From 10e2dbbb9c49f1721b4d740bc102c10c742a7b76 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 23 Nov 2011 13:53:58 -0500
Subject: [PATCH] Improve clickjacking protection: bust frame or disable all form elements and abort UI initialization
---
index.php | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/index.php b/index.php
index 60b4cbd..dce3db3 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
/*
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 0.6-svn |
+ | Version 0.7-svn |
| |
| Copyright (C) 2005-2011, The Roundcube Dev Team |
| |
@@ -32,6 +32,9 @@
// init application, start session, init output class, etc.
$RCMAIL = rcmail::get_instance();
+
+// Make the whole PHP output non-cacheable (#1487797)
+send_nocacheing_headers();
// turn on output buffering
ob_start();
@@ -177,7 +180,7 @@
)
);
}
-
+
if ($session_error || $_REQUEST['_err'] == 'session')
$OUTPUT->show_message('sessionerror', 'error', null, true, -1);
@@ -192,7 +195,7 @@
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
- header('HTTP/1.1 404 Not Found');
+ header('HTTP/1.1 403 Forbidden');
die("Invalid Request");
}
}
@@ -211,6 +214,12 @@
}
}
+// we're ready, user is authenticated and the request is safe
+$plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
+$RCMAIL->set_task($plugin['task']);
+$RCMAIL->action = $plugin['action'];
+
+
// handle special actions
if ($RCMAIL->action == 'keep-alive') {
$OUTPUT->reset();
--
Gitblit v1.9.1