diff options
| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-21 16:02:33 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-21 16:02:33 +0000 |
| commit | 06a746b43a418a501e67b47242499a1acd2ba848 (patch) | |
| tree | 8784a3591ac99529265558853d975d30967156b9 /roundcubemail/index.php | |
| parent | de9304fe9b1c3fce460ca79395becefa382ba134 (diff) | |
Use global request tokens and automatically protect all POST requests
git-svn-id: https://svn.roundcube.net/trunk@2778 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/index.php')
| -rw-r--r-- | roundcubemail/index.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/roundcubemail/index.php b/roundcubemail/index.php index 2767277f7..c5a1049e9 100644 --- a/roundcubemail/index.php +++ b/roundcubemail/index.php @@ -2,7 +2,7 @@ /* +-------------------------------------------------------------------------+ | RoundCube Webmail IMAP Client | - | Version 0.3-20090702 | + | Version 0.3-20090721 | | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | | @@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action ! // check client X-header to verify request origin if ($OUTPUT->ajax_call) { - if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) { + if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } } +// check request token in POST form submissions +else if (!empty($_POST) && !$RCMAIL->check_request()) { + $OUTPUT->show_message('invalidrequest', 'error'); + $OUTPUT->send($RCMAIL->task); +} // not logged in -> show login page |