Roundcubemail devel
parent: 5499336f | patch | commit | ignore whitespace
thomascube
2009-07-21 2a5d02ab8ea2e80d7d73f90b1d31994def0c7c43 
Also protect GET request from CSRF

3 files modified
23 ■■■■ changed files
CHANGELOG 1 ●●●● patch | view | raw | blame | history
program/js/app.js 5 ●●●●● patch | view | raw | blame | history
program/steps/settings/delete_identity.inc 17 ●●●● patch | view | raw | blame | history 
 CHANGELOG


@@ -3,6 +3,7 @@




- Fix import of vCard entries with params (#1485453)


- Fix HTML messages output with empty block elements (#1485974)


- Use request tokens to protect POST requests from CSFR


- Added hook when killing a session


- Added hook to write_log function (#1485971)


- Performance improvements by use UID commands (#1485690)




 program/js/app.js


@@ -2969,8 +2969,9 @@


    if (!id)


      id = this.env.iid ? this.env.iid : selection[0];




    // if (this.env.framed && id)


    this.goto_url('delete-identity', '_iid='+id, true);


    // append token to request


    this.goto_url('delete-identity', '_iid='+id+'&_token='+this.env.request_token, true);


    


    return true;


    };






 program/steps/settings/delete_identity.inc


@@ -5,7 +5,7 @@


 | program/steps/settings/delete_identity.inc                            |


 |                                                                       |


 | This file is part of the RoundCube Webmail client                     |


 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |


 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |


 | Licensed under the GNU GPL                                            |


 |                                                                       |


 | PURPOSE:                                                              |


@@ -19,11 +19,20 @@




*/




if (($ids = get_input_value('_iid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $ids))


$iid = get_input_value('_iid', RCUBE_INPUT_GPC);




// check request token


if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(RCUBE_INPUT_GPC)) {


  $OUTPUT->show_message('invalidrequest', 'error');


  rcmail_overwrite_action('identities');


  return;


}




if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid))


{


  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $ids));


  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $iid));


  


  if (!$plugin['abort'] && $USER->delete_identity($ids)) {


  if (!$plugin['abort'] && $USER->delete_identity($iid)) {


    $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);


  }


  else {