From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:35:48 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php index 362c529..cdeac98 100644 --- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php +++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php @@ -397,6 +397,8 @@ } } else if ($action == 'setget') { + $this->rc->request_security_check(rcube_utils::INPUT_GET); + $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); $script = $this->sieve->get_script($script_name); -- Gitblit v1.9.1