Removed referer_check option (#6440)

pull/6446/head
Aleksander Machniak 6 years ago
parent d868297a0a
commit 796e5a17e6

@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail CHANGELOG Roundcube Webmail
=========================== ===========================
- Removed referer_check option (#6440)
- Update to TinyMCE 4.8.2 - Update to TinyMCE 4.8.2
- Plugin API: Added 'raise_error' hook (#6199) - Plugin API: Added 'raise_error' hook (#6199)
- Managesieve: Added support for 'editheader' extension - RFC5293 (#5954) - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)

@ -497,9 +497,6 @@ $config['trusted_host_patterns'] = array();
// check client IP in session authorization // check client IP in session authorization
$config['ip_check'] = false; $config['ip_check'] = false;
// check referer of incoming requests
$config['referer_check'] = false;
// X-Frame-Options HTTP header value sent to prevent from Clickjacking. // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
// Possible values: sameorigin|deny|allow-from <uri>. // Possible values: sameorigin|deny|allow-from <uri>.
// Set to false in order to disable sending the header. // Set to false in order to disable sending the header.

@ -926,12 +926,6 @@ class rcmail extends rcube
$error = array('code' => 403, 'message' => "Request security check failed"); $error = array('code' => 403, 'message' => "Request security check failed");
self::raise_error($error, false, true); self::raise_error($error, false, true);
} }
// check referer if configured
if ($this->config->get('referer_check') && !rcube_utils::check_referer()) {
$error = array('code' => 403, 'message' => "Referer check failed");
self::raise_error($error, true, true);
}
} }
/** /**

@ -33,7 +33,7 @@ class rcmail_install
public $bool_config_props = array(); public $bool_config_props = array();
public $local_config = array('db_dsnw', 'default_host', 'support_url', 'des_key', 'plugins'); public $local_config = array('db_dsnw', 'default_host', 'support_url', 'des_key', 'plugins');
public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane', 'debug_level'); public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane', 'debug_level', 'referer_check');
public $replaced_config = array( public $replaced_config = array(
'skin_path' => 'skin', 'skin_path' => 'skin',
'locale_string' => 'language', 'locale_string' => 'language',
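Review bot: Adding `'referer_check'` to `$obsolete_config` is the only trace this commit leaves of the option, so a site that ran with `$config['referer_check'] = true` stops enforcing the check after upgrade with no runtime signal. How `$obsolete_config` is consumed lies outside this hunk; presumably only the installer/update tooling reports it, and an administrator who never runs that tooling would not learn of the change. A short comment next to the property such as `// referer_check: removed in #6440, no longer enforced`, plus an upgrade note saying that the "Request security check" in `rcmail` is what remains, would make the change in protection explicit. The same commit deletes the public static `rcube_utils::check_referer()`, so it is worth confirming that no plugin still calls it. The `rcmail_install` class body starts and ends outside the hunk.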

@ -152,19 +152,6 @@ class rcube_utils
return filter_var($ip, FILTER_VALIDATE_IP) !== false; return filter_var($ip, FILTER_VALIDATE_IP) !== false;
} }
/**
* Check whether the HTTP referer matches the current request
*
* @return boolean True if referer is the same host+path, false if not
*/
public static function check_referer()
{
$uri = parse_url($_SERVER['REQUEST_URI']);
$referer = parse_url(self::request_header('Referer'));
return $referer['host'] == self::request_header('Host') && $referer['path'] == $uri['path'];
}
/** /**
* Replacing specials characters to a specific encoding type * Replacing specials characters to a specific encoding type
* *
