From 7152d0fdefc0cb60b26c928342436604479dc610 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 5 Jul 2014 12:33:03 +0200
Subject: Fix security issue in delete-response action - allow only ajax
 request. Unify code for identities and responses deletion.

Conflicts:

	program/steps/settings/func.inc
---
 program/steps/settings/responses.inc | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'program/steps/settings/responses.inc')

diff --git a/program/steps/settings/responses.inc b/program/steps/settings/responses.inc
index 06093b3b8..4374595a7 100644
--- a/program/steps/settings/responses.inc
+++ b/program/steps/settings/responses.inc
@@ -51,8 +51,8 @@ if (!empty($_POST['_insert'])) {
     $RCMAIL->output->send();
 }
 
-if ($RCMAIL->action == 'delete-response') {
-    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_GPC)) {
+if ($RCMAIL->action == 'delete-response' && $RCMAIL->output->ajax_call) {
+    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_POST)) {
         $responses = $RCMAIL->get_compose_responses(false, true);
         foreach ($responses as $i => $response) {
             if (empty($response['key']))
@@ -70,9 +70,7 @@ if ($RCMAIL->action == 'delete-response') {
         $RCMAIL->output->command('remove_response', $key);
     }
 
-    if ($RCMAIL->output->ajax_call) {
-        $RCMAIL->output->send();
-    }
+    $RCMAIL->output->send();
 }
 
 
-- 
cgit v1.2.3