14 лет назад · 361b09f7a2
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -360,6 +360,8 @@ Version 1.5.2 - SVN
 
				   - Allow administrators to configure subfolders of user INBOXes to be
			
 
				     treated as special folders by adding $subfolders_of_inbox_are_special
			
 
				     to config_local.php.
			
 
				+  - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
			
 
				+    for bringing this to our attention). [CVE-2010-4554]
			
 
				 
			
 
				 Version 1.5.1 (branched on 2006-02-12)
			
 
				 --------------------------------------
			
--- a/functions/page_header.php
+++ b/functions/page_header.php
@@ -56,11 +56,29 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
 
				     //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
			
 
				     $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
			
 
				 
			
 
				+    // prevent clickjack attempts
			
 
				+// FIXME: should we use DENY instead?  We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
			
 
				+    $oTemplate->header('X-Frame-Options: SAMEORIGIN');
			
 
				+
			
 
				+    // prevent clickjack attempts using JavaScript for browsers that
			
 
				+    // don't support the X-Frame-Options header...
			
 
				+    // we check to see if we are *not* the top page, and if not, check
			
 
				+    // whether or not the top page is in the same domain as we are...
			
 
				+    // if not, log out immediately -- this is an attempt to do the same
			
 
				+    // thing that the X-Frame-Options does using JavaScript (never a good
			
 
				+    // idea to rely on JavaScript-based solutions, though)
			
 
				+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
			
 
				+    $header_tags = '<script type="text/javascript" language="JavaScript">'
			
 
				+       . "\n<!--\n"
			
 
				+       . 'if (self != top) { try { if (document.domain != top.document.domain) {'
			
 
				+       . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
			
 
				+       . sqm_baseuri() . 'src/signout.php"; top.location = "'
			
 
				+       . sqm_baseuri() . 'src/signout.php" } }'
			
 
				+       . "\n// -->\n</script>\n";
			
 
				+
			
 
				     $oTemplate->assign('frames', $frames);
			
 
				     $oTemplate->assign('lang', $squirrelmail_language);
			
 
				 
			
 
				-    $header_tags = '';
			
 
				-
			
 
				     $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
			
 
				 
			
 
				     $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);