Fix broken 'Thread' and the no-javascript 'All' links (add security tokens)
[squirrelmail.git] / functions / mailbox_display.php
index 07cb1ca56fb70a434f5a63810e09e80641343d8a..d16679a4d6373132154b04c6897a288e2b73e0cc 100644 (file)
@@ -6,7 +6,7 @@
  * This contains functions that display mailbox information, such as the
  * table row that has sender, date, subject, etc...
  *
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright © 1999-2009 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -624,17 +624,19 @@ function prepareMessageList(&$aMailbox, $aProps) {
                     $aFlagColumn = array('seen' => false,
                                          'deleted'=>false,
                                          'answered'=>false,
+                                         'forwarded'=>false,
                                          'flagged' => false,
                                          'draft' => false);
 
                     if(!is_array($value)) $value = array();
                     foreach ($value as $sFlag => $v) {
                         switch ($sFlag) {
-                          case '\\seen'    : $aFlagColumn['seen']     = true; break;
-                          case '\\deleted' : $aFlagColumn['deleted']  = true; break;
-                          case '\\answered': $aFlagColumn['answered'] = true; break;
-                          case '\\flagged' : $aFlagColumn['flagged']  = true; break;
-                          case '\\draft'   : $aFlagColumn['draft']    = true; break;
+                          case '\\seen'    : $aFlagColumn['seen']      = true; break;
+                          case '\\deleted' : $aFlagColumn['deleted']   = true; break;
+                          case '\\answered': $aFlagColumn['answered']  = true; break;
+                          case '$forwarded': $aFlagColumn['forwarded'] = true; break;
+                          case '\\flagged' : $aFlagColumn['flagged']   = true; break;
+                          case '\\draft'   : $aFlagColumn['draft']     = true; break;
                           default:  break;
                         }
                     }
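Review bot: The new `case '$forwarded':` matches `$sFlag` byte-for-byte, while the other hunk that handles the same keyword (`else if (strtolower($flag) == '$forwarded' && $value)`) lowercases before comparing; IMAP keywords are case-insensitive, so a server that reports `$Forwarded` would set `is_forwarded` there but not the `forwarded` column here. If the flag keys are already normalised before this loop (not visible in the hunk) this is moot; otherwise `switch (strtolower($sFlag)) {` makes the two code paths agree. prepareMessageList starts and ends outside the hunk.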
@@ -973,7 +975,7 @@ function showMessagesForMailbox($imapConnection, &$aMailbox,$aProps, &$iError) {
         $source_url = $php_self;
     }
 
-    $baseurl = $source_url.'?mailbox=' . urlencode($aMailbox['NAME']) .'&account='.$aMailbox['ACCOUNT'];
+    $baseurl = $source_url.'?mailbox=' . urlencode($aMailbox['NAME']) .'&account='.$aMailbox['ACCOUNT'] . (strpos($source_url, 'src/search.php') ? '&smtoken=' . sm_generate_security_token() : '');
     $where = urlencode($aMailbox['SEARCH'][$iSetIndx][0]);
     $what = urlencode($aMailbox['SEARCH'][$iSetIndx][1]);
     $baseurl .= '&where=' . $where .  '&what=' .  $what;
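Review bot: `strpos($source_url, 'src/search.php')` is used as a boolean in the new `$baseurl` line, so a match at offset 0 counts as "no match" and the `smtoken` parameter would be silently omitted from the search-page links. Since `$source_url` comes from `$php_self` it probably always carries a leading path component, but the robust form is `strpos($source_url, 'src/search.php') !== false ? '&smtoken=' . sm_generate_security_token() : ''`. The long concatenation would also read better with the token fragment computed into a named variable first. showMessagesForMailbox continues outside the hunk.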
@@ -1339,6 +1341,11 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
     $aUid = (isset($msg) && is_array($msg)) ? array_values($msg) : $aUid;
     if (count($aUid) && $sButton != 'expunge') {
 
+        // don't do anything to any messages until we have done security check
+        // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
+        sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');
+        sm_validate_security_token($submitted_token, 3600, TRUE);
+
         // make sure message UIDs are sanitized (BIGINT)
         foreach ($aUid as $i => $uid)
            $aUid[$i] = (preg_match('/^[0-9]+$/', $uid) ? $uid : '0');
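Review bot: The added `sm_validate_security_token` call sits inside `if (count($aUid) && $sButton != 'expunge')`, so an expunge submission — which permanently removes messages — and any button press with an empty selection are never token-checked in this function. Unless expunge is validated on another path (not visible here), the two added lines should move above the `if` so every state-changing button is covered: `sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');` then `sm_validate_security_token($submitted_token, 3600, TRUE);` directly before `if (count($aUid) && $sButton != 'expunge') {`. The FIXME comment could then be dropped, since the top of the form handler is a natural place for the check. handleMessageListForm continues outside the hunk.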
@@ -1385,7 +1392,8 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
             if (count($aMsgHeaders)) {
                 $composesession = attachSelectedMessages($imapConnection,$aMsgHeaders);
                 // dirty hack, add info to $aMailbox
-                $aMailbox['FORWARD_SESSION'] = $composesession;
+                $aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] = $composesession;
+                $aMailbox['FORWARD_SESSION']['UIDS'] = $aUid;
             }
             break;
           default:
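Review bot: `$aMailbox['FORWARD_SESSION']` changes from a scalar compose-session number to an array keyed `SESSION_NUMBER` and `UIDS`, and nothing in the hunk records the new shape; any consumer still reading it as a scalar (not visible here) will now receive an array. Replace the `// dirty hack, add info to $aMailbox` comment with one that names the contract, e.g. `// FORWARD_SESSION => ['SESSION_NUMBER' => compose session id, 'UIDS' => the sanitized message UID list from above]`. The UIDs stored here are the ones already filtered to digits earlier in this function, which is worth stating so readers know they are safe to echo into forms.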
@@ -1419,6 +1427,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
                         $message = $aMailbox['MSG_HEADERS'][$iUid]['MESSAGE_OBJECT'];
                         $message->is_seen = false;
                         $message->is_answered = false;
+                        $message->is_forwarded = false;
                         $message->is_deleted = false;
                         $message->is_flagged = false;
                         $message->is_mdnsent = false;
@@ -1427,6 +1436,8 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
                                 $message->is_seen = true;
                             else if (strtolower($flag) == '\\answered' && $value)
                                 $message->is_answered = true;
+                            else if (strtolower($flag) == '$forwarded' && $value)
+                                $message->is_forwarded = true;
                             else if (strtolower($flag) == '\\deleted' && $value)
                                 $message->is_deleted = true;
                             else if (strtolower($flag) == '\\flagged' && $value)