githubFork/roundcubemail.git

			@@ -2,7 +2,7 @@
			/*
			+-------------------------------------------------------------------------+
			\| RoundCube Webmail IMAP Client \|
			\| Version 0.3-20090805 \|
			\| Version 0.3-20090814 \|
			\| \|
			\| Copyright (C) 2005-2009, RoundCube Dev. - Switzerland \|
			\| \|
			@@ -64,7 +64,8 @@
			}

			// check if https is required (for login) and redirect if necessary
			if ($RCMAIL->config->get('force_https', false) && empty($_SESSION['user_id']) && !(isset($_SERVER['HTTPS']) \|\| $_SERVER['SERVER_PORT'] == 443)) {
			if ($RCMAIL->config->get('force_https', false) && empty($_SESSION['user_id'])
			&& !(isset($_SERVER['HTTPS']) \|\| $_SERVER['SERVER_PORT'] == 443 \|\| $RCMAIL->config->get('use_https'))) {
			header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
			exit;
			}
			@@ -129,9 +130,11 @@

			// end session
			else if ($RCMAIL->task=='logout' && isset($_SESSION['user_id'])) {
			$userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
			$OUTPUT->show_message('loggedout');
			$RCMAIL->logout_actions();
			$RCMAIL->kill_session();
			$RCMAIL->plugins->exec_hook('logout_after', $userdata);
			}

			// check session and auth cookie
			@@ -142,6 +145,8 @@
			}
			}

			// don't check for valid request tokens in these actions
			$request_check_whitelist = array('login'=>1, 'spell'=>1);

			// check client X-header to verify request origin
			if ($OUTPUT->ajax_call) {
			@@ -151,7 +156,7 @@
			}
			}
			// check request token in POST form submissions
			else if (!empty($_POST) && $RCMAIL->action != 'login' && !$RCMAIL->check_request()) {
			else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
			$OUTPUT->show_message('invalidrequest', 'error');
			$OUTPUT->send($RCMAIL->task);
			}