X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=src%2Fsearch.php;h=0b642bcb0fcf1672aa8b96454784bdcf732ab31d;hb=45e7eca2bbcb3bb643893e84bfca0d742854376b;hp=113077d1f1c9ea9f68734ba5a4abfec47a9449d9;hpb=47485591c277f6da6aab7fe2b18482ea93234105;p=squirrelmail.git diff --git a/src/search.php b/src/search.php index 113077d1..0b642bcb 100644 --- a/src/search.php +++ b/src/search.php @@ -8,7 +8,7 @@ * Subfolder search idea from Patch #806075 by Thomas Pohl xraven at users.sourceforge.net. Thanks Thomas! * * @author Alex Lemaresquier - Brainstorm - * @copyright © 1999-2007 The SquirrelMail Project Team + * @copyright 1999-2012 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -674,13 +674,13 @@ function asearch_print_query_array(&$boxes, &$query_array, &$query_keys, &$actio $oTemplate->assign('expand_collapse_toggle', '../src/search.php?'.$show_pref.'='.($show_flag==1 ? 0 : 1)); $oTemplate->assign('query_list', $a); - $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&rownum='); - $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&rownum='); - $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&rownum='); + $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&smtoken=' . sm_generate_security_token() . '&rownum='); - $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&rownum='); - $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&rownum='); - $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&rownum='); + $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&smtoken=' . sm_generate_security_token() . '&rownum='); $oTemplate->display('search_list.tpl'); } @@ -806,7 +806,8 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra $oTemplate->assign('criteria', $c); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search_advanced.tpl'); echo "
\n"; } @@ -866,7 +867,8 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio $oTemplate->assign('where_sel', $where); $oTemplate->assign('what_val', $what); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search.tpl'); echo "
\n"; } @@ -891,6 +893,7 @@ function sqimap_asearch_get_selectable_unformatted_mailboxes(&$boxes) /* ------------------------ main ------------------------ */ /* get globals we will need */ +sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, ''); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); if (!sqgetGlobalVar('checkall',$checkall,SQ_GET)) { @@ -1179,6 +1182,10 @@ if ((empty($submit)) && (!empty($where_array))) { if (!isset($submit)) { $submit = ''; } else { + + // first validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + switch ($submit) { case $search_button_text: if (asearch_check_query($where_array, $what_array, $exclude_array) == '') { @@ -1374,16 +1381,20 @@ if (isset($aMailbox['FORWARD_SESSION'])) { $compose_height = '550'; } // do not use &, it will break the query string and $session will not be detected!!! - $comp_uri = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $comp_uri = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); displayPageHeader($color, $mailbox, "comp_in_new('$comp_uri', $compose_width, $compose_height);", false); } else { // save mailboxstate sqsession_register($aMailbox,'aLastSelectedMailbox'); session_write_close(); // we have to redirect to the compose page - $location = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $location = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); header("Location: $location"); exit; } @@ -1593,7 +1604,7 @@ if ($submit == $search_button_text) { */ if ($aMailbox['EXISTS'] > 0) { if ($iError) { - // TODO + // TODO: Implement an error handler in the search page. echo "ERROR occured, errorhandler will be implemented very soon"; } else { foreach ($aTemplate as $k => $v) {