Force ajax calls to protect from CSRF
| | |
| | | |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | $cid = get_input_value('_cid', RCUBE_INPUT_POST); |
| | | $target = get_input_value('_to', RCUBE_INPUT_POST); |
| | | if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source) |
| | |
| | | | program/steps/addressbook/delete.inc | |
| | | | | |
| | | | This file is part of the RoundCube Webmail client | |
| | | | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | |
| | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | |
| | | */ |
| | | |
| | | if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && |
| | | if ($OUTPUT->ajax_call && |
| | | ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && |
| | | (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) || |
| | | preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid)) |
| | | ) |
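Review bot: The `_cid` whitelist on the two `preg_match` lines disagrees with the one used for the copy step at the top of this commit, which accepts `-` and `_` case-insensitively (`/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i`); if any address book backend produces ids containing those characters, they will copy but refuse to delete. A single shared pattern, or a helper that validates `_cid` once for all addressbook steps, would keep the two in step. The ajax gate is also folded into the multi-line condition here, while every other file in the commit uses the early return `if (!$OUTPUT->ajax_call) return;` before any input is read; matching that shape would make the guard easier to audit. The `if` body continues outside the hunk.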
| | |
| | | | program/steps/mail/addcontact.inc | |
| | | | | |
| | | | This file is part of the RoundCube Webmail client | |
| | | | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | |
| | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | $done = false; |
| | | $CONTACTS = $RCMAIL->get_address_book(null, true); |
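Review bot: The new guard's comment says what it does but not why, and the same three lines are repeated verbatim in folders.inc, mark.inc, move_del.inc and the final section of this commit; a why-comment such as `// only process ajax requests (CSRF mitigation: this action must not be reachable from a plain cross-site form or link)` on each copy, or one check in the step dispatcher if it can mark ajax-only actions, would record the intent in one place. How `$OUTPUT->ajax_call` is derived is not visible here; if it is based on something a cross-origin request can also supply, this gate is weaker than a per-session request token verified on POST, so that is worth confirming before it is relied on as the only CSRF defence. The guard also returns silently, so a rejected request gets an empty response rather than an error; acceptable for a defence, but worth stating in the comment.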
| | | |
| | |
| | | | program/steps/mail/folders.inc | |
| | | | | |
| | | | This file is part of the RoundCube Webmail client | |
| | | | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | |
| | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | $Id$ |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | $mbox_name = $IMAP->get_mailbox_name(); |
| | | |
| | | // send EXPUNGE command |
| | |
| | | | program/steps/mail/mark.inc | |
| | | | | |
| | | | This file is part of the RoundCube Webmail client | |
| | | | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | |
| | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | $a_flags_map = array( |
| | | 'undelete' => 'UNDELETED', |
| | | 'delete' => 'DELETED', |
| | |
| | | | program/steps/mail/move_del.inc | |
| | | | | |
| | | | This file is part of the RoundCube Webmail client | |
| | | | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | |
| | | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | // count messages before changing anything |
| | | $old_count = $IMAP->messagecount(); |
| | | $old_pages = ceil($old_count / $IMAP->page_size); |
| | |
| | | |
| | | */ |
| | | |
| | | // only process ajax requests |
| | | if (!$OUTPUT->ajax_call) |
| | | return; |
| | | |
| | | if (!empty($_POST['_uid'])) { |
| | | $sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error); |