diff options
| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2011-02-08 08:13:06 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2011-02-08 08:13:06 +0000 |
| commit | 7c95446d869d392f330f93cda8de91941c99d75b (patch) | |
| tree | cbf75f0f720600e5a51269f8fed3f56635ee6e3c /roundcubemail/index.php | |
| parent | 3b73335cc73cda7f827e49a44950f886ba38a16b (diff) | |
Add optional referer check to prevent CSRF in GET requests
git-svn-id: https://svn.roundcube.net/trunk@4503 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/index.php')
| -rw-r--r-- | roundcubemail/index.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/roundcubemail/index.php b/roundcubemail/index.php index bf38874d0..f50cf2bb3 100644 --- a/roundcubemail/index.php +++ b/roundcubemail/index.php @@ -190,6 +190,14 @@ else { $OUTPUT->show_message('invalidrequest', 'error'); $OUTPUT->send($RCMAIL->task); } + + // check referer if configured + if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) { + raise_error(array( + 'code' => 403, + 'type' => 'php', + 'message' => "Referer check failed"), true, true); + } } // handle special actions |