X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Ffolders.php;h=92c2d2ead1282a745f1c7278625b8ee53c8fa599;hb=5facc3fca35506c6d0cbcf0233b63d275c6ee2a6;hp=03e21a7cadfc752a739d08983f2a586da4bf614c;hpb=6e515418431c0a99f10705da21366fe7093f95b6;p=squirrelmail.git
diff --git a/src/folders.php b/src/folders.php
index 03e21a7c..92c2d2ea 100644
--- a/src/folders.php
+++ b/src/folders.php
@@ -6,12 +6,15 @@
  * scripts which do most of the work. Also handles the Special
  * Folders.
  *
- * @copyright © 1999-2006 The SquirrelMail Project Team
+ * @copyright 1999-2017 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
  */
 
+/** This is the folders page */
+define('PAGE_NAME', 'folders');
+
 /**
  * Include the SquirrelMail initialization file.
  */
@@ -22,21 +25,27 @@ require_once(SM_PATH . 'functions/imap_general.php');
 require_once(SM_PATH . 'functions/folder_manip.php');
 require_once(SM_PATH . 'functions/forms.php');
 
-displayPageHeader($color, 'None');
+displayPageHeader($color);
 
 /* get globals we may need */
 sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION);
 sqgetGlobalVar('smaction', $action, SQ_POST);
+sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
 /* end of get globals */
 
-$imapConnection = sqimap_login ($username, false, $imapServerAddress, $imapPort, 0);
+global $imap_stream_options; // in case not defined in config
+$imapConnection = sqimap_login ($username, false, $imapServerAddress, $imapPort, 0, $imap_stream_options);
 
 /* switch to the right function based on what the user selected */
 if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
     switch ($action) {
         case 'create':
+
+            // first, validate security token
+            sm_validate_security_token($submitted_token, -1, TRUE);
+
             sqgetGlobalVar('folder_name', $folder_name, SQ_POST);
             sqgetGlobalVar('subfolder', $subfolder, SQ_POST);
             sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST);
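Review bot: The token check added under `case 'create'` is repeated verbatim in the rename, delete and subscribe/unsubscribe hunks below, so every state-changing action added to this `switch` later has to remember to copy it; validating once before the `switch` for every action except the two that only display a form (rename without a new name, delete without `confirmed`) would remove that hazard. The arguments `-1, TRUE` are opaque at the call site; if they mean "no token expiry" and "abort with an error page on mismatch", a comment such as `// -1: no expiry on the token; TRUE: show an error page and stop on mismatch` should accompany the call. `sqimap_login` also runs before any token is checked, so a forged request still costs an IMAP login; if the error page does not need the connection, the check can precede the login. `global $imap_stream_options;` at file scope only guarantees the variable exists (null when the config does not set it), which the trailing comment states tersely; `// make sure the variable exists (null) when config.php does not define it` would be clearer. The `switch` continues past the end of this hunk.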
@@ -51,6 +60,10 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
                 sqgetGlobalVar('old_name', $old_name, SQ_POST);
                 folders_rename_getname($imapConnection, $delimiter, $old_name);
             } else {
+
+                // first, validate security token
+                sm_validate_security_token($submitted_token, -1, TRUE);
+
                 sqgetGlobalVar('orig', $orig, SQ_POST);
                 sqgetGlobalVar('old_name', $old_name, SQ_POST);
                 folders_rename_do($imapConnection, $delimiter, $orig, $old_name, $new_name);
@@ -63,6 +76,10 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             }
             sqgetGlobalVar('folder_name', $folder_name, SQ_POST);
             if ( sqgetGlobalVar('confirmed', $dummy, SQ_POST) ) {
+
+                // first, validate security token
+                sm_validate_security_token($submitted_token, -1, TRUE);
+
                 folders_delete_do($imapConnection, $delimiter, $folder_name);
                 $td_str = _("Deleted folder successfully.");
             } else {
@@ -70,11 +87,19 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             }
             break;
         case 'subscribe':
+
+            // first, validate security token
+            sm_validate_security_token($submitted_token, -1, TRUE);
+
             sqgetGlobalVar('folder_names', $folder_names, SQ_POST);
             folders_subscribe($imapConnection, $folder_names);
             $td_str = _("Subscribed successfully.");
             break;
         case 'unsubscribe':
+
+            // first, validate security token
+            sm_validate_security_token($submitted_token, -1, TRUE);
+
             sqgetGlobalVar('folder_names', $folder_names, SQ_POST);
             folders_unsubscribe($imapConnection, $folder_names);
             $td_str = _("Unsubscribed successfully.");
@@ -88,7 +113,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
 }
 
 if (isset($td_str)) {
-    $oTemplate->assign('note', htmlspecialchars($td_str));
+    $oTemplate->assign('note', sm_encode_html_special_chars($td_str));
     $oTemplate->display('note.tpl');
 }
 
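Review bot: Nothing at `$oTemplate->assign('note', sm_encode_html_special_chars($td_str))` explains why the project wrapper replaced `htmlspecialchars`, presumably so the output charset and flags are pinned rather than left to PHP's version-dependent defaults; a one-line comment such as `// charset-aware wrapper; plain htmlspecialchars() would use PHP's default charset` would stop a later cleanup from reverting it. The same substitution is made for `$box_enc`/`$box_disp` in the folder-list hunk further down, and the same comment applies there. The `if (isset($td_str))` block is complete within this hunk.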
@@ -173,8 +198,8 @@ if ($show_only_subscribed_folders && !$no_list_for_subscribe) {
             }
             if ($use_folder) {
-                $box_enc = htmlspecialchars($box_a['unformatted-dm']);
-                $box_disp = htmlspecialchars(imap_utf7_decode_local($box_a['unformatted-disp']));
+                $box_enc = sm_encode_html_special_chars($box_a['unformatted-dm']);
+                $box_disp = sm_encode_html_special_chars(imap_utf7_decode_local($box_a['unformatted-disp']));
                 $subbox_option_list[] = array( 'Value' => $box_enc,
                                                'Display' => $box_disp);
             }
         }
@@ -193,4 +218,3 @@ $oTemplate->assign('subbox_option_list', $subbox_option_list);
 
 $oTemplate->display('folder_manip.tpl');
 $oTemplate->display('footer.tpl');
-?>
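Review bot: `$box_enc` is stored already HTML-encoded as the option `Value`, so `folder_manip.tpl` (not visible here) has to emit `Value` and `Display` without escaping them again; if the template also escapes, a mailbox name containing `&`, `<` or a quote is double-encoded and no longer matches the real mailbox when the form is posted back. A comment at the assignment, e.g. `// pre-encoded for the template: emit Value/Display raw in folder_manip.tpl`, would make that contract explicit, or the escaping could move into the template so the data stays raw on the PHP side. The enclosing loop starts before this hunk.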