Some bugfixes, security issues + minor improvements

thomascube

2007-08-10 719a257f0c8fd750a4984ed56273dc653565729e

 index.php

@@ -2,7 +2,7 @@
/*
 +-----------------------------------------------------------------------+
 | RoundCube Webmail IMAP Client                                         |
 | Version 0.1-20070428                                                  |
 | Version 0.1-20070809                                                  |
 |                                                                       |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
@@ -41,7 +41,7 @@
*/

// application constants
define('RCMAIL_VERSION', '0.1-20070428');
define('RCMAIL_VERSION', '0.1-20070809');
define('RCMAIL_CHARSET', 'UTF-8');
define('JS_OBJECT_NAME', 'rcmail');

@@ -81,7 +81,6 @@
require_once('include/rcube_imap.inc');
require_once('include/bugs.inc');
require_once('include/main.inc');
require_once('include/cache.inc');
require_once('PEAR.php');


@@ -219,6 +218,17 @@
}


// check client X-header to verify request origin
if ($OUTPUT->ajax_call)
{
  $hdrs = getallheaders();
  if (empty($hdrs['X-RoundCube-Referer']) && empty($CONFIG['devel_mode']))
  {
    header('HTTP/1.1 404 Not Found');
    die("Invalid Request");
  }
}


// set task and action to client
$OUTPUT->set_env('task', $_task);
@@ -285,7 +295,7 @@
  if ($_action=='getunread')
    include('program/steps/mail/getunread.inc');
    
  if ($_action=='list' && isset($_GET['_remote']))
  if ($_action=='list' && isset($_REQUEST['_remote']))
    include('program/steps/mail/list.inc');

   if ($_action=='search')
@@ -323,7 +333,7 @@
  if ($_action=='show')
    include('program/steps/addressbook/show.inc');  

  if ($_action=='list' && $_GET['_remote'])
  if ($_action=='list' && $_REQUEST['_remote'])
    include('program/steps/addressbook/list.inc');

  if ($_action=='search')