thomascube
2009-07-16 881217a5c95dbfe4e62154a2c0edd135b504220e
Force ajax calls to protect from CSRF

7 files modified
36 ■■■■ changed files
program/steps/addressbook/copy.inc 4 ●●●● patch | view | raw | blame | history
program/steps/addressbook/delete.inc 5 ●●●●● patch | view | raw | blame | history
program/steps/mail/addcontact.inc 6 ●●●● patch | view | raw | blame | history
program/steps/mail/folders.inc 6 ●●●● patch | view | raw | blame | history
program/steps/mail/mark.inc 6 ●●●● patch | view | raw | blame | history
program/steps/mail/move_del.inc 6 ●●●● patch | view | raw | blame | history
program/steps/mail/sendmdn.inc 3 ●●●●● patch | view | raw | blame | history
program/steps/addressbook/copy.inc
@@ -19,6 +19,10 @@
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
$target = get_input_value('_to', RCUBE_INPUT_POST);
if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source)
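Review bot: The added guard `if (!$OUTPUT->ajax_call) return;` is only a CSRF defence if `ajax_call` cannot be set by a cross-site request, and how the flag is derived is not visible in this hunk. If it comes from a request parameter rather than from a per-session token or a custom request header (in this codebase the JSON output is, as far as I recall, selected by a `_remote` request parameter), a forged form POST can supply the same parameter and pass the check, so the protection would be nominal. A request token tied to the session and verified on every state-changing POST is the mitigation that addresses CSRF; the early return is still useful for rejecting plain navigation to these step files. The same guard is added in delete.inc, addcontact.inc, folders.inc, mark.inc, move_del.inc and sendmdn.inc, and this note applies to each of them. I would record the assumption next to the check, e.g. `// only process ajax requests (CSRF guard: assumes ajax_call cannot be forged by a cross-site form)`.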
program/steps/addressbook/delete.inc
@@ -5,7 +5,7 @@
 | program/steps/addressbook/delete.inc                                  |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -19,7 +19,8 @@
*/
if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) &&
if ($OUTPUT->ajax_call &&
    ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) &&
    (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) ||
     preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid))
   )
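Review bot: Here the ajax check is folded into the compound condition `if ($OUTPUT->ajax_call && ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && ...)`, whereas the other six files in this commit use an early `if (!$OUTPUT->ajax_call) return;`. A non-ajax request therefore does not return but falls through to whatever follows this `if`, which lies outside the hunk; if that path emits a response, the two styles behave differently. Placing the same early return before the existing condition would keep the seven step files consistent and stop the assignment-in-condition on `$cid` from growing further. The body of the `if` and any else branch continue beyond the hunk.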
program/steps/mail/addcontact.inc
@@ -5,7 +5,7 @@
 | program/steps/mail/addcontact.inc                                     |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -19,6 +19,10 @@
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
$done = false;
$CONTACTS = $RCMAIL->get_address_book(null, true);
program/steps/mail/folders.inc
@@ -5,7 +5,7 @@
 | program/steps/mail/folders.inc                                        |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -18,6 +18,10 @@
 $Id$
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
$mbox_name = $IMAP->get_mailbox_name();
// send EXPUNGE command
program/steps/mail/mark.inc
@@ -4,7 +4,7 @@
 | program/steps/mail/mark.inc                                           |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -18,6 +18,10 @@
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
$a_flags_map = array(
  'undelete' => 'UNDELETED',
  'delete' => 'DELETED',
program/steps/mail/move_del.inc
@@ -5,7 +5,7 @@
 | program/steps/mail/move_del.inc                                       |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -19,6 +19,10 @@
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
// count messages before changing anything
$old_count = $IMAP->messagecount();
$old_pages = ceil($old_count / $IMAP->page_size);
program/steps/mail/sendmdn.inc
@@ -19,6 +19,9 @@
*/
// only process ajax requests
if (!$OUTPUT->ajax_call)
  return;
if (!empty($_POST['_uid'])) {
  $sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error);