From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:35:48 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response

---
 program/include/rcmail.php |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 95ad67a..53aeb90 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -813,6 +813,8 @@
             // this need to be full url to make redirects work
             $absolute = true;
         }
+        else if ($secure && ($token = $this->get_request_token()))
+            $url .= $delm . '_token=' . urlencode($token);
 
         if ($absolute || $full) {
             // add base path to this Roundcube installation

--
Gitblit v1.9.1