diff options
author | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
commit | 681ba6fc3c296cd6cd11050531b8f4e785141786 (patch) | |
tree | 77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps/addressbook/photo.inc | |
parent | 53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff) |
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps/addressbook/photo.inc')
-rw-r--r-- | program/steps/addressbook/photo.inc | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc index 30d09ffcc..962ca3126 100644 --- a/program/steps/addressbook/photo.inc +++ b/program/steps/addressbook/photo.inc @@ -90,6 +90,12 @@ if (!$cid && $email) { $RCMAIL->output->future_expire_header(86400); } -header('Content-Type: ' . rcube_mime::image_content_type($data)); -echo $data ? $data : file_get_contents('program/resources/blank.gif'); +if ($data) { + header('Content-Type: ' . rcube_mime::image_content_type($data)); + echo $data; +} +else { + header('Content-Type: image/gif'); + echo base64_decode(rcmail_output::BLANK_GIF); +} exit; |