| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
| commit | 94486f4f3e94367a148c762648eb0c3ed84014d6 (patch) | |
| tree | 044ef51b29ced112d0791f0aa000fe39d6ffa64e /roundcubemail/program/steps/settings/save_identity.inc | |
| parent | 03cfead1d42ca546e148516fd5750af7a47ea278 (diff) | |
Use request tokens to protect POST requests from CSRF
git-svn-id: https://svn.roundcube.net/trunk@2755 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/steps/settings/save_identity.inc')
| -rw-r--r-- | roundcubemail/program/steps/settings/save_identity.inc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/roundcubemail/program/steps/settings/save_identity.inc b/roundcubemail/program/steps/settings/save_identity.inc index 900c2d3d9..86ff263d2 100644 --- a/roundcubemail/program/steps/settings/save_identity.inc +++ b/roundcubemail/program/steps/settings/save_identity.inc @@ -26,6 +26,12 @@ $a_html_cols = array('signature'); $a_boolean_cols = array('standard', 'html_signature'); $updated = $default_id = false; +// check request token +if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) { + $OUTPUT->show_message('invalidrequest', 'error'); + rcmail_overwrite_action('identities'); + return; +} // check input if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3)) { |
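Review bot: The token action in the added `check_request()` call is built from the request's own `_iid`, so the check only binds the token to one identity if the save code further down uses that same POST-sourced, integer-normalised id; that code lies outside this hunk and should be confirmed there. Reading the id once and reusing it for both the check and the write would make the binding explicit: `$iid = intval(get_input_value('_iid', RCUBE_INPUT_POST));` followed by `if (!$RCMAIL->check_request('save-identity.'.$iid, RCUBE_INPUT_POST)) {`. A missing `_iid` collapses to `save-identity.0`, presumably the new-identity form, and a comment such as `// _iid is absent when creating an identity, so the token action is 'save-identity.0'` would record that. The rejection branch also leaves no trace, so logging failed token checks here would give operators a signal for forged-request attempts.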
