diff options
| author | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:33:03 +0200 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:33:03 +0200 |
| commit | ca01e25772730cab0117bca0e514140e6c5f67d1 (patch) | |
| tree | 50514c9738e96d42d8e5bbb1962bbb0169330eaa /program/steps/settings/delete_identity.inc | |
| parent | 36d004e3d0ad9ff97b66b2e505f6b17fd6d23102 (diff) | |
Fix security issue in delete-response action - allow only ajax request.
Unify code for identities and responses deletion.
Diffstat (limited to 'program/steps/settings/delete_identity.inc')
| -rw-r--r-- | program/steps/settings/delete_identity.inc | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc deleted file mode 100644 index f77620438..000000000 --- a/program/steps/settings/delete_identity.inc +++ /dev/null @@ -1,55 +0,0 @@ -<?php - -/* - +-----------------------------------------------------------------------+ - | program/steps/settings/delete_identity.inc | - | | - | This file is part of the Roundcube Webmail client | - | Copyright (C) 2005-2013, The Roundcube Dev Team | - | | - | Licensed under the GNU General Public License version 3 or | - | any later version with exceptions for skins & plugins. | - | See the README file for a full license statement. | - | | - | PURPOSE: | - | Delete the submitted identities (IIDs) from the database | - | | - +-----------------------------------------------------------------------+ - | Author: Thomas Bruederli <roundcube@gmail.com> | - +-----------------------------------------------------------------------+ -*/ - -$iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_GPC); - -// check request token -if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(rcube_utils::INPUT_GPC)) { - $OUTPUT->show_message('invalidrequest', 'error'); - $RCMAIL->overwrite_action('identities'); - return; -} - -if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) { - $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid)); - - $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result']; - - if ($deleted > 0 && $deleted !== false) { - $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false); - } - else { - $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving'); - $OUTPUT->show_message($msg, 'error', null, false); - } - - // send response - if ($OUTPUT->ajax_call) { - $OUTPUT->send(); - } -} - -if ($OUTPUT->ajax_call) { - exit; -} - -// go to identities page -$RCMAIL->overwrite_action('identities'); |