From 5f2c00dd9089adc62676ec4ff4dc89d37d5cae85 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Mon, 17 Aug 2009 23:18:47 +0000
Subject: [PATCH] Protect message deletion with security token system. (Secunia Advisory SA34627)

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13826 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/mailbox_display.php | 3 +--
 src/read_body.php | 6 ++++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/functions/mailbox_display.php b/functions/mailbox_display.php
index 3b917b74..66cd62fe 100644
--- a/functions/mailbox_display.php
+++ b/functions/mailbox_display.php
@@ -1343,8 +1343,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',

 // don't do anything to any messages until we have done security check
 // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
- // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?)
- sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+ sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
 sm_validate_security_token($submitted_token, 3600, TRUE);

 // make sure message UIDs are sanitized (BIGINT)
diff --git a/src/read_body.php b/src/read_body.php
index 11129f88..ab3f7040 100644
--- a/src/read_body.php
+++ b/src/read_body.php
@@ -554,7 +554,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
 '&mailbox='.$urlMailbox.'&sort='.$sort.
 '&startMessage='.$startMessage.'&show_more=0'.
 "&where=$where&what=$what" .
- '&delete_id='.$passed_id;
+ '&delete_id='.$passed_id .
+ '&smtoken='.sm_generate_security_token();
 }

 if ($next >= 0) {
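Review bot: Reading `smtoken` from SQ_GET alone drops the SQ_POST source the replaced line used, so any caller that still submits the message-list form by POST now gets the empty default and `sm_validate_security_token()` on the next line rejects it; the removed FIXME already pointed at the broader option, `sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');`, which covers both the form submission and the new GET links from read_body.php. Whether the message-list form in this file still posts its token is outside the hunk and should be confirmed before this lands. Carrying the token in a GET URL also places it in browser history, Referer headers and access logs, so the 3600-second lifetime passed on the following line is doing real work and should not be relaxed. handleMessageListForm continues past the end of the hunk.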
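Review bot: `sm_generate_security_token()` is called once for the previous-message link here and again for the next-message link in the hunk at line 562, so each render of this menubar mints two tokens for a single page; if the per-user token store is bounded, generating once before the `if` blocks (`$delete_token = sm_generate_security_token();`) and reusing it in both URLs halves that churn and keeps the two links consistent. The token is concatenated into the query string without encoding; unless the generator is documented to emit only URL-safe characters, append it as `'&smtoken='.urlencode($delete_token)`. formatMenubar starts and ends outside the hunk.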
@@ -562,7 +563,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
 '&mailbox='.$urlMailbox.'&sort='.$sort.
 '&startMessage='.$startMessage.'&show_more=0'.
 "&where=$where&what=$what" .
- '&delete_id='.$passed_id;
+ '&delete_id='.$passed_id .
+ '&smtoken='.sm_generate_security_token();
 }
 }
 }
-- 
2.25.1