From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 16 Dec 2014 13:28:48 +0100
Subject: Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
---
 program/steps/utils/error.inc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'program/steps/utils/error.inc')
diff --git a/program/steps/utils/error.inc b/program/steps/utils/error.inc
index ec0d038f4..6bbc57fda 100644
--- a/program/steps/utils/error.inc
+++ b/program/steps/utils/error.inc
@@ -50,9 +50,17 @@ else if ($ERROR_CODE == 401) {
 // forbidden due to request check
 else if ($ERROR_CODE == 403) {
+ if ($_SERVER['REQUEST_METHOD'] == 'GET' && $rcmail->request_status == rcube::REQUEST_ERROR_URL) {
+ parse_str($_SERVER['QUERY_STRING'], $url);
+ $url = $rcmail->url($url, true, false, true);
+ $add = "
Click here to try again.";
+ }
+ else {
+ $add = "Please contact your server-administrator.";
+ }
+ $__error_title = "REQUEST CHECK FAILED";
- $__error_text = "Access to this service was denied due to failing security checks!
\n"
- . "Please contact your server-administrator.";
+ $__error_text = "Access to this service was denied due to failing security checks!
\n$add";
 }
 // failed request (wrong step in URL)
-- cgit v1.2.3
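Review bot: The retry link interpolates `$url` into the error page's HTML without any visible escaping; `$url` is rebuilt from `$_SERVER['QUERY_STRING']` via `parse_str` and `$rcmail->url()`, and whether that helper yields attribute-safe output (ampersands as `&amp;`, quotes encoded) is not visible in this hunk, so a crafted query string on a failing request could end up unescaped in the page. Adding `$url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');` directly after the `$rcmail->url(...)` line closes that gap regardless of what the helper does. The `REQUEST_METHOD == 'GET'` guard is the right restriction, since a POST that failed the check should not be retried through a link. The markup inside the `$add` and `$__error_text` strings (the link tag and line break) appears to have been stripped in this rendering, so the quoted lines are not the exact file text. The `$ERROR_CODE` if/else chain this branch belongs to starts before the hunk.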