Fix broken'Thread' and the no-javascript 'All' links (add security tokens)

[squirrelmail.git] / functions / mailbox_display.php

diff --git a/functions/mailbox_display.php b/functions/mailbox_display.php
index 3b917b741ab322a450b8f5cfe7a08ce205b6afb4..d16679a4d6373132154b04c6897a288e2b73e0cc 100644 (file)
--- a/functions/mailbox_display.php
+++ b/functions/mailbox_display.php
@@ -975,7 +975,7 @@ function showMessagesForMailbox($imapConnection, &$aMailbox,$aProps, &$iError) {
         $source_url = $php_self;
     }
 
-    $baseurl = $source_url.'?mailbox=' . urlencode($aMailbox['NAME']) .'&account='.$aMailbox['ACCOUNT'];
+    $baseurl = $source_url.'?mailbox=' . urlencode($aMailbox['NAME']) .'&account='.$aMailbox['ACCOUNT'] . (strpos($source_url, 'src/search.php') ? '&smtoken=' . sm_generate_security_token() : '');
     $where = urlencode($aMailbox['SEARCH'][$iSetIndx][0]);
     $what = urlencode($aMailbox['SEARCH'][$iSetIndx][1]);
     $baseurl .= '&where=' . $where .  '&what=' .  $what;
@@ -1343,8 +1343,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
 
         // don't do anything to any messages until we have done security check
         // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
-        // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?)
-        sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+        sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');
         sm_validate_security_token($submitted_token, 3600, TRUE);
 
         // make sure message UIDs are sanitized (BIGINT)