From: <pdo...@us...> - 2009-10-12 21:41:11
Revision: 13864
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13864&view=rev
Author: pdontthink
Date: 2009-10-12 21:40:55 +0000 (Mon, 12 Oct 2009)
Log Message:
-----------
Remove redundant call to is_logged_in(). Thanks to Fernando Gozalo
Modified Paths:
--------------
branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
Modified: branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2009-10-12 08:44:23 UTC (rev 13863)
+++ branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2009-10-12 21:40:55 UTC (rev 13864)
@@ -48,8 +48,6 @@
 $mailtourl = '';
 }
-is_logged_in();
-
 // this value may be changed by a plugin, but initialize
 // it first to avoid register_globals headaches
 //
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
From: <pdo...@us...> - 2012-01-04 21:05:24
Revision: 14264
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=14264&view=rev
Author: pdontthink
Date: 2012-01-04 21:05:17 +0000 (Wed, 04 Jan 2012)
Log Message:
-----------
For environments where $browser_rendering_mode is not yet in the config file
Modified Paths:
--------------
branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
Modified: branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2012-01-04 21:03:41 UTC (rev 14263)
+++ branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2012-01-04 21:05:17 UTC (rev 14264)
@@ -68,6 +68,7 @@
 set_up_language($my_language);
+global $browser_rendering_mode;
 $output = ($browser_rendering_mode === 'standards' || $browser_rendering_mode === 'almost' ? '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">' : /* "quirks" */ '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">').
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
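Review bot: `global $browser_rendering_mode;` sits at what appears to be file scope in src/webmail.php, where it does nothing as a scoping statement; its only effect is to define the variable (as null) when config.php predates the setting, so the `===` comparisons on the following line fall through to the quirks doctype without an undefined-variable notice. That intent is invisible on the line itself and a later reader may well drop it as dead code. An explicit fallback states both the intent and the default the ternary already encodes, e.g. `if (!isset($browser_rendering_mode)) { $browser_rendering_mode = 'quirks'; } // config.php files older than this setting do not define it`, assuming nothing downstream distinguishes null from 'quirks'. The `$output = (...)` statement that follows continues past the end of the hunk.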
From: <pdo...@us...> - 2017-09-13 01:20:34
Revision: 14718
http://sourceforge.net/p/squirrelmail/code/14718
Author: pdontthink
Date: 2017-09-13 01:20:32 +0000 (Wed, 13 Sep 2017)
Log Message:
-----------
We've long had clickjack prevention in page_header.php but let's put it in webmail.php too
Modified Paths:
--------------
branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
Modified: branches/SM-1_4-STABLE/squirrelmail/src/webmail.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2017-09-12 19:05:35 UTC (rev 14717)
+++ branches/SM-1_4-STABLE/squirrelmail/src/webmail.php	2017-09-13 01:20:32 UTC (rev 14718)
@@ -68,15 +68,35 @@
 set_up_language($my_language);
+// prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+header('X-Frame-Options: SAMEORIGIN');
+
 global $browser_rendering_mode;
 $output = ($browser_rendering_mode === 'standards' || $browser_rendering_mode === 'almost' ? '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">' : /* "quirks" */ '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">').
- "\n<html><head>\n" .
- "<meta name=\"robots\" content=\"noindex,nofollow\">\n" .
- "<title>$org_title</title>\n".
- "</head>";
+ "\n<html><head>\n"
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+ . '<script type="text/javascript" language="JavaScript">'
+ . "\n<!--\n"
+ . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+ ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+ . sqm_baseuri() . 'src/signout.php"; top.location = "'
+ . sqm_baseuri() . 'src/signout.php" } }'
+ . "\n// -->\n</script>\n"
+
+ . "<meta name=\"robots\" content=\"noindex,nofollow\">\n"
+ . "<title>$org_title</title>\n"
+ . "</head>";
+
 $left_size = getPref($data_dir, $username, 'left_size');
 $location_of_bar = getPref($data_dir, $username, 'location_of_bar');
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
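Review bot: The return value of `sqm_baseuri()` is concatenated unescaped into a double-quoted JavaScript string inside the inline `<script>` (`self.location = "' . sqm_baseuri() . 'src/signout.php"` and again for `top.location`); its source is not visible in this hunk, but if it is derived from `PHP_SELF`/`SCRIPT_NAME` as the name suggests, a `"`, `\` or `</script>` in it would break out of the string or the script element. Compute it once and escape it for the JS-in-HTML context before concatenation, e.g. `$signout_url = addslashes(sqm_baseuri() . 'src/signout.php');` together with a refusal (or fallback to a fixed path) when it contains `<`, or restrict it to an allow-list of URL path characters. On the FIXME: `DENY` is the stricter choice for this frameset parent, which is not meant to be framed unless an admin explicitly wants that, while the child frames it loads still depend on page_header.php continuing to send `SAMEORIGIN`; in either case also emit `Content-Security-Policy: frame-ancestors 'self'` next to the `X-Frame-Options` header, since current browsers give CSP precedence and the JavaScript fallback never runs inside a sandboxed iframe. As extracted, the `' throw "Clickjacking security violation! …'` line carries no leading `.` concatenation operator; if that is not an extraction artifact it is a parse error and should be verified against the committed file.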