Index: program/include/rcube_shared.inc
===================================================================
--- program/include/rcube_shared.inc	(revision 790)
+++ program/include/rcube_shared.inc	(working copy)
@@ -1488,6 +1488,31 @@
   }
 
 
+/**
+ * Read a specific HTTP request header
+ *
+ * @access static
+ * @param  string $name Header name
+ * @return mixed  Header value or null if not available
+ */
+function rc_request_header($name)
+  {
+  if (function_exists('getallheaders'))
+    {
+    $hdrs = getallheaders();
+    $hdrs = array_change_key_case($hdrs, CASE_UPPER);
+    $key  = strtoupper($name);
+    }
+  else
+    {
+    $key  = 'HTTP_' . strtoupper(strtr($name, '-', '_'));
+    $hdrs = array_change_key_case($_SERVER, CASE_UPPER);
+    }
+  
+  return isset($hdrs[$key]);
+  }
+
+
 // replace the middle part of a string with ...
 // if it is longer than the allowed length
 function abbrevate_string($str, $maxlength, $place_holder='...')
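Review bot: The return statement of rc_request_header contradicts its docblock: the comment promises "Header value or null if not available", but `return isset($hdrs[$key]);` yields a bool, so callers can never read the header's actual value and can only test presence. If the value is meant to be usable (for example to compare it with server-side state rather than merely checking that it was sent), the line should be `return isset($hdrs[$key]) ? $hdrs[$key] : null;`; otherwise change the docblock to `@return bool  True if the header is present`. The `@access static` tag is also misplaced on a plain function and can be dropped.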
Index: program/js/app.js
===================================================================
--- program/js/app.js	(revision 790)
+++ program/js/app.js	(working copy)
@@ -3500,6 +3500,7 @@
 
     this.xmlhttp.onreadystatechange = function(){ ref.xmlhttp_onreadystatechange(); };
     this.xmlhttp.open('GET', url);
+    this.xmlhttp.setRequestHeader('X-RoundCube-Referer', bw.get_cookie('sessid'));
     this.xmlhttp.send(null);
     };
 
@@ -3533,6 +3534,7 @@
     this.xmlhttp.onreadystatechange = function() { ref.xmlhttp_onreadystatechange(); };
     this.xmlhttp.open('POST', url, true);
     this.xmlhttp.setRequestHeader('Content-Type', contentType);
+    this.xmlhttp.setRequestHeader('X-RoundCube-Referer', bw.get_cookie('sessid'));
     this.xmlhttp.send(req_body);
     };
 
Index: index.php
===================================================================
--- index.php	(revision 790)
+++ index.php	(working copy)
@@ -219,6 +219,15 @@
 }
 
 
+// check client X-header to verify request origin
+if ($OUTPUT->ajax_call)
+{
+  if (empty($CONFIG['devel_mode']) && !rc_request_header('X-RoundCube-Referer'))
+  {
+    header('HTTP/1.1 404 Not Found');
+    die("Invalid Request");
+  }
+}
 
 // set task and action to client
 $OUTPUT->set_env('task', $_task);
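Review bot: The new origin check only verifies that an X-RoundCube-Referer header is present; its value, which the client fills with the session identifier, is never compared against anything, so any request that carries the header at all is accepted. Requiring a custom header does block plain cross-site form posts, but the check would be stronger if rc_request_header returned the value and the condition became `rc_request_header('X-RoundCube-Referer') !== session_id()` (assuming `sessid` is the PHP session id; confirm against the session setup). A rejected request should also answer `header('HTTP/1.1 403 Forbidden');` rather than 404, which mislabels an authorization failure as a missing resource. The `devel_mode` bypass deserves a comment stating that it disables this protection entirely so it is not left on in production by accident.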
