diff options
| author | Aleksander Machniak <alec@alec.pl> | 2014-12-15 13:47:55 +0100 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2014-12-15 13:47:55 +0100 |
| commit | 376cbfd4f2dfcf455717409b70d9d056cbeb08b1 (patch) | |
| tree | 9258578b88810e0cef8e483bd2df30c9e044960d /program/steps | |
| parent | 753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (diff) | |
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps')
| -rw-r--r-- | program/steps/addressbook/delete.inc | 5 | ||||
| -rw-r--r-- | program/steps/addressbook/func.inc | 4 |
2 files changed, 5 insertions, 4 deletions
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index f5b8e4eb5..9a23c59bb 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -20,10 +20,11 @@ */ // process ajax requests only -if (!$OUTPUT->ajax_call) +if (!$OUTPUT->ajax_call) { return; +} -$cids = rcmail_get_cids(); +$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); $delcnt = 0; // remove previous deletes diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 2989dada2..625e044a4 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -879,13 +879,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: <ID>-<SOURCE> - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { |