diff options
| author | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2009-07-15 09:49:35 +0000 |
| commit | 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch) | |
| tree | ba2f16627d23c994233042a1cf51676559060914 /program/steps/settings/save_identity.inc | |
| parent | 19862b5586343205dc381339bfea46915dd498d3 (diff) | |
Use request tokens to protect POST requests from CSFR
Diffstat (limited to 'program/steps/settings/save_identity.inc')
| -rw-r--r-- | program/steps/settings/save_identity.inc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 900c2d3d9..86ff263d2 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -26,6 +26,12 @@ $a_html_cols = array('signature'); $a_boolean_cols = array('standard', 'html_signature'); $updated = $default_id = false; +// check request token +if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('identities'); + return; +} // check input if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) { |