authorthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
committerthomascube <thomas@roundcube.net>2009-07-21 16:02:33 +0000
commit5499336feff22f682448dd99cc00a9b36701fcd1 (patch)
tree84c0fcf73be4f5c51f58c9656aaaefecd3530d9d /program/steps
parent61e96cd1f9b32345fd15ae826674f38f0495baa3 (diff)
Use global request tokens and automatically protect all POST requests
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/addressbook/save.inc10
-rw-r--r--program/steps/settings/save_identity.inc8
-rw-r--r--program/steps/settings/save_prefs.inc9
3 files changed, 3 insertions, 24 deletions
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 45cb6387e..639e0f2d1 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -5,7 +5,7 @@
| program/steps/addressbook/save.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -22,14 +22,6 @@
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
$return_action = empty($cid) ? 'add' : 'show';
-// check request token and exit if invalid
-if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
-{
- $OUTPUT->show_message('invalidrequest', 'error');
- rcmail_overwrite_action($return_action);
- return;
-}
-
// cannot edit record
if ($CONTACTS->readonly)
{
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 86ff263d2..d36114cd0 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -5,7 +5,7 @@
| program/steps/settings/save_identity.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -26,12 +26,6 @@ $a_html_cols = array('signature');
$a_boolean_cols = array('standard', 'html_signature');
$updated = $default_id = false;
-// check request token
-if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) {
- $OUTPUT->show_message('invalidrequest', 'error');
- rcmail_overwrite_action('identities');
- return;
-}
// check input
if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3))
{
diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index 7444a8b53..8430ffd88 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -5,7 +5,7 @@
| program/steps/settings/save_prefs.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -19,13 +19,6 @@
*/
-// check request token and exit if invalid
-if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
- $OUTPUT->show_message('invalidrequest', 'error');
- rcmail_overwrite_action('preferences');
- return;
-}
-
$a_user_prefs = array(
'language' => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'],
'timezone' => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],