authorAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
commit681ba6fc3c296cd6cd11050531b8f4e785141786 (patch)
tree77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps/utils
parent53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff)
Improve system security by using optional special URL with security token
Allows defining a separate server/path for image/js/css files. Fixes bugs where CSRF attacks were still possible on some requests.
Diffstat (limited to 'program/steps/utils')
-rw-r--r--program/steps/utils/error.inc12
1 files changed, 10 insertions, 2 deletions
diff --git a/program/steps/utils/error.inc b/program/steps/utils/error.inc
index ec0d038f4..6bbc57fda 100644
--- a/program/steps/utils/error.inc
+++ b/program/steps/utils/error.inc
@@ -50,9 +50,17 @@ else if ($ERROR_CODE == 401) {
// forbidden due to request check
else if ($ERROR_CODE == 403) {
+ if ($_SERVER['REQUEST_METHOD'] == 'GET' && $rcmail->request_status == rcube::REQUEST_ERROR_URL) {
+ parse_str($_SERVER['QUERY_STRING'], $url);
+ $url = $rcmail->url($url, true, false, true);
+ $add = "<br /><a href=\"$url\">Click here to try again.<a/>";
+ }
+ else {
+ $add = "Please contact your server-administrator.";
+ }
+
$__error_title = "REQUEST CHECK FAILED";
- $__error_text = "Access to this service was denied due to failing security checks!<br />\n"
- . "Please contact your server-administrator.";
+ $__error_text = "Access to this service was denied due to failing security checks!<br />\n$add";
}
// failed request (wrong step in URL)
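Review bot: The retry link built on the fourth added line closes the anchor with `<a/>` instead of `</a>`, so the tag is never closed, and on the same line `$url` is interpolated into an `href` attribute with no HTML-attribute escaping, so unless `$rcmail->url()` already escapes for attribute context (it appears to produce a query string, not attribute-safe text) values reflected from the request's query string reach the error page unescaped. Suggested replacement for that line: `$add = "<br /><a href=\"" . htmlspecialchars($url, ENT_QUOTES) . "\">Click here to try again.</a>";`. Note also that `parse_str()` on the raw query string can produce nested arrays for `a[]=`-style parameters; I cannot tell from the hunk whether `$rcmail->url()` tolerates array values, so that may deserve a guard or a comment. The enclosing `else if ($ERROR_CODE == 403)` branch belongs to an if/else chain that starts before the hunk.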