From 57f0c81f2cc0518ed7ab107e16e6cadb8dfc53b0 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Wed, 15 Jul 2009 09:49:35 +0000
Subject: Use request tokens to protect POST requests from CSFR

---
 program/steps/settings/save_identity.inc | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'program/steps/settings/save_identity.inc')

diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 900c2d3d9..86ff263d2 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -26,6 +26,12 @@ $a_html_cols = array('signature');
 $a_boolean_cols = array('standard', 'html_signature');
 $updated = $default_id = false;
 
+// check request token
+if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action('identities');
+ return;
+}
 
 // check input
 if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) {
-- 
cgit v1.2.3
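Review bot: The rejection branch in the added block reports `invalidrequest` to the user but leaves no server-side trace, so a burst of failed token checks on this step cannot be told apart from a single stale form in the logs; consider recording the failure before `rcmail_overwrite_action('identities');`, e.g. through the codebase's `raise_error()` logging path if it is available in this step. The token name `'save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST))` binds the token to the identity being saved, and `intval()` of a missing `_iid` yields `0`, so the bare `// check request token` would be clearer as `// check request token; it is bound to the posted identity id (0 when _iid is absent)` — that the absent case is a new identity is an inference, confirm against the form that issues the token. The matching token must be emitted by the identity edit form, which is outside this hunk, and the diffstat shows this view is limited to this one file. The enclosing script continues outside the hunk.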