From cb8ebfcbf8cf72f1aeb44b4fcdd62e071cc00368 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Wed, 6 Oct 2010 08:02:47 +0000
Subject: Hotfixes for release 0.4.1 building new 0.4.2 version
---
 index.php | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)
(limited to 'index.php')
diff --git a/index.php b/index.php
index a6e2ada46..a8dd55c90 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
 /*
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client |
- | Version 0.4.1 |
+ | Version 0.4.2 |
  | |
  | Copyright (C) 2005-2010, Roundcube Dev. - Switzerland |
  | |
@@ -141,22 +141,6 @@ else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action !=
   }
 }
-// don't check for valid request tokens in these actions
-$request_check_whitelist = array('login'=>1, 'spell'=>1);
-
-// check client X-header to verify request origin
-if ($OUTPUT->ajax_call) {
-  if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !empty($RCMAIL->user->ID)) {
-    header('HTTP/1.1 404 Not Found');
-    die("Invalid Request");
-  }
-}
-// check request token in POST form submissions
-else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
-  $OUTPUT->show_message('invalidrequest', 'error');
-  $OUTPUT->send($RCMAIL->task);
-}
-
 // not logged in -> show login page
 if (empty($RCMAIL->user->ID)) {
   if ($OUTPUT->ajax_call)
@@ -176,17 +160,37 @@ if (empty($RCMAIL->user->ID)) {
       )
     );
   }
-
+
   $OUTPUT->set_env('task', 'login');
   $OUTPUT->send('login');
 }
+// CSRF prevention
+else {
+  // don't check for valid request tokens in these actions
+  $request_check_whitelist = array('login'=>1, 'spell'=>1);
+
+  // check client X-header to verify request origin
+  if ($OUTPUT->ajax_call) {
+    if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+      header('HTTP/1.1 404 Not Found');
+      die("Invalid Request");
+    }
+  }
+  // check request token in POST form submissions
+  else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
+    $OUTPUT->show_message('invalidrequest', 'error');
+    $OUTPUT->send($RCMAIL->task);
+  }
+}
-
-// handle keep-alive signal
+// handle special actions
 if ($RCMAIL->action == 'keep-alive') {
   $OUTPUT->reset();
   $OUTPUT->send();
 }
+else if ($RCMAIL->action == 'save-pref') {
+  include 'steps/utils/save_pref.inc';
+}
 // map task/action to a certain include file
-- cgit v1.2.3
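Review bot: The AJAX origin check in the new `else` branch compares the header with loose `!=`, so two numeric-looking strings compare as numbers (`"1e3" != "1000"` is false in PHP) and an absent header (which `rc_request_header` presumably reports as null or false) is only rejected as long as `get_request_token()` never returns an empty value; a strict comparison removes both dependencies: `if (rc_request_header('X-Roundcube-Request') !== $RCMAIL->get_request_token()) {`. The POST branch indexes `$request_check_whitelist[$RCMAIL->action]` directly, which raises an undefined-index notice for every action that is not whitelisted; `else if (!empty($_POST) && empty($request_check_whitelist[$RCMAIL->action]) && !$RCMAIL->check_request()) {` keeps the same logic without the notice. Dropping the old `devel_mode` bypass is a deliberate hardening that deserves a comment so it is not reintroduced, e.g. `// the token check is mandatory; it is no longer skipped in devel_mode`. The `if (empty($RCMAIL->user->ID))` statement this `else` belongs to starts outside the hunk, so whether `$OUTPUT->send('login')` terminates the request before reaching the `save-pref` include cannot be confirmed from here.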