From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:35:48 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response

---
 program/steps/mail/viewsource.inc |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/program/steps/mail/viewsource.inc b/program/steps/mail/viewsource.inc
index f988f67..284b333 100644
--- a/program/steps/mail/viewsource.inc
+++ b/program/steps/mail/viewsource.inc
@@ -19,6 +19,10 @@
  +-----------------------------------------------------------------------+
 */
 
+if (!empty($_GET['_save'])) {
+    $RCMAIL->request_security_check(rcube_utils::INPUT_GET);
+}
+
 ob_end_clean();
 
 // similar code as in program/steps/mail/get.inc

--
Gitblit v1.9.1