From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:35:48 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/steps/mail/get.inc | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index a79b968..e4fd55f 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -131,6 +131,10 @@ exit; } + // require CSRF protected url for downloads + if ($plugin['download']) + $RCMAIL->request_security_check(rcube_utils::INPUT_GET); + // overwrite modified vars from plugin $mimetype = $plugin['mimetype']; $extensions = rcube_mime::get_mime_extensions($mimetype); -- Gitblit v1.9.1