| | |
|---|
| | | */ |
|---|
| | | public function set_skin($skin) |
|---|
| | | { |
|---|
| | | // Sanity check to prevent from path traversal vulnerability (#1490620) |
|---|
| | | if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) { |
|---|
| | | rcube::raise_error(array( |
|---|
| | | 'file' => __FILE__, |
|---|
| | | 'line' => __LINE__, |
|---|
| | | 'message' => 'Invalid skin name' |
|---|
| | | ), true, false); |
|---|
| | | |
|---|
| | | return false; |
|---|
| | | } |
|---|
| | | |
|---|
| | | $valid = false; |
|---|
| | | $path = RCUBE_INSTALL_PATH . 'skins/'; |
|---|
| | | |
|---|
| | |
|---|
| | | // write all javascript commands |
|---|
| | | $this->add_script($commands, 'head_top'); |
|---|
| | | |
|---|
| | | // send clickjacking protection headers |
|---|
| | | // allow (legal) iframe content to be loaded |
|---|
| | | $iframe = $this->framed || $this->env['framed']; |
|---|
| | | if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) { |
|---|
| | | header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); |
|---|
| | | if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') { |
|---|
| | | header('X-Frame-Options: sameorigin', true); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // call super method |
|---|
