From 881217a5c95dbfe4e62154a2c0edd135b504220e Mon Sep 17 00:00:00 2001 From: thomascube Date: Thu, 16 Jul 2009 15:01:05 +0000 Subject: Force ajax calls to protect from CSRF --- program/steps/addressbook/copy.inc | 4 ++++ program/steps/addressbook/delete.inc | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'program/steps/addressbook') diff --git a/program/steps/addressbook/copy.inc b/program/steps/addressbook/copy.inc index 75190a611..a27b67b09 100644 --- a/program/steps/addressbook/copy.inc +++ b/program/steps/addressbook/copy.inc @@ -19,6 +19,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $cid = get_input_value('_cid', RCUBE_INPUT_POST); $target = get_input_value('_to', RCUBE_INPUT_POST); if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index 6ab9cc3df..1611ae1a1 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -5,7 +5,7 @@ | program/steps/addressbook/delete.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,7 +19,8 @@ */ -if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && +if ($OUTPUT->ajax_call && + ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) || preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid)) ) -- cgit v1.2.3