From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:31:07 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/steps/mail/viewsource.inc | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/program/steps/mail/viewsource.inc b/program/steps/mail/viewsource.inc index 1198505..1e1fe26 100644 --- a/program/steps/mail/viewsource.inc +++ b/program/steps/mail/viewsource.inc @@ -19,6 +19,10 @@ +-----------------------------------------------------------------------+ */ +if (!empty($_GET['_save'])) { + $RCMAIL->request_security_check(rcube_utils::INPUT_GET); +} + ob_end_clean(); // similar code as in program/steps/mail/get.inc -- Gitblit v1.9.1