From 06a746b43a418a501e67b47242499a1acd2ba848 Mon Sep 17 00:00:00 2001 From: thomasb Date: Tue, 21 Jul 2009 16:02:33 +0000 Subject: Use global request tokens and automatically protect all POST requests git-svn-id: https://svn.roundcube.net/trunk@2778 208e9e7b-5314-0410-a742-e7e81cd9613c --- roundcubemail/index.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'roundcubemail/index.php') diff --git a/roundcubemail/index.php b/roundcubemail/index.php index 2767277f7..c5a1049e9 100644 --- a/roundcubemail/index.php +++ b/roundcubemail/index.php @@ -2,7 +2,7 @@ /* +-------------------------------------------------------------------------+ | RoundCube Webmail IMAP Client | - | Version 0.3-20090702 | + | Version 0.3-20090721 | | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | | | @@ -143,11 +143,16 @@ else if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action ! // check client X-header to verify request origin if ($OUTPUT->ajax_call) { - if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) { + if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token()) { header('HTTP/1.1 404 Not Found'); die("Invalid Request"); } } +// check request token in POST form submissions +else if (!empty($_POST) && !$RCMAIL->check_request()) { + $OUTPUT->show_message('invalidrequest', 'error'); + $OUTPUT->send($RCMAIL->task); +} // not logged in -> show login page -- cgit v1.2.3