From: pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Tue, 12 Jul 2011 03:44:23 +0000 (+0000)
Subject: Add clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing... 
X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=commitdiff_plain;h=ba6d2a963accba3b98fff1d9acb5f1626705d832

Add clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing this to our attention) [CVE-2010-4554]

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14118 7612ce4b-ef26-0410-bec9-ea0150e637f0
---

diff --git a/doc/ChangeLog b/doc/ChangeLog
index f63b2c3c..a9c1710d 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -360,6 +360,8 @@ Version 1.5.2 - SVN
   - Allow administrators to configure subfolders of user INBOXes to be
     treated as special folders by adding $subfolders_of_inbox_are_special
     to config_local.php.
+  - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
+    for bringing this to our attention). [CVE-2010-4554]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/functions/page_header.php b/functions/page_header.php
index 42adba64..7c09c6f7 100644
--- a/functions/page_header.php
+++ b/functions/page_header.php
@@ -56,11 +56,29 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
     //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
     $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
 
+    // prevent clickjack attempts
+// FIXME: should we use DENY instead?  We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+    $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+    // prevent clickjack attempts using JavaScript for browsers that
+    // don't support the X-Frame-Options header...
+    // we check to see if we are *not* the top page, and if not, check
+    // whether or not the top page is in the same domain as we are...
+    // if not, log out immediately -- this is an attempt to do the same
+    // thing that the X-Frame-Options does using JavaScript (never a good
+    // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+    $header_tags = '<script type="text/javascript" language="JavaScript">'
+       . "\n<!--\n"
+       . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+       . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+       . sqm_baseuri() . 'src/signout.php"; top.location = "'
+       . sqm_baseuri() . 'src/signout.php" } }'
+       . "\n// -->\n</script>\n";
+
     $oTemplate->assign('frames', $frames);
     $oTemplate->assign('lang', $squirrelmail_language);
 
-    $header_tags = '';
-
     $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
 
     $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);