
Protect message deletion with security token system. (Secunia Advisory SA34627)

pdontthink 16 年 前
コミット
4c66f74f5c
2 ファイル変更5 行追加4 行削除
  1. 1 2
      functions/mailbox_display.php
  2. 4 2
      src/read_body.php

+ 1 - 2
functions/mailbox_display.php

@@ -1343,8 +1343,7 @@ function handleMessageListForm($imapConnection, &$aMailbox, $sButton='',
 
         // don't do anything to any messages until we have done security check
         // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
-        // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?)
-        sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+        sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '');
         sm_validate_security_token($submitted_token, 3600, TRUE);
 
         // make sure message UIDs are sanitized (BIGINT)
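Review bot: Reading `smtoken` only from `SQ_GET` on the new line means a token carried in the POST body of the message-list form is no longer seen, so the `sm_validate_security_token($submitted_token, 3600, TRUE)` call on the next line would presumably reject those submissions unless the form's action URL also carries the token. The removed FIXME suggested `SQ_FORM`, which accepts either source; `sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');` would cover both the new GET delete links and the existing POST form without widening the check further. Whether the message-list form already places the token in its action URL is not visible in this hunk, so this needs confirming against the form generation. A token in a GET query string can also end up in server logs and Referer headers, which is worth weighing before committing to GET-only. handleMessageListForm starts before this hunk.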

+ 4 - 2
src/read_body.php

@@ -554,7 +554,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
                        '&mailbox='.$urlMailbox.'&sort='.$sort.
                        '&startMessage='.$startMessage.'&show_more=0'.
                        "&where=$where&what=$what" .
-                       '&delete_id='.$passed_id;
+                       '&delete_id='.$passed_id .
+                       '&smtoken='.sm_generate_security_token();
             }
 
             if ($next >= 0) {
@@ -562,7 +563,8 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message,
                        '&mailbox='.$urlMailbox.'&sort='.$sort.
                        '&startMessage='.$startMessage.'&show_more=0'.
                        "&where=$where&what=$what" .
-                       '&delete_id='.$passed_id;
+                       '&delete_id='.$passed_id .
+                       '&smtoken='.sm_generate_security_token();
             }
         }
     }
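Review bot: The token is concatenated into the query string at `'&smtoken='.sm_generate_security_token()` without `urlencode()`, so if the generated token can contain characters outside the unreserved URL set the link would be corrupted or the token truncated before validation; `'&smtoken='.urlencode(sm_generate_security_token())` is the safe form, in both the previous-message branch and the next-message branch of the second hunk. Whether the token is already URL-safe cannot be seen here, so this should be checked against sm_generate_security_token. The two branches also now end in an identical multi-line query-string tail; generating the token once before the branches and sharing the tail would keep them from drifting apart. formatMenubar starts before the first hunk and its body continues around both.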