summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-15 13:47:55 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-15 13:47:55 +0100
commit376cbfd4f2dfcf455717409b70d9d056cbeb08b1 (patch)
tree9258578b88810e0cef8e483bd2df30c9e044960d /program
parent753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (diff)
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program')
-rw-r--r--program/js/app.js9
-rw-r--r--program/steps/addressbook/delete.inc5
-rw-r--r--program/steps/addressbook/func.inc4
3 files changed, 12 insertions, 6 deletions
diff --git a/program/js/app.js b/program/js/app.js
index fe9daddc8..7859ecbea 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1336,8 +1336,10 @@ function rcube_webmail()
var url = this.get_task_url(task);
if (task == 'mail')
url += '&_mbox=INBOX';
- else if (task == 'logout' && !this.env.server_error)
+ else if (task == 'logout' && !this.env.server_error) {
+ url += '&_token=' + this.env.request_token;
this.clear_compose_data();
+ }
this.redirect(url);
};
@@ -1347,7 +1349,10 @@ function rcube_webmail()
if (!url)
url = this.env.comm_path;
- return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task);
+ if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/))
+ return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task);
+ else
+ return url.replace(/\?.*$/, '') + '?_task=' + task;
};
this.reload = function(delay)
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index f5b8e4eb5..9a23c59bb 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -20,10 +20,11 @@
*/
// process ajax requests only
-if (!$OUTPUT->ajax_call)
+if (!$OUTPUT->ajax_call) {
return;
+}
-$cids = rcmail_get_cids();
+$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST);
$delcnt = 0;
// remove previous deletes
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 2989dada2..625e044a4 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -879,13 +879,13 @@ function rcmail_search_update($return = false)
*
* @return array List of contact IDs per-source
*/
-function rcmail_get_cids($filter = null)
+function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC)
{
// contact ID (or comma-separated list of IDs) is provided in two
// forms. If _source is an empty string then the ID is a string
// containing contact ID and source name in form: <ID>-<SOURCE>
- $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC);
+ $cid = rcube_utils::get_input_value('_cid', $request_type);
$source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
if (is_array($cid)) {