From 881217a5c95dbfe4e62154a2c0edd135b504220e Mon Sep 17 00:00:00 2001 From: thomascube Date: Thu, 16 Jul 2009 15:01:05 +0000 Subject: Force ajax calls to protect from CSRF --- program/steps/addressbook/copy.inc | 4 ++++ program/steps/addressbook/delete.inc | 5 +++-- program/steps/mail/addcontact.inc | 6 +++++- program/steps/mail/folders.inc | 6 +++++- program/steps/mail/mark.inc | 6 +++++- program/steps/mail/move_del.inc | 6 +++++- program/steps/mail/sendmdn.inc | 3 +++ 7 files changed, 30 insertions(+), 6 deletions(-) (limited to 'program') diff --git a/program/steps/addressbook/copy.inc b/program/steps/addressbook/copy.inc index 75190a611..a27b67b09 100644 --- a/program/steps/addressbook/copy.inc +++ b/program/steps/addressbook/copy.inc @@ -19,6 +19,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $cid = get_input_value('_cid', RCUBE_INPUT_POST); $target = get_input_value('_to', RCUBE_INPUT_POST); if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index 6ab9cc3df..1611ae1a1 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -5,7 +5,7 @@ | program/steps/addressbook/delete.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,7 +19,8 @@ */ -if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && +if ($OUTPUT->ajax_call && + ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) || preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid)) ) diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc index 5f8c6d14d..23e657974 100644 --- a/program/steps/mail/addcontact.inc +++ b/program/steps/mail/addcontact.inc @@ -5,7 +5,7 @@ | program/steps/mail/addcontact.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,6 +19,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $done = false; $CONTACTS = $RCMAIL->get_address_book(null, true); diff --git a/program/steps/mail/folders.inc b/program/steps/mail/folders.inc index 7fd1f62cc..dc086b155 100644 --- a/program/steps/mail/folders.inc +++ b/program/steps/mail/folders.inc @@ -5,7 +5,7 @@ | program/steps/mail/folders.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -18,6 +18,10 @@ $Id$ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $mbox_name = $IMAP->get_mailbox_name(); // send EXPUNGE command diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc index 339beca4b..c3ddf7b8c 100644 --- a/program/steps/mail/mark.inc +++ b/program/steps/mail/mark.inc @@ -4,7 +4,7 @@ | program/steps/mail/mark.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -18,6 +18,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $a_flags_map = array( 'undelete' => 'UNDELETED', 'delete' => 'DELETED', diff --git a/program/steps/mail/move_del.inc b/program/steps/mail/move_del.inc index d22cd35bd..103d69e48 100644 --- a/program/steps/mail/move_del.inc +++ b/program/steps/mail/move_del.inc @@ -5,7 +5,7 @@ | program/steps/mail/move_del.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,6 +19,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + // count messages before changing anything $old_count = $IMAP->messagecount(); $old_pages = ceil($old_count / $IMAP->page_size); diff --git a/program/steps/mail/sendmdn.inc b/program/steps/mail/sendmdn.inc index c3294e7fe..f1fb79296 100644 --- a/program/steps/mail/sendmdn.inc +++ b/program/steps/mail/sendmdn.inc @@ -19,6 +19,9 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; if (!empty($_POST['_uid'])) { $sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error); -- cgit v1.2.3