From 376cbfd4f2dfcf455717409b70d9d056cbeb08b1 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Mon, 15 Dec 2014 13:47:55 +0100 Subject: Fix bugs where CSRF attacks were still possible on some requests --- program/steps/addressbook/delete.inc | 5 +++-- program/steps/addressbook/func.inc | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'program/steps') diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index f5b8e4eb5..9a23c59bb 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -20,10 +20,11 @@ */ // process ajax requests only -if (!$OUTPUT->ajax_call) +if (!$OUTPUT->ajax_call) { return; +} -$cids = rcmail_get_cids(); +$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); $delcnt = 0; // remove previous deletes diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 2989dada2..625e044a4 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -879,13 +879,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: - - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { -- cgit v1.2.3