Force ajax calls to protect from CSRF

release-0.6
thomascube 15 years ago
parent 7477973d93
commit 881217a5c9

@ -19,6 +19,10 @@
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
$cid = get_input_value('_cid', RCUBE_INPUT_POST); $cid = get_input_value('_cid', RCUBE_INPUT_POST);
$target = get_input_value('_to', RCUBE_INPUT_POST); $target = get_input_value('_to', RCUBE_INPUT_POST);
if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source) if ($cid && preg_match('/^[a-z0-9\-_=]+(,[a-z0-9\-_=]+)*$/i', $cid) && strlen($target) && $target != $source)
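Review bot: The new guard assumes that a request flagged as an AJAX call can only have come from the application's own JavaScript, but what sets `$OUTPUT->ajax_call` is not visible in this hunk; if it is derived from a request parameter or the requested response format rather than from something a cross-site form cannot supply, a forged POST can still satisfy the check, so this should be confirmed against the rcmail bootstrap. A per-session request token validated on every state-changing POST is the guard that does not depend on how the request was sent, and the comment should say what the check is for, e.g. `// only process ajax requests (state-changing actions must not be reachable by a plain form POST)`. The same three-line block is copied into addressbook/delete.inc, mail/addcontact.inc, mail/folders.inc, mail/mark.inc, mail/move_del.inc and the final hunk; doing the check once in the dispatcher before the step file is included would keep a future step from silently missing it. The step file continues outside the hunk.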

@ -5,7 +5,7 @@
| program/steps/addressbook/delete.inc | | program/steps/addressbook/delete.inc |
| | | |
| This file is part of the RoundCube Webmail client | | This file is part of the RoundCube Webmail client |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL | | Licensed under the GNU GPL |
| | | |
| PURPOSE: | | PURPOSE: |
@ -19,7 +19,8 @@
*/ */
if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && if ($OUTPUT->ajax_call &&
($cid = get_input_value('_cid', RCUBE_INPUT_POST)) &&
(preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) || (preg_match('/^[0-9]+(,[0-9]+)*$/', $cid) ||
preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid)) preg_match('/^[a-zA-Z0-9=]+(,[a-zA-Z0-9=]+)*$/', $cid))
) )

@ -5,7 +5,7 @@
| program/steps/mail/addcontact.inc | | program/steps/mail/addcontact.inc |
| | | |
| This file is part of the RoundCube Webmail client | | This file is part of the RoundCube Webmail client |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL | | Licensed under the GNU GPL |
| | | |
| PURPOSE: | | PURPOSE: |
@ -19,6 +19,10 @@
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
$done = false; $done = false;
$CONTACTS = $RCMAIL->get_address_book(null, true); $CONTACTS = $RCMAIL->get_address_book(null, true);

@ -5,7 +5,7 @@
| program/steps/mail/folders.inc | | program/steps/mail/folders.inc |
| | | |
| This file is part of the RoundCube Webmail client | | This file is part of the RoundCube Webmail client |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL | | Licensed under the GNU GPL |
| | | |
| PURPOSE: | | PURPOSE: |
@ -18,6 +18,10 @@
$Id$ $Id$
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
$mbox_name = $IMAP->get_mailbox_name(); $mbox_name = $IMAP->get_mailbox_name();
// send EXPUNGE command // send EXPUNGE command

@ -4,7 +4,7 @@
| program/steps/mail/mark.inc | | program/steps/mail/mark.inc |
| | | |
| This file is part of the RoundCube Webmail client | | This file is part of the RoundCube Webmail client |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL | | Licensed under the GNU GPL |
| | | |
| PURPOSE: | | PURPOSE: |
@ -18,6 +18,10 @@
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
$a_flags_map = array( $a_flags_map = array(
'undelete' => 'UNDELETED', 'undelete' => 'UNDELETED',
'delete' => 'DELETED', 'delete' => 'DELETED',

@ -5,7 +5,7 @@
| program/steps/mail/move_del.inc | | program/steps/mail/move_del.inc |
| | | |
| This file is part of the RoundCube Webmail client | | This file is part of the RoundCube Webmail client |
| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL | | Licensed under the GNU GPL |
| | | |
| PURPOSE: | | PURPOSE: |
@ -19,6 +19,10 @@
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
// count messages before changing anything // count messages before changing anything
$old_count = $IMAP->messagecount(); $old_count = $IMAP->messagecount();
$old_pages = ceil($old_count / $IMAP->page_size); $old_pages = ceil($old_count / $IMAP->page_size);

@ -19,6 +19,9 @@
*/ */
// only process ajax requests
if (!$OUTPUT->ajax_call)
return;
if (!empty($_POST['_uid'])) { if (!empty($_POST['_uid'])) {
$sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error); $sent = rcmail_send_mdn(get_input_value('_uid', RCUBE_INPUT_POST), $smtp_error);
