From 376cbfd4f2dfcf455717409b70d9d056cbeb08b1 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 15 Dec 2014 13:47:55 +0100
Subject: Fix bugs where CSRF attacks were still possible on some requests

---
 program/js/app.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'program/js')

diff --git a/program/js/app.js b/program/js/app.js
index fe9daddc8..7859ecbea 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1336,8 +1336,10 @@ function rcube_webmail()
     var url = this.get_task_url(task);
     if (task == 'mail')
       url += '&_mbox=INBOX';
-    else if (task == 'logout' && !this.env.server_error)
+    else if (task == 'logout' && !this.env.server_error) {
+      url += '&_token=' + this.env.request_token;
       this.clear_compose_data();
+    }
 
     this.redirect(url);
   };
@@ -1347,7 +1349,10 @@ function rcube_webmail()
     if (!url)
       url = this.env.comm_path;
 
-    return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task);
+    if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/))
+        return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task);
+    else
+        return url.replace(/\?.*$/, '') + '?_task=' + task;
   };
 
   this.reload = function(delay)
-- 
cgit v1.2.3