X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=src%2Ffolders.php;h=92c2d2ead1282a745f1c7278625b8ee53c8fa599;hp=cb1797f6215c1e0c82f095ffccbfefdee4622652;hb=975f298f1182a9dcba556e644c76ce7b62659026;hpb=d4e46166df04792c6b939356ea5dfda8e47bba7b diff --git a/src/folders.php b/src/folders.php index cb1797f6..92c2d2ea 100644 --- a/src/folders.php +++ b/src/folders.php @@ -6,7 +6,7 @@ * scripts which do most of the work. Also handles the Special * Folders. * - * @copyright © 1999-2009 The SquirrelMail Project Team + * @copyright 1999-2017 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -30,16 +30,22 @@ displayPageHeader($color); /* get globals we may need */ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('smaction', $action, SQ_POST); +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); /* end of get globals */ -$imapConnection = sqimap_login ($username, false, $imapServerAddress, $imapPort, 0); +global $imap_stream_options; // in case not defined in config +$imapConnection = sqimap_login ($username, false, $imapServerAddress, $imapPort, 0, $imap_stream_options); /* switch to the right function based on what the user selected */ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { switch ($action) { case 'create': + + // first, validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + sqgetGlobalVar('folder_name', $folder_name, SQ_POST); sqgetGlobalVar('subfolder', $subfolder, SQ_POST); sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST); 
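Review bot: The token check is repeated verbatim in each state-changing `case` (`create` here, and the rename, delete, subscribe and unsubscribe cases in the following hunks), so an action added to this `switch` later will silently run without it; validating once before the `switch` for every action except the two display-only branches, or at least adding a `default:` that rejects unknown actions, would keep the check fail-closed. The comment `// first, validate security token` only restates the call; it should say what the `-1` and `TRUE` arguments to `sm_validate_security_token()` select, which this diff does not show. `global $imap_stream_options;` at file scope appears to rely on `global` creating the entry as null when config.php omits it, which is what the trailing comment hints at; spelling that out, e.g. `// creates the variable as null if config.php does not set it`, saves the next reader a trip to the manual. `sqgetGlobalVar('smaction', $action, SQ_POST)` is read twice (once in the globals block, again in the `if`), which predates this change but could be collapsed while the block is being touched; the `if`/`switch` opened here continues past the hunk.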
@@ -54,6 +60,10 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { sqgetGlobalVar('old_name', $old_name, SQ_POST); folders_rename_getname($imapConnection, $delimiter, $old_name); } else { + + // first, validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + sqgetGlobalVar('orig', $orig, SQ_POST); sqgetGlobalVar('old_name', $old_name, SQ_POST); folders_rename_do($imapConnection, $delimiter, $orig, $old_name, $new_name); @@ -66,6 +76,10 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { } sqgetGlobalVar('folder_name', $folder_name, SQ_POST); if ( sqgetGlobalVar('confirmed', $dummy, SQ_POST) ) { + + // first, validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + folders_delete_do($imapConnection, $delimiter, $folder_name); $td_str = _("Deleted folder successfully."); } else { @@ -73,11 +87,19 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { } break; case 'subscribe': + + // first, validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + sqgetGlobalVar('folder_names', $folder_names, SQ_POST); folders_subscribe($imapConnection, $folder_names); $td_str = _("Subscribed successfully."); break; case 'unsubscribe': + + // first, validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + sqgetGlobalVar('folder_names', $folder_names, SQ_POST); folders_unsubscribe($imapConnection, $folder_names); $td_str = _("Unsubscribed successfully."); @@ -91,7 +113,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { } if (isset($td_str)) { - $oTemplate->assign('note', htmlspecialchars($td_str)); + $oTemplate->assign('note', sm_encode_html_special_chars($td_str)); $oTemplate->display('note.tpl'); } 
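Review bot: In the delete hunk the token is validated only on the `confirmed` branch, so the confirmation page rendered by the unconfirmed `else` branch (outside the hunk) must itself emit the `smtoken` field or every confirmed deletion will now be rejected; the same applies to the rename form produced by `folders_rename_getname()` and to the subscribe/unsubscribe lists, none of whose templates appear in this diff, so confirm they were updated alongside. The subscribe and unsubscribe cases pass `$folder_names` straight from POST to `folders_subscribe()`/`folders_unsubscribe()` without a default, so an absent field leaves the variable undefined; that predates this change, but since the input path is being hardened a guard such as `sqgetGlobalVar('folder_names', $folder_names, SQ_POST, array());` would be cheap. In the last hunk `$td_str` is encoded once with `sm_encode_html_special_chars()` before being assigned to `note`; if `note.tpl` also escapes that variable the message would double-encode, which cannot be verified from this diff.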
@@ -176,8 +198,8 @@ if ($show_only_subscribed_folders && !$no_list_for_subscribe) { } if ($use_folder) { - $box_enc = htmlspecialchars($box_a['unformatted-dm']); - $box_disp = htmlspecialchars(imap_utf7_decode_local($box_a['unformatted-disp'])); + $box_enc = sm_encode_html_special_chars($box_a['unformatted-dm']); + $box_disp = sm_encode_html_special_chars(imap_utf7_decode_local($box_a['unformatted-disp'])); $subbox_option_list[] = array( 'Value' => $box_enc, 'Display' => $box_disp); } }
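Review bot: `$box_enc` is the HTML-encoded mailbox name and is stored as the option's `Value`, so the template that renders `$subbox_option_list` must emit it raw; if it applies its own escaping the attribute would be double-encoded and the posted folder name would no longer match the IMAP mailbox. A one-line comment at the assignment would guard against that regression: `// Value/Display are already HTML-encoded; the template must not escape them again`. Whether the output differs from the old `htmlspecialchars()` call depends on the charset and quote-flag defaults inside `sm_encode_html_special_chars()`, which this diff does not show. The enclosing loop and the `if ($use_folder)` block begin before the hunk.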