Use request tokens to protect POST requests from CSFR

git-svn-id: https://svn.roundcube.net/trunk@2755 208e9e7b-5314-0410-a742-e7e81cd9613c
author: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2009-07-15 09:49:35 +0000
committer: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2009-07-15 09:49:35 +0000
commit: 94486f4f3e94367a148c762648eb0c3ed84014d6 (patch)
tree: 044ef51b29ced112d0791f0aa000fe39d6ffa64e /roundcubemail/program/steps/settings/save_prefs.inc
parent: 03cfead1d42ca546e148516fd5750af7a47ea278 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/roundcubemail/program/steps/settings/save_prefs.inc b/roundcubemail/program/steps/settings/save_prefs.inc
index c5afd5b0c..7444a8b53 100644
--- a/roundcubemail/program/steps/settings/save_prefs.inc
+++ b/roundcubemail/program/steps/settings/save_prefs.inc
@@ -19,6 +19,13 @@
 
 */
 
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action('preferences');
+  return;
+}
+
 $a_user_prefs = array(
   'language'     => isset($_POST['_language']) ? get_input_value('_language', RCUBE_INPUT_POST) : $CONFIG['language'],
   'timezone'     => isset($_POST['_timezone']) ? (is_numeric($_POST['_timezone']) ? floatval($_POST['_timezone']) : get_input_value('_timezone', RCUBE_INPUT_POST)) : $CONFIG['timezone'],
author	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2009-07-15 09:49:35 +0000
committer	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2009-07-15 09:49:35 +0000
commit	94486f4f3e94367a148c762648eb0c3ed84014d6 (patch)
tree	044ef51b29ced112d0791f0aa000fe39d6ffa64e /roundcubemail/program/steps/settings/save_prefs.inc
parent	03cfead1d42ca546e148516fd5750af7a47ea278 (diff)