authorAleksander Machniak <alec@alec.pl>2014-07-05 12:33:03 +0200
committerAleksander Machniak <alec@alec.pl>2014-07-05 12:33:03 +0200
commitca01e25772730cab0117bca0e514140e6c5f67d1 (patch)
tree50514c9738e96d42d8e5bbb1962bbb0169330eaa /program/steps
parent36d004e3d0ad9ff97b66b2e505f6b17fd6d23102 (diff)
Fix security issue in delete-response action - allow only ajax requests.
Unify code for identities and responses deletion.
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/settings/delete_identity.inc55
-rw-r--r--program/steps/settings/func.inc1
-rw-r--r--program/steps/settings/identities.inc22
-rw-r--r--program/steps/settings/responses.inc8
4 files changed, 26 insertions, 60 deletions
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc
deleted file mode 100644
index f77620438..000000000
--- a/program/steps/settings/delete_identity.inc
+++ /dev/null
@@ -1,55 +0,0 @@
-<?php
-
-/*
- +-----------------------------------------------------------------------+
- | program/steps/settings/delete_identity.inc |
- | |
- | This file is part of the Roundcube Webmail client |
- | Copyright (C) 2005-2013, The Roundcube Dev Team |
- | |
- | Licensed under the GNU General Public License version 3 or |
- | any later version with exceptions for skins & plugins. |
- | See the README file for a full license statement. |
- | |
- | PURPOSE: |
- | Delete the submitted identities (IIDs) from the database |
- | |
- +-----------------------------------------------------------------------+
- | Author: Thomas Bruederli <roundcube@gmail.com> |
- +-----------------------------------------------------------------------+
-*/
-
-$iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_GPC);
-
-// check request token
-if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(rcube_utils::INPUT_GPC)) {
- $OUTPUT->show_message('invalidrequest', 'error');
- $RCMAIL->overwrite_action('identities');
- return;
-}
-
-if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
- $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
-
- $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
-
- if ($deleted > 0 && $deleted !== false) {
- $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
- }
- else {
- $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
- $OUTPUT->show_message($msg, 'error', null, false);
- }
-
- // send response
- if ($OUTPUT->ajax_call) {
- $OUTPUT->send();
- }
-}
-
-if ($OUTPUT->ajax_call) {
- exit;
-}
-
-// go to identities page
-$RCMAIL->overwrite_action('identities');
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 40b70b119..8a96ada6b 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -44,6 +44,7 @@ $RCMAIL->register_action_map(array(
'add-response' => 'edit_response.inc',
'save-response' => 'edit_response.inc',
'delete-response' => 'responses.inc',
+ 'delete-identity' => 'identities.inc',
'upload-display' => 'upload.inc',
));
diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc
index e19c16c79..f43edc1f7 100644
--- a/program/steps/settings/identities.inc
+++ b/program/steps/settings/identities.inc
@@ -19,6 +19,28 @@
+-----------------------------------------------------------------------+
*/
+if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) {
+ $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST);
+
+ if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
+ $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
+
+ $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
+
+ if ($deleted > 0 && $deleted !== false) {
+ $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
+ $OUTPUT->command('remove_identity', $iid);
+ }
+ else {
+ $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
+ $OUTPUT->show_message($msg, 'error', null, false);
+ }
+ }
+
+ $OUTPUT->send();
+}
+
+
define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
$OUTPUT->set_pagetitle($RCMAIL->gettext('identities'));
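Review bot: The only request-origin control visible in the new delete-identity branch (the `if` at the top of the hunk) is `$OUTPUT->ajax_call`; the explicit `$RCMAIL->check_request()` call that the removed delete_identity.inc ran for non-ajax requests has no visible replacement here, and the same gate pattern is used for delete-response in responses.inc. If the request token for ajax calls is verified centrally before this step is dispatched — which this diff does not show — that dependency deserves a comment on the `if`, e.g. `// ajax-only: relies on the request token being verified centrally for ajax calls before dispatch`; if it is not, the token check belongs inside the branch. Separately, `$deleted !== false` in `if ($deleted > 0 && $deleted !== false)` is redundant, since `false > 0` is never true, and the `_iid` pattern `/^[0-9]+(,[0-9]+)*$/` still accepts a trailing newline because `$` matches before a final `\n`; adding the `D` modifier (`/^[0-9]+(,[0-9]+)*$/D`) pins the input to digits and commas only. The branch is complete within the hunk.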
diff --git a/program/steps/settings/responses.inc b/program/steps/settings/responses.inc
index ddd1924fe..117e17f97 100644
--- a/program/steps/settings/responses.inc
+++ b/program/steps/settings/responses.inc
@@ -51,8 +51,8 @@ if (!empty($_POST['_insert'])) {
$RCMAIL->output->send();
}
-if ($RCMAIL->action == 'delete-response') {
- if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_GPC)) {
+if ($RCMAIL->action == 'delete-response' && $RCMAIL->output->ajax_call) {
+ if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_POST)) {
$responses = $RCMAIL->get_compose_responses(false, true);
foreach ($responses as $i => $response) {
if (empty($response['key']))
@@ -70,9 +70,7 @@ if ($RCMAIL->action == 'delete-response') {
$RCMAIL->output->command('remove_response', $key);
}
- if ($RCMAIL->output->ajax_call) {
- $RCMAIL->output->send();
- }
+ $RCMAIL->output->send();
}