From 1bd5ba05f08cf8dd42e2b61e06eefd991a48e060 Mon Sep 17 00:00:00 2001 From: alec Date: Fri, 26 Feb 2010 08:06:48 +0000 Subject: - Fix CVE-2010-0464: Disable DNS prefetching (#1486449) git-svn-id: https://svn.roundcube.net/trunk@3293 208e9e7b-5314-0410-a742-e7e81cd9613c --- roundcubemail/program/include/rcube_shared.inc | 2 ++ roundcubemail/program/steps/mail/get.inc | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'roundcubemail/program') diff --git a/roundcubemail/program/include/rcube_shared.inc b/roundcubemail/program/include/rcube_shared.inc index 610023f69..f4f23a26b 100644 --- a/roundcubemail/program/include/rcube_shared.inc +++ b/roundcubemail/program/include/rcube_shared.inc @@ -39,6 +39,8 @@ function send_nocacheing_headers() header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0"); header("Pragma: no-cache"); + // Request browser to disable DNS prefetching (CVE-2010-0464) + header("X-DNS-Prefetch-Control: off"); // We need to set the following headers to make downloads work using IE in HTTPS mode. if (rcube_https_check()) { diff --git a/roundcubemail/program/steps/mail/get.inc b/roundcubemail/program/steps/mail/get.inc index cb938c08b..a41925a65 100644 --- a/roundcubemail/program/steps/mail/get.inc +++ b/roundcubemail/program/steps/mail/get.inc @@ -41,6 +41,7 @@ if (!empty($_GET['_uid'])) { $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET)); } +send_nocacheing_headers(); // show part page if (!empty($_GET['_frame'])) { @@ -66,8 +67,6 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) { $browser = new rcube_browser; - send_nocacheing_headers(); - // send download headers if ($_GET['_download']) { header("Content-Type: application/octet-stream"); -- cgit v1.2.3