author | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:33:03 +0200 |
committer | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:33:03 +0200 |
commit | ca01e25772730cab0117bca0e514140e6c5f67d1 (patch) | |
tree | 50514c9738e96d42d8e5bbb1962bbb0169330eaa /program/steps/settings/responses.inc | |
parent | 36d004e3d0ad9ff97b66b2e505f6b17fd6d23102 (diff) |
Fix security issue in delete-response action - allow only ajax request.
Unify code for identities and responses deletion.
Diffstat (limited to 'program/steps/settings/responses.inc')
-rw-r--r-- | program/steps/settings/responses.inc | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/program/steps/settings/responses.inc b/program/steps/settings/responses.inc
index ddd1924fe..117e17f97 100644
--- a/program/steps/settings/responses.inc
+++ b/program/steps/settings/responses.inc
@@ -51,8 +51,8 @@ if (!empty($_POST['_insert'])) {
     $RCMAIL->output->send();
 }
-if ($RCMAIL->action == 'delete-response') {
-    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_GPC)) {
+if ($RCMAIL->action == 'delete-response' && $RCMAIL->output->ajax_call) {
+    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_POST)) {
         $responses = $RCMAIL->get_compose_responses(false, true);
         foreach ($responses as $i => $response) {
             if (empty($response['key']))
@@ -70,9 +70,7 @@ if ($RCMAIL->action == 'delete-response') {
         $RCMAIL->output->command('remove_response', $key);
     }
-    if ($RCMAIL->output->ajax_call) {
-        $RCMAIL->output->send();
-    }
+    $RCMAIL->output->send();
 } |
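Review bot: The added `&& $RCMAIL->output->ajax_call` on the outer `if` makes a non-AJAX `delete-response` request fall through silently, and nothing in the hunk records why AJAX-only is the intended boundary, so a later maintainer could relax it without seeing the consequence. A one-line comment above the condition would pin that down: `// delete-response is AJAX-only: the request token check is tied to AJAX calls, so non-AJAX requests fall through without deleting` (the token-check part is presumably enforced centrally and is not visible here; confirm before stating it). Narrowing `_key` from INPUT_GPC to INPUT_POST is consistent with that intent and worth a word in the same comment. The enclosing `if` body spans both hunks, and the `foreach` opened in the first hunk closes outside it.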