From ebc619c149f82e9151bbf672cf065447f4d12923 Mon Sep 17 00:00:00 2001
From: alecpl <alec@alec.pl>
Date: Fri, 26 Feb 2010 03:06:48 -0500
Subject: [PATCH] - Fix CVE-2010-0464: Disable DNS prefetching (#1486449)

---
 CHANGELOG                        |    1 +
 program/include/rcube_shared.inc |    2 ++
 program/steps/mail/get.inc       |    3 +--
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 184d06a..1093b07 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG RoundCube Webmail
 ===========================
 
+- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)
 - Fix Received headers to behave better with SpamAssassin (#1486513)
 - Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473)
 - Fix adding contacts SQL error on mysql (#1486459)
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index 610023f..f4f23a2 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -39,6 +39,8 @@
   header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
   header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0");
   header("Pragma: no-cache");
+  // Request browser to disable DNS prefetching (CVE-2010-0464)
+  header("X-DNS-Prefetch-Control: off");
   
   // We need to set the following headers to make downloads work using IE in HTTPS mode.
   if (rcube_https_check()) {
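Review bot: The added `X-DNS-Prefetch-Control: off` header is a browser hint, not an enforced control — only browsers that implement it (Firefox and Chromium-based browsers at the time) honour it, others ignore it, so this mitigates rather than eliminates the leak the CVE describes. Whether an explicit `<link rel="dns-prefetch">` surviving in sanitised HTML mail is still honoured under `off` varies by browser, so the HTML washer that renders message bodies should strip such elements regardless of this header; that code is not in this diff, so it cannot be confirmed here. The rationale is worth stating next to the header for future maintainers, e.g. `// Prevent the browser from resolving hostnames of links in rendered mail ahead of time; the lookups would tell the sender's nameserver that the message was opened (CVE-2010-0464). Honoured by Firefox/Chromium only.`. The enclosing function starts before this hunk.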
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index cb938c0..a41925a 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -41,6 +41,7 @@
   $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
 }
 
+send_nocacheing_headers();
 
 // show part page
 if (!empty($_GET['_frame'])) {
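Review bot: Moving `send_nocacheing_headers()` above the `_frame` branch is what makes the `_frame` page pick up the new header, but nothing in the code records that the position matters — a later refactor could push it back below the first output, where PHP's `header()` silently fails once the response body has started. A one-line comment would pin it: `// Must run before any output so the no-cache and X-DNS-Prefetch-Control headers also cover the _frame page, not just the part download below.`. The `_frame` branch body and the rest of this step continue outside the hunk.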
@@ -66,8 +67,6 @@
     
     $browser = new rcube_browser;
 
-    send_nocacheing_headers();
-    
     // send download headers
     if ($_GET['_download']) {
       header("Content-Type: application/octet-stream");

--
Gitblit v1.9.1