- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG RoundCube Webmail
 ===========================
 
+- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)
 - Fix Received headers to behave better with SpamAssassin (#1486513)
 - Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473)
 - Fix adding contacts SQL error on mysql (#1486459)

program/include/rcube_shared.inc

@@ -39,6 +39,8 @@ function send_nocacheing_headers()
   header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
   header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0");
   header("Pragma: no-cache");
+  // Request browser to disable DNS prefetching (CVE-2010-0464)
+  header("X-DNS-Prefetch-Control: off");
   
   // We need to set the following headers to make downloads work using IE in HTTPS mode.
   if (rcube_https_check()) {

program/steps/mail/get.inc

@@ -41,6 +41,7 @@ if (!empty($_GET['_uid'])) {
   $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
 }
 
+send_nocacheing_headers();
 
 // show part page
 if (!empty($_GET['_frame'])) {
@@ -66,8 +67,6 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
     
     $browser = new rcube_browser;
 
-    send_nocacheing_headers();
-    
     // send download headers
     if ($_GET['_download']) {
       header("Content-Type: application/octet-stream");