Protect message deletion with security token system. (Secunia Advisory SA34627)
authorpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 17 Aug 2009 23:18:47 +0000 (23:18 +0000)
committerpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 17 Aug 2009 23:18:47 +0000 (23:18 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13826 7612ce4b-ef26-0410-bec9-ea0150e637f0

functions/mailbox_display.php
src/read_body.php

index 3b917b7..66cd62f 100644 (file)
@@ -1343,8 +1343,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
 
         // don't do anything to any messages until we have done security check
         // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
-        // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?)
-        sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+        sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
         sm_validate_security_token($submitted_token, 3600, TRUE);
 
         // make sure message UIDs are sanitized (BIGINT)
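Review bot: The replaced line reads `smtoken` from SQ_GET only, so a token sent in a POST body is no longer seen here; unless the form's action URL carries `smtoken` in its query string (not visible in this hunk), the bulk-action form that handleMessageListForm serves is left without a token and will fail the sm_validate_security_token check on the next line. The removed FIXME already names the alternative: `sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');` would accept the token from either source, which covers both the new GET delete links and existing POST submissions. Reading the token from the query string also means it will appear in Referer headers and server logs for the lifetime passed to the validator (3600 seconds here), which is worth recording in the comment above the call, e.g. `// token is also accepted via GET for the read_body delete links; GET tokens can leak via Referer/logs`. handleMessageListForm starts and ends outside this hunk.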
index 11129f8..ab3f704 100644 (file)
@@ -554,7 +554,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
                        '&amp;mailbox='.$urlMailbox.'&amp;sort='.$sort.
                        '&amp;startMessage='.$startMessage.'&amp;show_more=0'.
                        "&amp;where=$where&amp;what=$what" .
-                       '&amp;delete_id='.$passed_id;
+                       '&amp;delete_id='.$passed_id .
+                       '&amp;smtoken='.sm_generate_security_token();
             }
 
             if ($next >= 0) {
@@ -562,7 +563,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
                        '&amp;mailbox='.$urlMailbox.'&amp;sort='.$sort.
                        '&amp;startMessage='.$startMessage.'&amp;show_more=0'.
                        "&amp;where=$where&amp;what=$what" .
-                       '&amp;delete_id='.$passed_id;
+                       '&amp;delete_id='.$passed_id .
+                       '&amp;smtoken='.sm_generate_security_token();
             }
         }
     }
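Review bot: Both added lines interpolate the result of sm_generate_security_token() into a URL without urlencode(), so the link is only safe if the token's character set is guaranteed URL-safe; the function's output format is not visible here, so `'&amp;smtoken='.urlencode(sm_generate_security_token());` would be the defensive form, applied in this hunk and the identical one at the previous/next branch just above it. The two branches also each call sm_generate_security_token() separately, and whether that creates two live tokens per page view (and how the store is bounded) depends on the implementation outside this file; computing the token once before the `if` blocks into a local and reusing it would avoid the question. Placing the token in a GET link means it is exposed in Referer headers when the user follows an external link from the message view, which is worth a one-line comment next to the concatenation. formatMenubar starts outside the hunk.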