diff options
| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-16 15:01:05 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-16 15:01:05 +0000 |
| commit | 0f544af302d7ba6bd6d19c6a53150d8ce269905f (patch) | |
| tree | 40a5acbeff3c96f81dae156b986ab7ad6a62668b /roundcubemail/program/steps/addressbook | |
| parent | 4e24ba053659872a97490f345f7343d8b084c58a (diff) | |
Force ajax calls to protect from CSRF
git-svn-id: https://svn.roundcube.net/trunk@2758 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/steps/addressbook')
| -rw-r--r-- | roundcubemail/program/steps/addressbook/copy.inc | 4 | ||||
| -rw-r--r-- | roundcubemail/program/steps/addressbook/delete.inc | 5 |
2 files changed, 7 insertions, 2 deletions
diff --git a/roundcubemail/program/steps/addressbook/copy.inc b/roundcubemail/program/steps/addressbook/copy.inc index 75190a611..a27b67b09 100644 --- a/roundcubemail/program/steps/addressbook/copy.inc +++ b/roundcubemail/program/steps/addressbook/copy.inc @@ -19,6 +19,10 @@ */ +// only process ajax requests +if (!$OUTPUT->ajax_call) + return; + $cid = get_input_value('_cid', RCUBE_INPUT_POST); $target = get_input_value('_to', RCUBE_INPUT_POST); if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source) diff --git a/roundcubemail/program/steps/addressbook/delete.inc b/roundcubemail/program/steps/addressbook/delete.inc index 6ab9cc3df..1611ae1a1 100644 --- a/roundcubemail/program/steps/addressbook/delete.inc +++ b/roundcubemail/program/steps/addressbook/delete.inc @@ -5,7 +5,7 @@ | program/steps/addressbook/delete.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -19,7 +19,8 @@ */ -if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && +if ($OUTPUT->ajax_call && + ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) || preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid)) ) |
