
Allow more liberal reuse of tokens to avoid cross-frame conflicts

pdontthink hace 12 años
padre
commit
47cddde346

+ 1 - 1
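--- a/functions/mailbox_display.php
+++ b/functions/mailbox_display.php
@@ -1297,7 +1297,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
         // don't do anything to any messages until we have done security check
         // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
         sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');
-        sm_validate_security_token($submitted_token, 3600, TRUE);
+        sm_validate_security_token($submitted_token, -1, TRUE);
 
         // make sure message UIDs are sanitized (BIGINT)
         foreach ($aUid as $i => $uid)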

+ 10 - 6
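--- a/functions/strings.php
+++ b/functions/strings.php
@@ -1601,10 +1601,12 @@ function sm_generate_security_token($force_generate_new=FALSE)
   * @param string  $token           The token to validate
   * @param int     $validity_period The number of seconds tokens are valid
   *                                 for (set to zero to remove valid tokens
-  *                                 after only one use; use 3600 to allow
-  *                                 tokens to be reused for an hour)
-  *                                 (OPTIONAL; default is to only allow tokens
-  *                                 to be used once)
+  *                                 after only one use; set to -1 to allow
+  *                                 indefinite re-use (but still subject to
+  *                                 $max_token_age_days - see elsewhere);
+  *                                 use 3600 to allow tokens to be reused for
+  *                                 an hour) (OPTIONAL; default is to only
+  *                                 allow tokens to be used once)
   *                                 NOTE this is unrelated to $max_token_age_days
   *                                 or rather is an additional time constraint on
   *                                 tokens that allows them to be re-used (or not)
@@ -1649,9 +1651,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
    $timestamp = $tokens[$token];
 
    // whether valid or not, we want to remove it from
-   // user prefs if it's old enough
+   // user prefs if it's old enough (unless requested to
+   // bypass this (in which case $validity_period is -1))
    //
-   if ($timestamp < $now - $validity_period)
+   if ($validity_period >= 0
+    && $timestamp < $now - $validity_period)
    {
       unset($tokens[$token]);
       setPref($data_dir, $username, 'security_tokens', serialize($tokens));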
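Review bot: With the new guard `if ($validity_period >= 0 && $timestamp < $now - $validity_period)`, a token validated with -1 is never removed here, so it stays replayable until the separate $max_token_age_days sweep (outside this hunk) drops it; if that age is measured in days, as the name suggests, a token leaked once is now good for days instead of one hour. The docblock change records the dependency on $max_token_age_days but not this cost, so I would add `* WARNING: -1 disables per-token expiry; a captured token stays valid until $max_token_age_days elapses, so keep a bounded window for sensitive actions where the cross-frame problem does not apply.` Note also that any negative value, not only -1, takes the bypass branch; if -1 is the only intended sentinel, `$validity_period != -1 && ...` would make a mistyped negative value fail closed (expire immediately) rather than silently disable expiry. sm_validate_security_token's body continues outside the hunk.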

+ 1 - 1
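--- a/plugins/change_password/options.php
+++ b/plugins/change_password/options.php
@@ -56,7 +56,7 @@ if(sqgetGlobalVar('cpw_go', $cpw_go, SQ_POST)) {
 
     // security check
     sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /* perform basic checks */
     $Messages = cpw_check_input();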
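Review bot: The password-change handler now accepts a token for as long as $max_token_age_days allows, which is the widest window in this commit applied to its most sensitive action; the cross-frame motivation in the title concerns mailbox/compose frames and I cannot see that it applies to a single options form (assumption, please confirm). I would keep the bounded window here — `sm_validate_security_token($submitted_token, 3600, TRUE);` — or, if -1 is really needed, issue a fresh token after a successful change so the one just used cannot be replayed. Whether cpw_check_input() requires the current password is outside this hunk, so I have not relied on it as a mitigation.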

+ 1 - 1
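--- a/plugins/squirrelspell/modules/lang_change.mod
+++ b/plugins/squirrelspell/modules/lang_change.mod
@@ -17,7 +17,7 @@
  */
 
 sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
-sm_validate_security_token($submitted_token, 3600, TRUE);
+sm_validate_security_token($submitted_token, -1, TRUE);
 
 global $SQSPELL_APP_DEFAULT;
 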

+ 1 - 1
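--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -99,7 +99,7 @@ $form_url = 'addressbook.php';
 if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
 
     // first, validate security token
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /**************************************************
      * Add new address                                *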

+ 6 - 6
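--- a/src/compose.php
+++ b/src/compose.php
@@ -415,7 +415,7 @@ if ($draft) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     /*
      * Set $default_charset to correspond with the user's selection
@@ -474,7 +474,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if (isset($_FILES['attachfile']) &&
             $_FILES['attachfile']['tmp_name'] &&
@@ -601,7 +601,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
@@ -650,7 +650,7 @@ if ($send) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
@@ -666,7 +666,7 @@ elseif (isset($sigappend)) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $signature = $idents[$identity]['signature'];
 
@@ -681,7 +681,7 @@ elseif (isset($sigappend)) {
 
     // validate security token
     //
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);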

+ 1 - 1
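--- a/src/empty_trash.php
+++ b/src/empty_trash.php
@@ -32,7 +32,7 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION);
 
 // first do a security check
 sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
-sm_validate_security_token($submitted_token, 3600, TRUE);
+sm_validate_security_token($submitted_token, -1, TRUE);
 
 $imap_stream = sqimap_login($username, false, $imapServerAddress, $imapPort, 0);
 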

+ 5 - 5
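--- a/src/folders.php
+++ b/src/folders.php
@@ -43,7 +43,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'create':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_name',  $folder_name,  SQ_POST);
             sqgetGlobalVar('subfolder',    $subfolder,    SQ_POST);
@@ -61,7 +61,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             } else {
 
                 // first, validate security token
-                sm_validate_security_token($submitted_token, 3600, TRUE);
+                sm_validate_security_token($submitted_token, -1, TRUE);
 
                 sqgetGlobalVar('orig',        $orig,     SQ_POST);
                 sqgetGlobalVar('old_name',    $old_name, SQ_POST);
@@ -77,7 +77,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
             if ( sqgetGlobalVar('confirmed', $dummy, SQ_POST) ) {
 
                 // first, validate security token
-                sm_validate_security_token($submitted_token, 3600, TRUE);
+                sm_validate_security_token($submitted_token, -1, TRUE);
 
                 folders_delete_do($imapConnection, $delimiter, $folder_name);
                 $td_str =  _("Deleted folder successfully.");
@@ -88,7 +88,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'subscribe':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_names',  $folder_names,  SQ_POST);
             folders_subscribe($imapConnection, $folder_names);
@@ -97,7 +97,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
         case 'unsubscribe':
 
             // first, validate security token
-            sm_validate_security_token($submitted_token, 3600, TRUE);
+            sm_validate_security_token($submitted_token, -1, TRUE);
 
             sqgetGlobalVar('folder_names',  $folder_names,  SQ_POST);
             folders_unsubscribe($imapConnection, $folder_names);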

+ 1 - 1
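--- a/src/options.php
+++ b/src/options.php
@@ -203,7 +203,7 @@ if ( !@is_file( $optpage_file ) ) {
 // security check before saving anything...
 //FIXME: what about SMOPT_MODE_LINK??
 if ($optmode == SMOPT_MODE_SUBMIT) {
-   sm_validate_security_token($submitted_token, 3600, TRUE);
+   sm_validate_security_token($submitted_token, -1, TRUE);
 }
 
 $optpage_save_error=array();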

+ 2 - 2
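--- a/src/options_highlight.php
+++ b/src/options_highlight.php
@@ -55,7 +55,7 @@ if (isset($theid) && ($action == 'delete') ||
                      ($action == 'down')) {
 
     // security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $new_rules = array();
     switch($action) {
@@ -92,7 +92,7 @@ if (isset($theid) && ($action == 'delete') ||
 } else if ($action == 'save') {
 
     // security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     if ($color_type == 1) $newcolor = $newcolor_choose;
     elseif ($color_type == 2) $newcolor = $newcolor_input;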

+ 1 - 1
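--- a/src/options_identities.php
+++ b/src/options_identities.php
@@ -44,7 +44,7 @@ sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
 if (!empty($smaction) && is_array($smaction)) {
 
     // first do a security check
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     $doaction = '';
     $identid = 0;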

+ 1 - 1
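--- a/src/search.php
+++ b/src/search.php
@@ -1184,7 +1184,7 @@ if (!isset($submit)) {
 } else {
 
     // first validate security token
-    sm_validate_security_token($submitted_token, 3600, TRUE);
+    sm_validate_security_token($submitted_token, -1, TRUE);
 
     switch ($submit) {
       case $search_button_text: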