diff options
author | Thomas Bruederli <thomas@roundcube.net> | 2016-01-16 19:48:22 +0300 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2016-03-06 16:31:07 +0300 |
commit | 4a408843b0ef816daf70a472a02b78cd6073a4d5 (patch) | |
tree | cacb8d3c24c016948b4f22b15e0f9d0402db81d5 /plugins | |
parent | d4df3748cfaacadf52b19eb37b2a476df80525a9 (diff) |
Protect download urls against CSRF using unique request tokens (#1490642)
Send X-Frame-Options headers with every HTTP response
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/enigma/enigma.js | 2 | ||||
-rw-r--r-- | plugins/enigma/lib/enigma_ui.php | 2 | ||||
-rw-r--r-- | plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 2 | ||||
-rw-r--r-- | plugins/managesieve/managesieve.js | 2 | ||||
-rw-r--r-- | plugins/zipdownload/zipdownload.js | 2 | ||||
-rw-r--r-- | plugins/zipdownload/zipdownload.php | 6 |
6 files changed, 12 insertions, 4 deletions
diff --git a/plugins/enigma/enigma.js b/plugins/enigma/enigma.js index bd52d047a..a5497f4b3 100644 --- a/plugins/enigma/enigma.js +++ b/plugins/enigma/enigma.js @@ -157,7 +157,7 @@ rcube_webmail.prototype.enigma_export = function(selected) if (!keys.length) return; - this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys}); + this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys}, false, true); }; // Submit key(s) import form diff --git a/plugins/enigma/lib/enigma_ui.php b/plugins/enigma/lib/enigma_ui.php index dfdacc7a6..ca28c321a 100644 --- a/plugins/enigma/lib/enigma_ui.php +++ b/plugins/enigma/lib/enigma_ui.php @@ -459,6 +459,8 @@ class enigma_ui */ private function key_export() { + $this->rc->request_security_check(rcube_utils::INPUT_GET); + $keys = rcube_utils::get_input_value('_keys', rcube_utils::INPUT_GPC); $engine = $this->enigma->load_engine(); $list = $keys == '*' ? $engine->list_keys() : explode(',', $keys); diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php index 67c921161..3fb168443 100644 --- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php +++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php @@ -397,6 +397,8 @@ class rcube_sieve_engine } } else if ($action == 'setget') { + $this->rc->request_security_check(rcube_utils::INPUT_GET); + $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); $script = $this->sieve->get_script($script_name); diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js index a69fa5a58..117f01a5a 100644 --- a/plugins/managesieve/managesieve.js +++ b/plugins/managesieve/managesieve.js @@ -181,7 +181,7 @@ rcube_webmail.prototype.managesieve_setget = function() var id = this.filtersets_list.get_single_selection(), script = this.env.filtersets[id]; - location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script); + this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true); }; // Set activate/deactivate request diff --git a/plugins/zipdownload/zipdownload.js b/plugins/zipdownload/zipdownload.js index 228b04f8f..6f918d298 100644 --- a/plugins/zipdownload/zipdownload.js +++ b/plugins/zipdownload/zipdownload.js @@ -54,7 +54,7 @@ function rcmail_zipdownload(mode) // default .eml download of single message if (mode == 'eml') { var uid = rcmail.get_single_uid(); - rcmail.goto_url('viewsource', rcmail.params_from_uid(uid, {_save: 1})); + rcmail.goto_url('viewsource', rcmail.params_from_uid(uid, {_save: 1}), false, true); return; } diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php index 2928f4978..241de5489 100644 --- a/plugins/zipdownload/zipdownload.php +++ b/plugins/zipdownload/zipdownload.php @@ -63,7 +63,7 @@ class zipdownload extends rcube_plugin '_action' => 'plugin.zipdownload.attachments', '_mbox' => $rcmail->output->env['mailbox'], '_uid' => $rcmail->output->env['uid'], - )); + ), false, false, true); $link = html::a(array('href' => $href, 'class' => 'button zipdownload'), rcube::Q($this->gettext('downloadall')) @@ -120,6 +120,10 @@ class zipdownload extends rcube_plugin public function download_attachments() { $rcmail = rcmail::get_instance(); + + // require CSRF protected request + $rcmail->request_security_check(rcube_utils::INPUT_GET); + $imap = $rcmail->get_storage(); $temp_dir = $rcmail->config->get('temp_dir'); $tmpfname = tempnam($temp_dir, 'zipdownload'); |