From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:35:48 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/lib/Roundcube/rcube_message.php | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php index b9008af..4550b76 100644 --- a/program/lib/Roundcube/rcube_message.php +++ b/program/lib/Roundcube/rcube_message.php @@ -105,10 +105,11 @@ $this->opt = array( 'safe' => $this->is_safe, 'prefer_html' => $this->app->config->get('prefer_html'), - 'get_url' => $this->app->url(array( - 'action' => 'get', - 'mbox' => $this->storage->get_folder(), - 'uid' => $uid)) + 'get_url' => $this->app->url(array( + 'action' => 'get', + 'mbox' => $this->storage->get_folder(), + 'uid' => $uid), + false, false, true) ); if (!empty($this->headers->structure)) { -- Gitblit v1.9.1