From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 16 Dec 2014 07:28:48 -0500
Subject: [PATCH] Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests

---
 program/include/rcmail_output_json.php |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/program/include/rcmail_output_json.php b/program/include/rcmail_output_json.php
index d0e1eec..91262ac 100644
--- a/program/include/rcmail_output_json.php
+++ b/program/include/rcmail_output_json.php
@@ -23,7 +23,7 @@
 /**
  * View class to produce JSON responses
  *
- * @package    Core
+ * @package Webmail
  * @subpackage View
  */
 class rcmail_output_json extends rcmail_output
@@ -181,6 +181,11 @@
      */
     public function raise_error($code, $message)
     {
+        if ($code == 403) {
+            header('HTTP/1.1 403 Forbidden');
+            die("Invalid Request");
+        }
+
         $this->show_message("Application Error ($code): $message", 'error');
         $this->remote_response();
         exit;
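Review bot: The new guard `if ($code == 403)` uses loose comparison, so a string code such as `'403'` (or anything PHP juggles to 403) takes the branch; `if ((int) $code === 403)` states the intent explicitly and is what the rest of a strict-typed file would expect. The added `die("Invalid Request")` also sends a body with no Content-Type, leaving the response type to the client; adding `header('Content-Type: text/plain; charset=UTF-8');` before the `die` keeps it unambiguous, and `http_response_code(403)` would avoid hard-coding `HTTP/1.1` if the project's minimum PHP version permits it. It is right that this branch does not interpolate `$message` into the body the way the normal path below does; a short comment would preserve that decision, e.g. `// 403: deliberately generic body, do not echo $message to the client`. The enclosing raise_error() closes outside the hunk.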

--
Gitblit v1.9.1