8046,7 @@ function rcube_webmail()
 img.onload = function() { ref.env.browser_capabilities.tif = 1; };
 img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
- img.src = 'program/resources/blank.tif';
+ img.src = this.assets_path('program/resources/blank.tif');
 };
 this.pdf_support_check = function()
@@ -8096,6 +8103,15 @@ function rcube_webmail()
 return 0;
 };
+ this.assets_path = function(path)
+ {
+ if (this.env.assets_path && !path.startsWith(this.env.assets_path)) {
+ path = this.env.assets_path + path;
+ }
+
+ return path;
+ };
+
 // Cookie setter
 this.set_cookie = function(name, value, expires)
 {
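Review bot: The request token is concatenated into the logout URL unencoded on the added `url += '&_token=' + this.env.request_token;` line, and when `request_token` is missing from env the URL ends in `_token=undefined`. Prefer `url += '&_token=' + encodeURIComponent(this.env.request_token || '');` or skip the parameter when no token is set. Because the token now travels in a GET URL it can land in browser history, proxy logs and the Referer header of the next page, so the server side should treat it as valid only for this one request; whether it does cannot be seen from this hunk. The enclosing function starts outside the hunk.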
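Review bot: `url.match(/[?&]_task=[a-zA-Z0-9_-]+/)` on the first added line is used only as a boolean; `/[?&]_task=[a-zA-Z0-9_-]+/.test(url)` states that directly without building a match array. The fallback branch strips everything from `?` onward but not a bare `#fragment`, so a url carrying a fragment and no query would become `...#frag?_task=…` — presumably `comm_path` never has one, but `url.replace(/[?#].*$/, '')` makes the strip safe either way. The enclosing function begins outside the hunk.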
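Review bot: The new `img.src = this.assets_path('program/resources/blank.tif');` line depends on `this` being the rcube_webmail instance, while the two callbacks directly above it use `ref` for exactly that purpose; if this check is ever invoked detached from the instance (as a callback or via a timer), `this.assets_path` is undefined and the assignment throws. `img.src = ref.assets_path('program/resources/blank.tif');` keeps the line consistent with its neighbours and independent of call context. The function's start lies outside the hunk.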
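Review bot: `path.startsWith(this.env.assets_path)` in the new `assets_path` method is an ES2015 string method that browsers of this code's era (Internet Explorer in particular) do not implement, and nothing else visible in app.js relies on it; `path.indexOf(this.env.assets_path) !== 0` is the portable equivalent. The concatenation also assumes `this.env.assets_path` ends with a slash and that `path` is always a repository-relative path, neither of which the method checks — a short JSDoc on the function, e.g. `@param {string} path - path relative to the Roundcube root; env.assets_path is expected to end with '/'`, would make that contract explicit for callers such as editor.js.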
diff --git a/program/js/editor.js b/program/js/editor.js
index 3dac5f371..2fc3429ab 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -36,12 +36,13 @@ function rcube_text_editor(config, id)
 {
 var ref = this,
+ abs_url = location.href.replace(/[?#].*$/, '').replace(/\/$/, ''),
 conf = {
 selector: '#' + ($('#' + id).is('.mce_editor') ? id : 'fake-editor-id'),
 cache_suffix: 's=4010700',
 theme: 'modern',
 language: config.lang,
- content_css: 'program/js/tinymce/roundcube/content.css',
+ content_css: rcmail.assets_path('program/js/tinymce/roundcube/content.css'),
 menubar: false,
 statusbar: false,
 toolbar_items_size: 'small',
@@ -83,7 +84,7 @@ function rcube_text_editor(config, id)
 toolbar: 'bold italic underline | alignleft aligncenter alignright alignjustify' +
 ' | bullist numlist outdent indent ltr rtl blockquote | forecolor backcolor | fontselect fontsizeselect' +
 ' | link unlink table | emoticons charmap image media | code searchreplace undo redo',
- spellchecker_rpc_url: '../../../../../?_task=utils&_action=spell_html&_remote=1',
+ spellchecker_rpc_url: abs_url + '/?_task=utils&_action=spell_html&_remote=1',
 spellchecker_language: rcmail.env.spell_lang,
 accessibility_focus: false,
 file_browser_callback: function(name, url, type, win) { ref.file_browser_callback(name, url, type); },
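Review bot: `abs_url` is derived from `location.href` rather than from the application's own `rcmail.env.comm_path`, which this same object literal already reads other settings from via `rcmail.env`; when Roundcube is addressed as `.../index.php?_task=mail`, the trailing `index.php` survives both replaces and the URL built from it later becomes `index.php/?_task=utils…`, which works only where PATH_INFO is handled — presumably the tested deployments used the directory form. The removed `../../../../../` value suggests the URL was previously resolved relative to the TinyMCE plugin directory, which is why an absolute base is needed now; that reasoning is worth a comment on the `abs_url` line, e.g. `// absolute base of the current page (no query/fragment) so TinyMCE does not resolve the RPC URL relative to its own location`. The enclosing function starts outside the hunk.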
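Review bot: The new `spellchecker_rpc_url` carries `_task`, `_action` and `_remote=1` but no `_token`, while the commit's stated purpose is to close requests that still lacked CSRF protection; if the server now enforces the request token on remote requests, the spell-check RPC will be rejected, and if it does not, `spell_html` remains a deliberately unprotected action that should be recorded as such. Either append `'&_token=' + rcmail.env.request_token` to the URL or add a comment on this line explaining why this action is exempt; which applies cannot be decided from this hunk.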