/** * CSRF attack prevention code * * @param int Request mode */ public function request_security_check($mode = rcube_utils::INPUT_POST) { // check request token if (!$this->check_request($mode)) { self::raise_error(array('code' => 403, 'type' => 'php', 'message' => "Request security check failed"), false, true); } // check referer if configured if ($this->config->get('referer_check') && !rcube_utils::check_referer()) { self::raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true); } }
function rcube_check_referer() { return rcube_utils::check_referer(); }
$request_check_whitelist = array('login' => 1, 'spell' => 1, 'spell_html' => 1); if (!$request_check_whitelist[$RCMAIL->action]) { // check client X-header to verify request origin if ($OUTPUT->ajax_call) { if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { header('HTTP/1.1 403 Forbidden'); die("Invalid Request"); } } else { if (!empty($_POST) && !$RCMAIL->check_request()) { $OUTPUT->show_message('invalidrequest', 'error'); $OUTPUT->send($RCMAIL->task); } } // check referer if configured if ($RCMAIL->config->get('referer_check') && !rcube_utils::check_referer()) { raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true); } } } // we're ready, user is authenticated and the request is safe $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action)); $RCMAIL->set_task($plugin['task']); $RCMAIL->action = $plugin['action']; // handle special actions if ($RCMAIL->action == 'keep-alive') { $OUTPUT->reset(); $RCMAIL->plugins->exec_hook('keep_alive', array()); $OUTPUT->send(); } else { if ($RCMAIL->action == 'save-pref') {
function rcube_check_referer() { _deprecation_warning(__FUNCTION__); return rcube_utils::check_referer(); }