From 881217a5c95dbfe4e62154a2c0edd135b504220e Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Thu, 16 Jul 2009 11:01:05 -0400
Subject: [PATCH] Force ajax calls to protect from CSRF
---
program/steps/mail/folders.inc | 6 +++++-
program/steps/addressbook/delete.inc | 5 +++--
program/steps/mail/mark.inc | 6 +++++-
program/steps/mail/sendmdn.inc | 3 +++
program/steps/addressbook/copy.inc | 4 ++++
program/steps/mail/addcontact.inc | 6 +++++-
program/steps/mail/move_del.inc | 6 +++++-
7 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/program/steps/addressbook/copy.inc b/program/steps/addressbook/copy.inc
index 75190a6..a27b67b 100644
--- a/program/steps/addressbook/copy.inc
+++ b/program/steps/addressbook/copy.inc
@@ -19,6 +19,10 @@
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
$target = get_input_value('_to', RCUBE_INPUT_POST);
if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source)
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index 6ab9cc3..1611ae1 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -5,7 +5,7 @@
| program/steps/addressbook/delete.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -19,7 +19,8 @@
*/
-if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) &&
+if ($OUTPUT->ajax_call &&
+ ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) &&
(preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) ||
preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid))
)
diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc
index 5f8c6d1..23e6579 100644
--- a/program/steps/mail/addcontact.inc
+++ b/program/steps/mail/addcontact.inc
@@ -5,7 +5,7 @@
| program/steps/mail/addcontact.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -19,6 +19,10 @@
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
$done = false;
$CONTACTS = $RCMAIL->get_address_book(null, true);
diff --git a/program/steps/mail/folders.inc b/program/steps/mail/folders.inc
index 7fd1f62..dc086b1 100644
--- a/program/steps/mail/folders.inc
+++ b/program/steps/mail/folders.inc
@@ -5,7 +5,7 @@
| program/steps/mail/folders.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -18,6 +18,10 @@
$Id$
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
$mbox_name = $IMAP->get_mailbox_name();
// send EXPUNGE command
diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc
index 339beca..c3ddf7b 100644
--- a/program/steps/mail/mark.inc
+++ b/program/steps/mail/mark.inc
@@ -4,7 +4,7 @@
| program/steps/mail/mark.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -18,6 +18,10 @@
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
$a_flags_map = array(
'undelete' => 'UNDELETED',
'delete' => 'DELETED',
diff --git a/program/steps/mail/move_del.inc b/program/steps/mail/move_del.inc
index d22cd35..103d69e 100644
--- a/program/steps/mail/move_del.inc
+++ b/program/steps/mail/move_del.inc
@@ -5,7 +5,7 @@
| program/steps/mail/move_del.inc |
| |
| This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
@@ -19,6 +19,10 @@
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
// count messages before changing anything
$old_count = $IMAP->messagecount();
$old_pages = ceil($old_count / $IMAP->page_size);
diff --git a/program/steps/mail/sendmdn.inc b/program/steps/mail/sendmdn.inc
index c3294e7..f1fb792 100644
--- a/program/steps/mail/sendmdn.inc
+++ b/program/steps/mail/sendmdn.inc
@@ -19,6 +19,9 @@
*/
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
if (!empty($_POST['_uid'])) {
$sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error);
--
Gitblit v1.9.1