Fix bugs where CSRF attacks were still possible on some requests

author: Aleksander Machniak <alec@alec.pl> 2014-12-15 13:47:55 +0100
committer: Aleksander Machniak <alec@alec.pl> 2014-12-15 13:47:55 +0100
commit: 376cbfd4f2dfcf455717409b70d9d056cbeb08b1 (patch)
tree: 9258578b88810e0cef8e483bd2df30c9e044960d /program/steps/addressbook/func.inc
parent: 753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 2989dada2..625e044a4 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -879,13 +879,13 @@ function rcmail_search_update($return = false)
  *
  * @return array List of contact IDs per-source
  */
-function rcmail_get_cids($filter = null)
+function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC)
 {
     // contact ID (or comma-separated list of IDs) is provided in two
     // forms. If _source is an empty string then the ID is a string
     // containing contact ID and source name in form: <ID>-<SOURCE>
 
-    $cid    = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC);
+    $cid    = rcube_utils::get_input_value('_cid', $request_type);
     $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
 
     if (is_array($cid)) {
author	Aleksander Machniak <alec@alec.pl>	2014-12-15 13:47:55 +0100
committer	Aleksander Machniak <alec@alec.pl>	2014-12-15 13:47:55 +0100
commit	376cbfd4f2dfcf455717409b70d9d056cbeb08b1 (patch)
tree	9258578b88810e0cef8e483bd2df30c9e044960d /program/steps/addressbook/func.inc
parent	753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (diff)