From ba6d2a963accba3b98fff1d9acb5f1626705d832 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Tue, 12 Jul 2011 03:44:23 +0000
Subject: [PATCH] Add clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing this to our attention) [CVE-2010-4554]
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14118 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
doc/ChangeLog | 2 ++
functions/page_header.php | 22 ++++++++++++++++++++--
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index f63b2c3c..a9c1710d 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -360,6 +360,8 @@ Version 1.5.2 - SVN
 - Allow administrators to configure subfolders of user INBOXes to be treated as special folders by adding $subfolders_of_inbox_are_special to config_local.php.
+ - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
+ for bringing this to our attention). [CVE-2010-4554]
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/functions/page_header.php b/functions/page_header.php
index 42adba64..7c09c6f7 100644
--- a/functions/page_header.php
+++ b/functions/page_header.php
@@ -56,11 +56,29 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
 //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
 $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
+ // prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+ $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+ $header_tags = '\n";
+
 $oTemplate->assign('frames', $frames);
 $oTemplate->assign('lang', $squirrelmail_language);
- $header_tags = '';
- $header_tags .= "\n";
 $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);
-- 
2.25.1
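Review bot: The JavaScript fallback reacts to being framed by a foreign origin by logging the user out (per the comment block above `$header_tags`: "if not, log out immediately"), which means any page that embeds SquirrelMail can end the user's session even though the framing itself is being refused; breaking out of the frame instead (`top.location = self.location;`) or rendering an empty body gives the same clickjacking protection without discarding the session. The script body is not visible in this extract (the `<script>` element was stripped down to `'\n"`), so the domain comparison itself cannot be reviewed here, but if it reads `top.location` or `top.document` properties directly, a cross-origin parent makes that access throw under the same-origin policy, so the comparison needs to be wrapped so that the exception path is treated as framed-by-another-origin rather than aborting the script and leaving the page unprotected. `$oTemplate->header('X-Frame-Options: SAMEORIGIN');` remains the reliable control, and the two `FIXME` comments sit at column 0 while the surrounding statements are indented; indenting them to match would keep the block readable. displayHtmlHeader continues outside the hunk.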