X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsearch.php;h=43db16e0d5b26c756e916b0df47db71bf249d4f3;hb=865050ce6daedb8dbbbb568a36e802b0b6459565;hp=6520fc281daac92528ccb5b2e1377184dda8a00f;hpb=969c1e9fcec1fb8c0e67004dc5f22aee9cc4d003;p=squirrelmail.git diff --git a/src/search.php b/src/search.php index 6520fc28..43db16e0 100644 --- a/src/search.php +++ b/src/search.php @@ -8,7 +8,7 @@ * Subfolder search idea from Patch #806075 by Thomas Pohl xraven at users.sourceforge.net. Thanks Thomas! * * @author Alex Lemaresquier - Brainstorm - * @copyright © 1999-2007 The SquirrelMail Project Team + * @copyright 1999-2010 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -674,13 +674,13 @@ function asearch_print_query_array(&$boxes, &$query_array, &$query_keys, &$actio $oTemplate->assign('expand_collapse_toggle', '../src/search.php?'.$show_pref.'='.($show_flag==1 ? 0 : 1)); $oTemplate->assign('query_list', $a); - $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&rownum='); - $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&rownum='); - $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&rownum='); + $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&smtoken=' . sm_generate_security_token() . '&rownum='); - $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&rownum='); - $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&rownum='); - $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&rownum='); + $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&smtoken=' . sm_generate_security_token() . '&rownum='); $oTemplate->display('search_list.tpl'); } @@ -806,7 +806,8 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra $oTemplate->assign('criteria', $c); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search_advanced.tpl'); echo "
\n"; } @@ -866,7 +867,8 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio $oTemplate->assign('where_sel', $where); $oTemplate->assign('what_val', $what); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search.tpl'); echo "
\n"; } @@ -891,6 +893,7 @@ function sqimap_asearch_get_selectable_unformatted_mailboxes(&$boxes) /* ------------------------ main ------------------------ */ /* get globals we will need */ +sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, ''); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); if (!sqgetGlobalVar('checkall',$checkall,SQ_GET)) { @@ -1179,6 +1182,10 @@ if ((empty($submit)) && (!empty($where_array))) { if (!isset($submit)) { $submit = ''; } else { + + // first validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + switch ($submit) { case $search_button_text: if (asearch_check_query($where_array, $what_array, $exclude_array) == '') { @@ -1374,16 +1381,20 @@ if (isset($aMailbox['FORWARD_SESSION'])) { $compose_height = '550'; } // do not use &, it will break the query string and $session will not be detected!!! - $comp_uri = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $comp_uri = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); displayPageHeader($color, $mailbox, "comp_in_new('$comp_uri', $compose_width, $compose_height);", false); } else { // save mailboxstate sqsession_register($aMailbox,'aLastSelectedMailbox'); session_write_close(); // we have to redirect to the compose page - $location = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $location = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); header("Location: $location"); exit; } @@ -1593,7 +1604,7 @@ if ($submit == $search_button_text) { */ if ($aMailbox['EXISTS'] > 0) { if ($iError) { - // TODO + // TODO: Implement an error handler in the search page. echo "ERROR occured, errorhandler will be implemented very soon"; } else { foreach ($aTemplate as $k => $v) { @@ -1628,6 +1639,10 @@ if ($submit == $search_button_text) { global $show_personal_names; $oTemplate->assign('show_personal_names', $show_personal_names); + global $accesskey_mailbox_toggle_selected, $accesskey_mailbox_thread; + $oTemplate->assign('accesskey_mailbox_toggle_selected', $accesskey_mailbox_toggle_selected); + $oTemplate->assign('accesskey_mailbox_thread', $accesskey_mailbox_thread); + $oTemplate->display('message_list.tpl'); } }