summaryrefslogtreecommitdiff
path: root/program/steps/settings/save_prefs.inc
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2009-07-15 09:49:35 +0000
committerthomascube <thomas@roundcube.net>2009-07-15 09:49:35 +0000
commit57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 (patch)
treeba2f16627d23c994233042a1cf51676559060914 /program/steps/settings/save_prefs.inc
parent19862b5586343205dc381339bfea46915dd498d3 (diff)
Use request tokens to protect POST requests from CSFR
Diffstat (limited to 'program/steps/settings/save_prefs.inc')
-rw-r--r--program/steps/settings/save_prefs.inc7
1 files changed, 7 insertions, 0 deletions
diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index c5afd5b0c..7444a8b53 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -19,6 +19,13 @@
*/
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action('preferences');
+ return;
+}
+
$a_user_prefs = array(
'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'],
'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],