From b807084a6b33c96d2568456f367b1c5a8384660c Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 08 Aug 2012 02:55:46 -0400
Subject: [PATCH] - Fix (disable) request validation for spell and spell_html actions   Consider action whitelist also for ajax requests

---
 CHANGELOG |    1 +
 index.php |   37 +++++++++++++++++++------------------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index ba7d1a1..4ff82a4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix (disable) request validation for spell and spell_html actions
 - Add new DB abstraction layer based on PHP PDO, supporting SQLite3 (#1488332)
 - Removed PEAR::MDB2 package
 - Removed users.alias column, added option ('user_aliases')
diff --git a/index.php b/index.php
index 143d90f..0ad371a 100644
--- a/index.php
+++ b/index.php
@@ -219,27 +219,28 @@
 // CSRF prevention
 else {
   // don't check for valid request tokens in these actions
-  $request_check_whitelist = array('login'=>1, 'spell'=>1);
+  $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1);
 
-  // check client X-header to verify request origin
-  if ($OUTPUT->ajax_call) {
-    if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
-      header('HTTP/1.1 403 Forbidden');
-      die("Invalid Request");
+  if (!$request_check_whitelist[$RCMAIL->action]) {
+    // check client X-header to verify request origin
+    if ($OUTPUT->ajax_call) {
+      if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+        header('HTTP/1.1 403 Forbidden');
+        die("Invalid Request");
+      }
     }
-  }
-  // check request token in POST form submissions
-  else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
-    $OUTPUT->show_message('invalidrequest', 'error');
-    $OUTPUT->send($RCMAIL->task);
-  }
+    // check request token in POST form submissions
+    else if (!empty($_POST) && !$RCMAIL->check_request()) {
+      $OUTPUT->show_message('invalidrequest', 'error');
+      $OUTPUT->send($RCMAIL->task);
+    }
 
-  // check referer if configured
-  if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcmail::check_referer()) {
-    raise_error(array(
-      'code' => 403,
-      'type' => 'php',
-      'message' => "Referer check failed"), true, true);
+    // check referer if configured
+    if ($RCMAIL->config->get('referer_check') && !rcmail::check_referer()) {
+      raise_error(array(
+        'code' => 403, 'type' => 'php',
+        'message' => "Referer check failed"), true, true);
+    }
   }
 }
 

--
Gitblit v1.9.1