From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response
---
program/lib/Roundcube/rcube_message.php | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php
index 3e95b2b..10ebbf6 100644
--- a/program/lib/Roundcube/rcube_message.php
+++ b/program/lib/Roundcube/rcube_message.php
@@ -108,7 +108,8 @@
'get_url' => $this->app->url(array(
'action' => 'get',
'mbox' => $this->folder,
- 'uid' => $uid))
+ 'uid' => $uid),
+ false, false, true)
);
if (!empty($this->headers->structure)) {
@@ -339,6 +340,7 @@
$level = explode('.', $part->mime_id);
$depth = count($level);
+ $last = '';
// Check if the part belongs to higher-level's multipart part
// this can be alternative/related/signed/encrypted or mixed
@@ -348,9 +350,12 @@
return true;
}
- $parent = $this->mime_parts[join('.', $level)];
+ $parent = $this->mime_parts[join('.', $level)];
+ $max_delta = $depth - (1 + ($last == 'multipart/alternative' ? 1 : 0));
+ $last = $parent->mimetype;
+
if (!preg_match('/^multipart\/(alternative|related|signed|encrypted|mixed)$/', $parent->mimetype)
- || ($parent->mimetype == 'multipart/mixed' && $parent_depth < $depth - 1)) {
+ || ($parent->mimetype == 'multipart/mixed' && $parent_depth < $max_delta)) {
continue 2;
}
}
--
Gitblit v1.9.1