diff -u squirrelmail-1.4.15/debian/changelog squirrelmail-1.4.15/debian/changelog --- squirrelmail-1.4.15/debian/changelog +++ squirrelmail-1.4.15/debian/changelog @@ -1,3 +1,24 @@ +squirrelmail (2:1.4.15-3ubuntu0.4) intrepid-security; urgency=low + + * SECURITY UPDATE: (LP: #446838) + * Multiple cross-site request forgery (CSRF) in all + forms submissions + * edited: + src/addrbook_search_html.php,src/addressbook.php,src/compose.php + src/folders_create.php,src/folders_delete.php,src/folders.php, + src/folders_rename_do.php,src/folders_rename_getname.php, + src/folders_subscribe.php,functions/forms.php, + functions/mailbox_display.php,src/move_messages.php, + src/options_highlight.php,src/options_identities.php, + src/options_order.php,src/options.php,src/search.php, + functions/strings.php,src/vcard.php + * Fixes : CVE-2009-2964 + - http://www.squirrelmail.org/security/issue/2009-08-12 + - patches taken from upstream rev 13818 + - patches applied inline + + -- Leonel Nunez Sun, 11 Oct 2009 21:33:16 -0600 + squirrelmail (2:1.4.15-3ubuntu0.3) intrepid-security; urgency=low * SECURITY UPDATE: (LP: #396306) only in patch2: unchanged: --- squirrelmail-1.4.15.orig/functions/mailbox_display.php +++ squirrelmail-1.4.15/functions/mailbox_display.php @@ -513,6 +513,7 @@ $safe_name = preg_replace("/[^0-9A-Za-z_]/", '_', $mailbox); $form_name = "FormMsgs" . $safe_name; echo '
' ."\n" . + '' . "\n" . '' . "\n" . '' . "\n"; only in patch2: unchanged: --- squirrelmail-1.4.15.orig/functions/strings.php +++ squirrelmail-1.4.15/functions/strings.php 
@@ -878,6 +878,186 @@
 function sq_trim_value ( &$value ) {
 $value = trim($value);
 }
+/**
+ * Gathers the list of secuirty tokens currently
+ * stored in the user's preferences and optionally
+ * purges old ones from the list.
+ *
+ * @param boolean $purge_old Indicates if old tokens
+ * should be purged from the
+ * list ("old" is 30 days or
+ * older unless the administrator
+ * overrides that value using
+ * $max_security_token_age in
+ * config/config_local.php)
+ * (OPTIONAL; default is to always
+ * purge old tokens)
+ *
+ * @return array The list of tokens
+ *
+ * @since 1.4.19 and 1.5.2
+ *
+ */
+function sm_get_user_security_tokens($purge_old=TRUE)
+{
+ global $data_dir, $username, $max_token_age_days;
+
+ $tokens = getPref($data_dir, $username, 'security_tokens', '');
+ if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens))
+ $tokens = array();
+
+ // purge old tokens if necessary
+ //
+ if ($purge_old)
+ {
+ if (empty($max_token_age_days)) $max_token_age_days = 30;
+ $now = time();
+ $discard_token_date = $now - ($max_token_age_days * 86400);
+ $cleaned_tokens = array();
+ foreach ($tokens as $token => $timestamp)
+ if ($timestamp >= $discard_token_date)
+ $cleaned_tokens[$token] = $timestamp;
+ $tokens = $cleaned_tokens;
+ }
+
+ return $tokens;
+
+}
+
+/**
+ * Generates a security token that is then stored in
+ * the user's preferences with a timestamp for later
+ * verification/use.
+ *
+ * WARNING: If the administrator has turned the token system
+ * off by setting $disable_security_tokens to TRUE in
+ * config/config.php or the configuration tool, this
+ * function will not store tokens in the user
+ * preferences (but it will still generate and return
+ * a random string).
+ *
+ * @return void
+ *
+ * @since 1.4.19 and 1.5.2
+ *
+ */
+function sm_generate_security_token()
+{
+
+ global $data_dir, $username, $disable_security_tokens;
+ $max_generation_tries = 1000;
+
+ $tokens = sm_get_user_security_tokens();
+
+ $new_token = GenerateRandomString(12, '', 7);
+ $count = 0;
+ while (isset($tokens[$new_token]))
+ {
+ $new_token = GenerateRandomString(12, '', 7);
+ if (++$count > $max_generation_tries)
+ {
+ logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team"));
+ exit;
+ }
+ }
+
+ // is the token system enabled? CAREFUL!
+ //
+ if (!$disable_security_tokens)
+ {
+ $tokens[$new_token] = time();
+ setPref($data_dir, $username, 'security_tokens', serialize($tokens));
+ }
+
+ return $new_token;
+
+}
+
+/**
+ * Validates a given security token and optionally remove it
+ * from the user's preferences if it was valid. If the token
+ * is too old but otherwise valid, it will still be rejected.
+ *
+ * "Too old" is 30 days or older unless the administrator
+ * overrides that value using $max_security_token_age in
+ * config/config_local.php
+ *
+ * WARNING: If the administrator has turned the token system
+ * off by setting $disable_security_tokens to TRUE in
+ * config/config.php or the configuration tool, this
+ * function will always return TRUE.
+ *
+ * @param string $token The token to validate
+ * @param int $validity_period The number of seconds tokens are valid
+ * for (set to zero to remove valid tokens
+ * after only one use; use 3600 to allow
+ * tokens to be reused for an hour)
+ * (OPTIONAL; default is to only allow tokens
+ * to be used once)
+ * @param boolean $show_error Indicates that if the token is not
+ * valid, this function should display
+ * a generic error, log the user out
+ * and exit - this function will never
+ * return in that case.
+ * (OPTIONAL; default FALSE)
+ *
+ * @return boolean TRUE if the token validated; FALSE otherwise
+ *
+ * @since 1.4.19 and 1.5.2
+ *
+ */
+function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE)
+{
+
+ global $data_dir, $username, $max_token_age_days,
+ $disable_security_tokens;
+
+ // bypass token validation? CAREFUL!
+ //
+ if ($disable_security_tokens) return TRUE;
+
+ // don't purge old tokens here because we already
+ // do it when generating tokens
+ //
+ $tokens = sm_get_user_security_tokens(FALSE);
+
+ // token not found?
+ //
+ if (empty($tokens[$token]))
+ {
+ if (!$show_error) return FALSE;
+ logout_error(_("This page request could not be verified and appears to have expired."));
+ exit;
+ }
+
+ $now = time();
+ $timestamp = $tokens[$token];
+
+ // whether valid or not, we want to remove it from
+ // user prefs if it's old enough
+ //
+ if ($timestamp < $now - $validity_period)
+ {
+ unset($tokens[$token]);
+ setPref($data_dir, $username, 'security_tokens', serialize($tokens));
+ }
+
+ // reject tokens that are too old
+ //
+ if (empty($max_token_age_days)) $max_token_age_days = 30;
+ $old_token_date = $now - ($max_token_age_days * 86400);
+ if ($timestamp < $old_token_date)
+ {
+ if (!$show_error) return FALSE;
+ logout_error(_("The current page request appears to have originated from an untrusted source."));
+ exit;
+ }
+
+ // token OK!
+ //
+ return TRUE;
+
+}
 $PHP_SELF = php_self();
only in patch2: unchanged:
--- squirrelmail-1.4.15.orig/functions/forms.php
+++ squirrelmail-1.4.15/functions/forms.php
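Review bot: The docblocks of sm_get_user_security_tokens and sm_validate_security_token tell administrators to override the token lifetime with `$max_security_token_age` in config_local.php, but both functions read `global $max_token_age_days`, so an admin who follows the documentation changes nothing; either rename the global or fix the comment to `$max_token_age_days`. sm_generate_security_token is tagged `@return void` but ends with `return $new_token;`, so that tag should read `@return string The newly generated token`. Because tokens are kept in the user's preference store rather than the session, a token minted in one login is still accepted for up to $max_token_age_days days in later sessions, which looks intentional but deserves a sentence in the docblock. sm_generate_security_token also does an unlocked read-modify-write of the whole `security_tokens` preference via getPref/setPref, so if two pages for the same user render forms concurrently (frames, several tabs) the second setPref can drop the first token and that form will then fail validation and log the user out — worth confirming that setPref serialises concurrent writers, and noting the assumption in a comment if it does.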
@@ -130,8 +130,24 @@ /** * Make a start-tag. + * + * @param string $action + * @param string $method + * @param string $name + * @param string $enctype + * @param string $charset + * @param string $extra Any other attributes can be added with this parameter; + * they should use double quotes around attribute values + * (OPTIONAL; default empty) + * @param mixed $add_token When given as a string or as boolean TRUE, a hidden + * input is also added to the form containing a security + * token. When given as TRUE, the input name is "smtoken"; + * otherwise the name is the string that is given for this + * parameter. When FALSE, no hidden token input field is + * added. (OPTIONAL; default not used) + * */ -function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '') +function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '', $extra = '', $add_token = FALSE) { if($name) { $name = ' name="'.$name.'"'; @@ -143,7 +159,15 @@ $charset = ' accept-charset="'.htmlspecialchars($charset).'"'; } - return '\n"; + $form_string = '\n"; + + if($add_token) { + $form_string .= '\n"; + } + + return $form_string; } only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/vcard.php +++ squirrelmail-1.4.15/src/vcard.php @@ -155,6 +155,7 @@ '' . '' . '' . + '' . '' . '' . '
' . _("Nickname") . ':' . @@ -236,4 +237,4 @@
- \ No newline at end of file + only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/search.php +++ squirrelmail-1.4.15/src/search.php @@ -28,6 +28,7 @@ require_once(SM_PATH . 'functions/imap_search.php'); require_once(SM_PATH . 'functions/imap_mailbox.php'); require_once(SM_PATH . 'functions/strings.php'); +require_once(SM_PATH . 'functions/forms.php'); global $allow_thread_sort; @@ -67,6 +68,9 @@ } else { unset($count); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; +} /* end of get globals */ /* here are some functions, could go in imap_search.php @@ -240,7 +244,8 @@ $form_name = "FormMsgs" . $safe_name; echo '' ."\n" . '' . "\n" . - '' . "\n"; + '' . "\n" . + addHidden('smtoken', sm_generate_security_token()) . "\n"; echo ''; echo '
'; @@ -301,6 +306,12 @@ $submit = _("Search"); } +// need to verify security token if user wants to do anything +if (!empty($submit)) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + + if ($submit == _("Search") && !empty($what)) { if ($recent_count > 0) { update_recent($what, $where, $mailbox, $username, $data_dir); @@ -449,6 +460,7 @@ /* Search Form */ echo html_tag( 'div', '' . _("Current Search") . '', 'left' ) . "\n" . '' + . addHidden('smtoken', sm_generate_security_token()) . html_tag( 'table', '', '', '', 'width="95%" cellpadding="0" cellspacing="0" border="0"' ) . html_tag( 'tr' ) . html_tag( 'td', '', 'left' ) only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/addrbook_search_html.php +++ squirrelmail-1.4.15/src/addrbook_search_html.php @@ -83,7 +83,7 @@ if (sizeof($res) <= 0) return; - echo addForm($PHP_SELF, 'POST', 'addrbook'). + echo addForm($PHP_SELF, 'POST', 'addrbook', '', '', '', TRUE). addHidden('html_addr_search_done', 'true'); addr_insert_hidden(); $line = 0; @@ -308,7 +308,7 @@ if ($addrquery == '' || sizeof($res) == 0) { /* printf('
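Review bot: `sm_validate_security_token($submitted_token, 3600, TRUE)` accepts a token that this file reads with `sqgetGlobalVar('smtoken', $submitted_token, SQ_GET)` in the earlier hunk, so the search form evidently submits by GET and the token travels in the query string; with the one-hour reuse window, a search URL copied from browser history, a Referer header or a shared link is replayable for an hour. If the form cannot be switched to POST, consider passing `0` as the validity period here so a leaked search URL is single-use, and add a comment such as `// token arrives via GET for search; keep it single-use since it can leak through Referer/history`. The enclosing get-globals block and the code that builds `$submit` start before these hunks.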
'."\n", $PHP_SELF); */ echo '
'. - addForm('compose.php','POST','k'); + addForm('compose.php','POST','k', '', '', '', TRUE); addr_insert_hidden(); echo '' . "\n" . '
'; only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/options.php +++ squirrelmail-1.4.15/src/options.php @@ -143,6 +143,10 @@ sqgetGlobalVar('optpage', $optpage); sqgetGlobalVar('optmode', $optmode, SQ_FORM); sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + /* end of getting globals */ /* Make sure we have an Option Page set. Default to main. */ @@ -226,6 +230,12 @@ /*** Next, process anything that needs to be processed. ***/ /***********************************************************/ +// security check before saving anything... +//FIXME: what about SMOPT_MODE_LINK?? +if ($optmode == SMOPT_MODE_SUBMIT) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + // set empty error message $optpage_save_error=array(); @@ -424,7 +434,7 @@ /* If we are not looking at the main option page, display the page here. */ /*************************************************************************/ } else { - echo addForm('options.php', 'POST', 'f') + echo addForm('options.php', 'POST', 'f', '', '', '', TRUE) . create_optpage_element($optpage) . create_optmode_element(SMOPT_MODE_SUBMIT) . html_tag( 'table', '', '', '', 'width="100%" cellpadding="2" cellspacing="0" border="0"' ) . "\n" only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders.php +++ squirrelmail-1.4.15/src/folders.php @@ -103,7 +103,7 @@ ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[0] ) . - addForm('folders_create.php', 'POST', 'cf'). + addForm('folders_create.php', 'POST', 'cf', '', '', '', TRUE). addInput('folder_name', '', 25). "
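Review bot: The new `//FIXME: what about SMOPT_MODE_LINK??` ships unresolved: the token is validated only when `$optmode == SMOPT_MODE_SUBMIT`, so any option page whose save path runs in SMOPT_MODE_LINK mode (handled outside this hunk) stays reachable without a token. If no link-mode page writes preferences, replace the FIXME with a statement of that fact, e.g. `// SMOPT_MODE_LINK pages only render; nothing is saved in that mode, so no token is required`; otherwise extend the condition to cover it. It is also worth noting in the same comment that `optmode` is read with SQ_FORM while `smtoken` is read with SQ_POST, so a GET request carrying optmode=submit is rejected by the empty token rather than bypassing the check.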
\n". _("as a subfolder of"). '
'. "\n"; for ($i = 0; $i < count($boxes); $i++) { $use_folder = true; @@ -273,7 +273,7 @@ } if (count($box) > 0) { - echo addForm('folders_subscribe.php?method=sub') + echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE) . '' . '\n" only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/move_messages.php +++ squirrelmail-1.4.15/src/move_messages.php @@ -138,7 +138,14 @@ sqgetGlobalVar('attache', $attache, SQ_POST); sqgetGlobalVar('location', $location, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + /* end of get globals */ +// security check +sm_validate_security_token($submitted_token, 3600, TRUE); + $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $mbx_response=sqimap_mailbox_select($imapConnection, $mailbox); only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/options_highlight.php +++ squirrelmail-1.4.15/src/options_highlight.php @@ -39,6 +39,9 @@ sqGetGlobalVar('color_type', $color_type); sqGetGlobalVar('match_type', $match_type); sqGetGlobalVar('value', $value); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ @@ -59,6 +62,10 @@ if (isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down')) { + + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $new_rules = array(); switch($action) { case('delete'): @@ -92,6 +99,8 @@ header( 'Location: options_highlight.php' ); exit; } else if ($action == 'save') { + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); if ($color_type == 1) $newcolor = $newcolor_choose; elseif ($color_type == 2) $newcolor = $newcolor_input; 
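Review bot: In options_highlight.php the token is read only from SQ_POST, while `action` and `theid` come from sqGetGlobalVar with no source restriction (context lines above the hunk), so the delete/up/down branch now effectively requires a POST; if those actions are still driven by GET links elsewhere in this file (not visible here), every click will now log the user out with the "expired" error. Confirm that this patch also converts those links into token-bearing POST forms, or read `smtoken` with the same source as `action`. The `if` that the first check sits in is a pre-existing context line, but a short comment such as `// delete/up/down mutate saved rules, so they must carry a POST token` would make the intent of the placement clear.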
@@ -364,7 +373,7 @@ else if ($selected_choose == '') $selected_input = TRUE; - echo addForm('options_highlight.php', 'POST', 'f'). + echo addForm('options_highlight.php', 'POST', 'f', '', '', '', TRUE). addHidden('action', 'save'); if($action == 'edit') { echo addHidden('theid', (isset($theid)?$theid:'')); @@ -468,4 +477,4 @@ } do_hook('options_highlight_bottom'); ?> -
\ No newline at end of file +
only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/compose.php +++ squirrelmail-1.4.15/src/compose.php @@ -67,6 +67,9 @@ $SQ_GLOBAL = SQ_FORM; } sqgetGlobalVar('smaction',$action, $SQ_GLOBAL); +if (!sqgetGlobalVar('smtoken',$submitted_token, $SQ_GLOBAL)) { + $submitted_token = ''; +} sqgetGlobalVar('session',$session, $SQ_GLOBAL); sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); if ( !sqgetGlobalVar('identity',$identity, $SQ_GLOBAL) ) { @@ -377,6 +380,11 @@ } if ($draft) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + /* * Set $default_charset to correspond with the user's selection * of language interface. @@ -428,6 +436,12 @@ } if ($send) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + + if (isset($_FILES['attachfile']) && $_FILES['attachfile']['tmp_name'] && $_FILES['attachfile']['tmp_name'] != 'none') { @@ -513,6 +527,11 @@ /* sqimap_logout($imapConnection); */ } } elseif (isset($html_addr_search_done)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } @@ -557,6 +576,11 @@ */ include_once('./addrbook_search_html.php'); } elseif (isset($attach)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (saveAttachedFiles($session)) { plain_error_message(_("Could not move/copy file. File not attached"), $color); } @@ -568,6 +592,11 @@ showInputForm($session); } elseif (isset($sigappend)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + $signature = $idents[$identity]['signature']; $body .= "\n\n".($prefix_sig==true? "-- \n":'').$signature; 
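Review bot: `smtoken` is fetched through `$SQ_GLOBAL`, which the context line just above sets to SQ_FORM in at least one branch, so on that path the token can be supplied by GET; the `if` that selects `$SQ_GLOBAL` starts before the hunk, so confirm that the GET path is only taken for display actions and that the validated draft/send/attach/sigappend/do_delete branches are reachable only through the POSTed compose form. If that holds, a comment next to the read — `// smtoken may arrive via GET only for non-mutating actions; every mutating branch below validates it` — records the assumption for the next maintainer.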
@@ -578,6 +607,11 @@ } showInputForm($session); } elseif (isset($do_delete)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } else { @@ -1029,6 +1063,7 @@ echo ">\n"; + echo addHidden('smtoken', sm_generate_security_token()); echo addHidden('startMessage', $startMessage); if ($action == 'draft') { only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders_rename_getname.php +++ squirrelmail-1.4.15/src/folders_rename_getname.php @@ -82,7 +82,7 @@ ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . - addForm('folders_rename_do.php'). + addForm('folders_rename_do.php', 'post', '', '', '', '', TRUE). _("New name:"). '
'. $parent . ''. addInput('new_name', $old_name, 25) . '
' . "\n"; only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders_create.php +++ squirrelmail-1.4.15/src/folders_create.php @@ -37,8 +37,14 @@ if (! sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST)) { unset($contain_subs); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $folder_name = trim($folder_name); if (substr_count($folder_name, '"') || substr_count($folder_name, "\\") || only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/addressbook.php +++ squirrelmail-1.4.15/src/addressbook.php @@ -31,6 +31,9 @@ require_once(SM_PATH . 'functions/forms.php'); /** lets get the global vars we may need */ +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} sqgetGlobalVar('key', $key, SQ_COOKIE); sqgetGlobalVar('username', $username, SQ_SESSION); @@ -176,6 +179,9 @@ /* Handle user's actions */ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') { + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + /************************************************** * Add new address * **************************************************/ @@ -306,7 +312,7 @@ $olddata = $abook->lookup($enick, $ebackend); /* Display the "new address" form */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', @@ -338,7 +344,7 @@ 'center', '', 'width="100%"' ); /* Display the "new address" form again */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', 
@@ -419,7 +425,7 @@ /* List addresses */ if (count($alist) > 0) { - echo addForm($form_url, 'post', 'address_book_form'); + echo addForm($form_url, 'post', 'address_book_form', '', '', '', TRUE); if ($abook->add_extra_field) { $abook_fields = 6; } else { @@ -566,7 +572,7 @@ /* Display the "new address" form */ echo '' . "\n" . - addForm($form_url, 'post', 'f_add'). + addForm($form_url, 'post', 'f_add', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', "\n". '' . sprintf(_("Add to %s"), $abook->localbackendname) . '' . "\n", only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders_delete.php +++ squirrelmail-1.4.15/src/folders_delete.php @@ -41,6 +41,9 @@ sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ if ($mailbox == '') { @@ -76,7 +79,7 @@ html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . sprintf(_("Are you sure you want to delete %s?"), str_replace(array(' ','<','>'),array(' ','<','>'),imap_utf7_decode_local($mailbox_unformatted_disp))). - addForm('folders_delete.php', 'post')."

\n". + addForm('folders_delete.php', 'post', '', '', '', '', TRUE)."

\n". addHidden('mailbox', $mailbox). addSubmit(_("Yes"), 'confirmed'). addSubmit(_("No"), 'backingout'). @@ -85,6 +88,9 @@ exit; } +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $boxes = sqimap_mailbox_list ($imap_stream); only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders_subscribe.php +++ squirrelmail-1.4.15/src/folders_subscribe.php @@ -33,8 +33,14 @@ sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('method', $method, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $location = get_location(); if (!isset($mailbox) || !isset($mailbox[0]) || $mailbox[0] == '') { only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/folders_rename_do.php +++ squirrelmail-1.4.15/src/folders_rename_do.php @@ -35,7 +35,12 @@ sqgetGlobalVar('orig', $orig, SQ_POST); sqgetGlobalVar('old_name', $old_name, SQ_POST); sqgetGlobalVar('new_name', $new_name, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); $new_name = trim($new_name); only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/options_identities.php +++ squirrelmail-1.4.15/src/options_identities.php @@ -27,6 +27,7 @@ include_once(SM_PATH . 'functions/global.php'); include_once(SM_PATH . 'functions/display_messages.php'); include_once(SM_PATH . 'functions/html.php'); +include_once(SM_PATH . 'functions/forms.php'); include_once(SM_PATH . 'functions/identity.php'); /* make sure that page is not available when $edit_identity is false */ 
@@ -42,9 +43,16 @@ sqgetGlobalVar('smaction', $smaction, SQ_POST); sqgetGlobalVar('return', $return, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + // First lets see if there are any actions to perform // if (!empty($smaction) && is_array($smaction)) { + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $doaction = ''; $identid = 0; @@ -72,9 +80,10 @@ do_hook('options_identities_top'); -$td_str = ''; -$td_str .= '


' . "\n"; -$td_str .= '' . "\n"; +$td_str = '
' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n" + . '
' . "\n"; + $cnt = count($identities); foreach( $identities as $iKey=>$ident ) { only in patch2: unchanged: --- squirrelmail-1.4.15.orig/src/options_order.php +++ squirrelmail-1.4.15/src/options_order.php @@ -28,6 +28,7 @@ require_once(SM_PATH . 'functions/imap.php'); require_once(SM_PATH . 'functions/plugin.php'); require_once(SM_PATH . 'functions/html.php'); +require_once(SM_PATH . 'functions/forms.php'); /* get globals */ sqgetGlobalVar('num', $num, SQ_GET); @@ -35,6 +36,10 @@ sqgetGlobalVar('submit', $submit); sqgetGlobalVar('method', $method); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + /* end of get globals */ displayPageHeader($color, 'None'); @@ -83,6 +88,10 @@ include_once(SM_PATH . 'include/load_prefs.php'); } } else if ($method == 'add' && $add) { + + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + /* User should not be able to insert PHP-code here */ $add = str_replace ('', '..', $add); @@ -128,8 +137,9 @@ } if (count($index_order) != count($available)) { - echo ''; - echo '' . "\n"; for ($i=1; $i <= count($available); $i++) { $found = false; for ($j=1; $j <= count($index_order); $j++) { @@ -155,4 +165,4 @@
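Review bot: In options_order.php the token check is added only to the `$method == 'add' && $add` branch; the `if`/`else if` chain it belongs to starts before this hunk, and the branches above it (the one ending in `include_once(SM_PATH . 'include/load_prefs.php')` is visible as context) get no sm_validate_security_token call, so any of them that writes the column-order preference remains unprotected against CSRF. Since `method` is read with no source restriction and the later hunk emits the token only into the add form, those branches are presumably driven by plain links and would need the token embedded in their URLs with a matching SQ_GET read, or conversion to POST forms. At minimum a comment on the first branch should say whether it was deliberately left without a token.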
- \ No newline at end of file +