1 Sep 2009 03:35
Re: [Regression] search results expired?
Jonathan Angliss <jon <at> squirrelmail.org>
2009-09-01 01:35:28 GMT
On Sun, 30 Aug 2009 20:44:17 -0700, Paul Lesniewski
<paul <at> squirrelmail.org> wrote:

>On Sun, Aug 30, 2009 at 4:55 PM, Jonathan Angliss<jon <at> squirrelmail.org> wrote:
>> On Sun, 30 Aug 2009 14:28:31 +0200, Ralf Hildebrandt
>> <Ralf.Hildebrandt <at> charite.de> wrote:
>>
>>>* Ralf Hildebrandt <Ralf.Hildebrandt <at> charite.de>:
>>>> Hi there!
>>>>
>>>> With 1.4.20RC1 I'm getting this error:
>>>>
>>>> * search for anything using the "Search" link (e.g. Subject contains "test")
>>>> * I'm getting several results back
>>>> * I'm choosing a mail at random, and have it displayed
>>>> * I decide it's the wrong one and go back to the list of search results by
>>>> clicking on the link labeled "Search results" which leads me to:
>>>> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
>>>> * I'm getting an error page in the right frame:
>>>> "This page request could not be verified and appears to have expired."
>>>>
>>>> Could this be related to the recent changes in rc1 which are supposed
>>>> to foil cross site scripting?
>>>
>>>I tried 1.4.19, it doesn't show that particular behaviour!
>>
>> That would be because of some new improved security. Thanks for the
>> catch.
>>
>> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>>
>> src/read_body.php is really the only change I can see you needing for
>> this issue. I did notice that the token validation only looked for
>> GET whilst it passed in a post too, so I made a little change there in
>> src/search.php as well.
>
>There are no forms using POST that point to src/search.php that I know
>of. I switched it back.

src/search.php posts to src/search.php. That being said, there is
actually no method defined, so I guess the browser falls back to GET
instead? Interesting, wonder why that was done.
--
Jonathan Angliss <jon <at> squirrelmail.org>
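
The failure discussed in this thread, as an added example that is not part of the original message and is not SquirrelMail's code: a "Search results" back-link built without the anti-CSRF token fails validation, and a lookup that reads only GET parameters misses a token that arrives by POST. All function names and the `token` parameter name are hypothetical, and the session is modelled as a plain array.

```php
<?php
// Illustration only: hypothetical helpers, not SquirrelMail's implementation.

// Issue one anti-CSRF token and remember it in the (simulated) session.
function issue_token(array &$session): string {
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Search the given parameter arrays in order (e.g. GET, then POST) for the
// token and compare it to the session copy in constant time.
function validate_token(array $session, array $sources, string $name = 'token'): bool {
    foreach ($sources as $params) {
        if (isset($params[$name]) && is_string($params[$name])) {
            return isset($session['token'])
                && hash_equals($session['token'], $params[$name]);
        }
    }
    return false; // nothing submitted: the "could not be verified" page
}

// Build the back-link to the result list; $token === null reproduces the
// regression (the link in the report carries where/what/mailbox only).
function search_results_link(string $where, string $what, string $mailbox, ?string $token): string {
    $query = ['where' => $where, 'what' => $what, 'mailbox' => $mailbox];
    if ($token !== null) {
        $query['token'] = $token;
    }
    return 'search.php?' . http_build_query($query);
}

$session = [];
$token = issue_token($session);

// 1) Link without the token is rejected, link with the token is accepted.
foreach ([null, $token] as $t) {
    $link = search_results_link('SUBJECT', 'test', 'INBOX.Sent', $t);
    parse_str((string) parse_url($link, PHP_URL_QUERY), $get); // server-side $_GET
    printf("%-8s %s\n", validate_token($session, [$get]) ? 'accepted' : 'rejected', $link);
}

// 2) An HTML form with no method attribute submits as GET, so a GET-only
//    lookup finds its token. A method="post" form needs POST checked too.
$post = ['token' => $token];                      // constructed POST body
var_dump(validate_token($session, [[]]));         // GET-only lookup: false
var_dump(validate_token($session, [[], $post]));  // GET, then POST: true
```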