From ebc619c149f82e9151bbf672cf065447f4d12923 Mon Sep 17 00:00:00 2001 From: alecpl Date: Fri, 26 Feb 2010 08:06:48 +0000 Subject: [PATCH] - Fix CVE-2010-0464: Disable DNS prefetching (#1486449) --- CHANGELOG | 1 + program/include/rcube_shared.inc | 2 ++ program/steps/mail/get.inc | 3 +-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 184d06a83..1093b0746 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG RoundCube Webmail =========================== +- Fix CVE-2010-0464: Disable DNS prefetching (#1486449) - Fix Received headers to behave better with SpamAssassin (#1486513) - Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473) - Fix adding contacts SQL error on mysql (#1486459) diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index 610023f69..f4f23a26b 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -39,6 +39,8 @@ function send_nocacheing_headers() header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0"); header("Pragma: no-cache"); + // Request browser to disable DNS prefetching (CVE-2010-0464) + header("X-DNS-Prefetch-Control: off"); // We need to set the following headers to make downloads work using IE in HTTPS mode. if (rcube_https_check()) { diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index cb938c08b..a41925a65 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -41,6 +41,7 @@ if (!empty($_GET['_uid'])) { $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET)); } +send_nocacheing_headers(); // show part page if (!empty($_GET['_frame'])) { @@ -66,8 +67,6 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) { $browser = new rcube_browser; - send_nocacheing_headers(); - // send download headers if ($_GET['_download']) { header("Content-Type: application/octet-stream");