diff options
author | Aleksander Machniak <alec@alec.pl> | 2014-12-15 13:47:55 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-15 13:47:55 +0100 |
commit | 376cbfd4f2dfcf455717409b70d9d056cbeb08b1 (patch) | |
tree | 9258578b88810e0cef8e483bd2df30c9e044960d /program | |
parent | 753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (diff) |
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program')
-rw-r--r-- | program/js/app.js | 9 | ||||
-rw-r--r-- | program/steps/addressbook/delete.inc | 5 | ||||
-rw-r--r-- | program/steps/addressbook/func.inc | 4 |
3 files changed, 12 insertions, 6 deletions
diff --git a/program/js/app.js b/program/js/app.js index fe9daddc8..7859ecbea 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -1336,8 +1336,10 @@ function rcube_webmail() var url = this.get_task_url(task); if (task == 'mail') url += '&_mbox=INBOX'; - else if (task == 'logout' && !this.env.server_error) + else if (task == 'logout' && !this.env.server_error) { + url += '&_token=' + this.env.request_token; this.clear_compose_data(); + } this.redirect(url); }; @@ -1347,7 +1349,10 @@ function rcube_webmail() if (!url) url = this.env.comm_path; - return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task); + if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/)) + return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task); + else + return url.replace(/\?.*$/, '') + '?_task=' + task; }; this.reload = function(delay) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index f5b8e4eb5..9a23c59bb 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -20,10 +20,11 @@ */ // process ajax requests only -if (!$OUTPUT->ajax_call) +if (!$OUTPUT->ajax_call) { return; +} -$cids = rcmail_get_cids(); +$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); $delcnt = 0; // remove previous deletes diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 2989dada2..625e044a4 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -879,13 +879,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: <ID>-<SOURCE> - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { |