Allow more liberal reuse of tokens to avoid cross-frame conflicts

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14383 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/mailbox_display.php b/functions/mailbox_display.php
index 28398603feef0d1f5a056f5c1cac670c6f4143ff..542a4edeaa16318542764e18f79aad625651b8e8 100644 (file)
--- a/functions/mailbox_display.php
+++ b/functions/mailbox_display.php
@@ -1297,7 +1297,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
         // don't do anything to any messages until we have done security check
         // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
         sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');
-        sm_validate_security_token($submitted_token, 3600, TRUE);
+        sm_validate_security_token($submitted_token, -1, TRUE);
 
         // make sure message UIDs are sanitized (BIGINT)
         foreach ($aUid as $i => $uid)

diff --git a/functions/strings.php b/functions/strings.php
index 5a1c5b8f2c5856d33c206c7936565adfb7decd0a..229fcfc2fc3352c27a34c26d5456425cfc4beaf3 100644 (file)
--- a/functions/strings.php
+++ b/functions/strings.php
@@ -1601,10 +1601,12 @@ function sm_generate_security_token($force_generate_new=FALSE)
   * @param string  $token           The token to validate
   * @param int     $validity_period The number of seconds tokens are valid
   *                                 for (set to zero to remove valid tokens
-  *                                 after only one use; use 3600 to allow
-  *                                 tokens to be reused for an hour)
-  *                                 (OPTIONAL; default is to only allow tokens
-  *                                 to be used once)
+  *                                 after only one use; set to -1 to allow
+  *                                 indefinite re-use (but still subject to
+  *                                 $max_token_age_days - see elsewhere);
+  *                                 use 3600 to allow tokens to be reused for
+  *                                 an hour) (OPTIONAL; default is to only
+  *                                 allow tokens to be used once)
   *                                 NOTE this is unrelated to $max_token_age_days
   *                                 or rather is an additional time constraint on
   *                                 tokens that allows them to be re-used (or not)
@@ -1649,9 +1651,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
    $timestamp = $tokens[$token];
 
    // whether valid or not, we want to remove it from
-   // user prefs if it's old enough
+   // user prefs if it's old enough (unless requested to
+   // bypass this (in which case $validity_period is -1))
    //
-   if ($timestamp < $now - $validity_period)
+   if ($validity_period >= 0
+    && $timestamp < $now - $validity_period)
    {
       unset($tokens[$token]);
       setPref($data_dir, $username, 'security_tokens', serialize($tokens));

diff --git a/plugins/change_password/options.php b/plugins/change_password/options.php
index 474fe6194bee27f84ff9febb39a8d18f1a2f2ab6..2a3506a6be576f086e96a54cd869fd6e2231d268 100644 (file)
--- a/plugins/change_password/options.php
+++ b/plugins/change_password/options.php
@@ -56,7 +56,7 @@ if(sqgetGlobalVar('cpw_go', $cpw_go, SQ_POST)) {
 
     // security check
     sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /* perform basic checks */
     $Messages = cpw_check_input();

diff --git a/plugins/squirrelspell/modules/lang_change.mod b/plugins/squirrelspell/modules/lang_change.mod
index b1a40b03974801017a49d7be5b94802c8fff2182..96525346c9bfedff7dd2e04b0e1abb6470856462 100644 (file)
--- a/plugins/squirrelspell/modules/lang_change.mod
+++ b/plugins/squirrelspell/modules/lang_change.mod
@@ -17,7 +17,7 @@
  */
 
 sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
-sm_validate_security_token($submitted_token, 3600, TRUE);
+sm_validate_security_token($submitted_token, -1, TRUE);
 
 global $SQSPELL_APP_DEFAULT;
 

diff --git a/src/addressbook.php b/src/addressbook.php
index d5081261f0799ee27d7ec43acb2b6e3fa79f1c1c..96522252f22d924d48c895311546fd091bf6a3a7 100644 (file)
--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -99,7 +99,7 @@ $form_url = 'addressbook.php';
 if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
 
     // first, validate security token
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /**************************************************
      * Add new address                                *

diff --git a/src/compose.php b/src/compose.php
index 7c051643cf7fc0af81efb6511d538edb2645efff..be9f6df51493cd537808b199a4cff8ebca426558 100644 (file)
--- a/src/compose.php
+++ b/src/compose.php
@@ -415,7 +415,7 @@ if ($draft) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /*
      * Set $default_charset to correspond with the user's selection
@@ -474,7 +474,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if (isset($_FILES['attachfile']) &&
             $_FILES['attachfile']['tmp_name'] &&
@@ -601,7 +601,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
@@ -650,7 +650,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
@@ -666,7 +666,7 @@ elseif (isset($sigappend)) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $signature = $idents[$identity]['signature'];
 
@@ -681,7 +681,7 @@ elseif (isset($sigappend)) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);

diff --git a/src/empty_trash.php b/src/empty_trash.php
index 05c5f3a43a237db4ff47ebce12566088d9a8da8b..1db9d07e4b06c7e98f13484f7221b06d7878c4e2 100644 (file)
--- a/src/empty_trash.php
+++ b/src/empty_trash.php
@@ -32,7 +32,7 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION);
 
 // first do a security check
 sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
-sm_validate_security_token($submitted_token, 3600, TRUE);
+sm_validate_security_token($submitted_token, -1, TRUE);
 
 $imap_stream = sqimap_login($username, false, $imapServerAddress, $imapPort, 0);
 

diff --git a/src/folders.php b/src/folders.php
index 1a1f402df41002e93750ed43bf8423a49caaf701..28a8302c839752095fcd9a0e1dd2ea8a3ee5bbab 100644 (file)
--- a/src/folders.php
+++ b/src/folders.php
@@ -43,7 +43,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'create':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_name',  $folder_name,  SQ_POST);
             sqgetGlobalVar('subfolder',    $subfolder,    SQ_POST);
@@ -61,7 +61,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             } else {
 
                 // first, validate security token
-                sm_validate_security_token($submitted_token, 3600, TRUE);
+                sm_validate_security_token($submitted_token, -1, TRUE);
 
                 sqgetGlobalVar('orig',        $orig,     SQ_POST);
                 sqgetGlobalVar('old_name',    $old_name, SQ_POST);
@@ -77,7 +77,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             if ( sqgetGlobalVar('confirmed', $dummy, SQ_POST) ) {
 
                 // first, validate security token
-                sm_validate_security_token($submitted_token, 3600, TRUE);
+                sm_validate_security_token($submitted_token, -1, TRUE);
 
                 folders_delete_do($imapConnection, $delimiter, $folder_name);
                 $td_str =  _("Deleted folder successfully.");
@@ -88,7 +88,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'subscribe':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_names',  $folder_names,  SQ_POST);
             folders_subscribe($imapConnection, $folder_names);
@@ -97,7 +97,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'unsubscribe':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_names',  $folder_names,  SQ_POST);
             folders_unsubscribe($imapConnection, $folder_names);

diff --git a/src/options.php b/src/options.php
index 2a3fd2a42e76f7496cf0ea5b710c1ceb6d1a72ce..1a1e14ef72643aef3ac0030405d1ddf369fedb58 100644 (file)
--- a/src/options.php
+++ b/src/options.php
@@ -203,7 +203,7 @@ if ( !@is_file( $optpage_file ) ) {
 // security check before saving anything...
 //FIXME: what about SMOPT_MODE_LINK??
 if ($optmode == SMOPT_MODE_SUBMIT) {
-   sm_validate_security_token($submitted_token, 3600, TRUE);
+   sm_validate_security_token($submitted_token, -1, TRUE);
 }
 
 $optpage_save_error=array();

diff --git a/src/options_highlight.php b/src/options_highlight.php
index a1c6a545876b0ce36bf68723b62c4636e2e63459..6e9af744258efe8649bfa45c460bc3c3593746c4 100644 (file)
--- a/src/options_highlight.php
+++ b/src/options_highlight.php
@@ -55,7 +55,7 @@ if (isset($theid) && ($action == 'delete') ||
                      ($action == 'down')) {
 
     // security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $new_rules = array();
     switch($action) {
@@ -92,7 +92,7 @@ if (isset($theid) && ($action == 'delete') ||
 } else if ($action == 'save') {
 
     // security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($color_type == 1) $newcolor = $newcolor_choose;
     elseif ($color_type == 2) $newcolor = $newcolor_input;

diff --git a/src/options_identities.php b/src/options_identities.php
index 92a4600dab087433296d109df1aa430cfeaf5476..69efa2481cfbeffc787902182598f21cbe84096b 100644 (file)
--- a/src/options_identities.php
+++ b/src/options_identities.php
@@ -44,7 +44,7 @@ sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
 if (!empty($smaction) && is_array($smaction)) {
 
     // first do a security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $doaction = '';
     $identid = 0;

diff --git a/src/search.php b/src/search.php
index e6dfe1167e21297e03e82c5cdb460fa2f6f86d1f..90c9bdb3db8d27772e82b5ee37429f9504c366c4 100644 (file)
--- a/src/search.php
+++ b/src/search.php
@@ -1184,7 +1184,7 @@ if (!isset($submit)) {
 } else {
 
     // first validate security token
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     switch ($submit) {
       case $search_button_text: