search results expired?

Hi there!

With 1.4.20RC1 I'm getting this error:

* search for anything using the "Search" link (e.g. Subject contains "test")
* I'm getting several results back
* I'm choosing a mail at random, and have it displayed
* I decide it's the wrong one and go back to the list of search results by clicking on the link labeled "Search results" which leads me to: https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
* I'm getting an error page in the right frame: "This page request could not be verified and appears to have expired."

Could this be related to the recent changes in rc1 which are supposed to foil cross site scripting?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt@... | http://www.charite.de

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

[Regression] search results expired?

* Ralf Hildebrandt <Ralf.Hildebrandt@...>:
> Hi there!
>
> With 1.4.20RC1 I'm getting this error:
>
> * search for anything using the "Search" link (e.g. Subject contains "test")
> * I'm getting several results back
> * I'm choosing a mail at random, and have it displayed
> * I decide it's the wrong one and go back to the list of search results by
> clicking on the link labeled "Search results" which leads me to:
> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
> * I'm getting an error page in the right frame:
> "This page request could not be verified and appears to have expired."
>
> Could this be related to the recent changes in rc1 which are supposed
> to foil cross site scripting?

I tried 1.4.19, it doesn't show that particular behaviour!

--
Ralf Hildebrandt

Re: [Regression] search results expired?

On Sun, 30 Aug 2009 14:28:31 +0200, Ralf Hildebrandt <Ralf.Hildebrandt@...> wrote:
> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
>> Hi there!
>>
>> With 1.4.20RC1 I'm getting this error:
>>
>> * search for anything using the "Search" link (e.g. Subject contains "test")
>> * I'm getting several results back
>> * I'm choosing a mail at random, and have it displayed
>> * I decide it's the wrong one and go back to the list of search results by
>> clicking on the link labeled "Search results" which leads me to:
>> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
>> * I'm getting an error page in the right frame:
>> "This page request could not be verified and appears to have expired."
>>
>> Could this be related to the recent changes in rc1 which are supposed
>> to foil cross site scripting?
>
> I tried 1.4.19, it doesn't show that particular behaviour!

That would be because of some new improved security. Thanks for the catch.

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833

src/read_body.php is really the only change I can see you needing for this issue. I did notice that the token validation only looked for GET whilst it passed in a post too, so I made a little change there in src/search.php as well.

--
Jonathan Angliss <jon@...>

Re: [Regression] search results expired?

On Sun, Aug 30, 2009 at 4:55 PM, Jonathan Angliss <jon@...> wrote:
> On Sun, 30 Aug 2009 14:28:31 +0200, Ralf Hildebrandt
> <Ralf.Hildebrandt@...> wrote:
>
>> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
>>> Hi there!
>>>
>>> With 1.4.20RC1 I'm getting this error:
>>>
>>> * search for anything using the "Search" link (e.g. Subject contains "test")
>>> * I'm getting several results back
>>> * I'm choosing a mail at random, and have it displayed
>>> * I decide it's the wrong one and go back to the list of search results by
>>> clicking on the link labeled "Search results" which leads me to:
>>> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
>>> * I'm getting an error page in the right frame:
>>> "This page request could not be verified and appears to have expired."
>>>
>>> Could this be related to the recent changes in rc1 which are supposed
>>> to foil cross site scripting?
>>
>> I tried 1.4.19, it doesn't show that particular behaviour!
>
> That would be because of some new improved security. Thanks for the
> catch.
>
> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>
> src/read_body.php is really the only change I can see you needing for
> this issue. I did notice that the token validation only looked for
> GET whilst it passed in a post too, so I made a little change there in
> src/search.php as well.

There are no forms using POST that point to src/search.php that I know of. I switched it back.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [Regression] search results expired?

* Paul Lesniewski <paul@...>:
>> That would be because of some new improved security. Thanks for the
>> catch.
>>
>> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>>
>> src/read_body.php is really the only change I can see you needing for
>> this issue. I did notice that the token validation only looked for
>> GET whilst it passed in a post too, so I made a little change there in
>> src/search.php as well.
>
> There are no forms using POST that point to src/search.php that I know
> of. I switched it back.

Uhm, so what is the patch I need to apply?

--
Ralf Hildebrandt

Re: [Regression] search results expired?

On Mon, Aug 31, 2009 at 12:39 AM, Ralf Hildebrandt <Ralf.Hildebrandt@...> wrote:
> * Paul Lesniewski <paul@...>:
>
>>> That would be because of some new improved security. Thanks for the
>>> catch.
>>>
>>> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>>>
>>> src/read_body.php is really the only change I can see you needing for
>>> this issue. I did notice that the token validation only looked for
>>> GET whilst it passed in a post too, so I made a little change there in
>>> src/search.php as well.
>>
>> There are no forms using POST that point to src/search.php that I know
>> of. I switched it back.
>
> Uhm, so what is the patch I need to apply?

You can apply all of Jon's patch without harm, but if you want to stay in sync with what will be 1.4.20, don't apply the part of his patch against src/search.php

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [Regression] search results expired?

On Sun, 30 Aug 2009 20:44:17 -0700, Paul Lesniewski <paul@...> wrote:
> On Sun, Aug 30, 2009 at 4:55 PM, Jonathan Angliss <jon@...> wrote:
>> On Sun, 30 Aug 2009 14:28:31 +0200, Ralf Hildebrandt
>> <Ralf.Hildebrandt@...> wrote:
>>
>>> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
>>>> Hi there!
>>>>
>>>> With 1.4.20RC1 I'm getting this error:
>>>>
>>>> * search for anything using the "Search" link (e.g. Subject contains "test")
>>>> * I'm getting several results back
>>>> * I'm choosing a mail at random, and have it displayed
>>>> * I decide it's the wrong one and go back to the list of search results by
>>>> clicking on the link labeled "Search results" which leads me to:
>>>> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
>>>> * I'm getting an error page in the right frame:
>>>> "This page request could not be verified and appears to have expired."
>>>>
>>>> Could this be related to the recent changes in rc1 which are supposed
>>>> to foil cross site scripting?
>>>
>>> I tried 1.4.19, it doesn't show that particular behaviour!
>>
>> That would be because of some new improved security. Thanks for the
>> catch.
>>
>> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>>
>> src/read_body.php is really the only change I can see you needing for
>> this issue. I did notice that the token validation only looked for
>> GET whilst it passed in a post too, so I made a little change there in
>> src/search.php as well.
>
> There are no forms using POST that point to src/search.php that I know
> of. I switched it back.

src/search.php posts to src/search.php. That being said, there is actually no method defined, so I guess the browser falls back to GET instead? Interesting, wonder why that was done.

--
Jonathan Angliss <jon@...>

Re: [Regression] search results expired?

On Mon, Aug 31, 2009 at 6:35 PM, Jonathan Angliss <jon@...> wrote:
> On Sun, 30 Aug 2009 20:44:17 -0700, Paul Lesniewski
> <paul@...> wrote:
>
>> On Sun, Aug 30, 2009 at 4:55 PM, Jonathan Angliss <jon@...> wrote:
>>> On Sun, 30 Aug 2009 14:28:31 +0200, Ralf Hildebrandt
>>> <Ralf.Hildebrandt@...> wrote:
>>>
>>>> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
>>>>> Hi there!
>>>>>
>>>>> With 1.4.20RC1 I'm getting this error:
>>>>>
>>>>> * search for anything using the "Search" link (e.g. Subject contains "test")
>>>>> * I'm getting several results back
>>>>> * I'm choosing a mail at random, and have it displayed
>>>>> * I decide it's the wrong one and go back to the list of search results by
>>>>> clicking on the link labeled "Search results" which leads me to:
>>>>> https://webmail.example.com/squirrelmail/src/search.php?where=SUBJECT&what=test&mailbox=INBOX.Sent
>>>>> * I'm getting an error page in the right frame:
>>>>> "This page request could not be verified and appears to have expired."
>>>>>
>>>>> Could this be related to the recent changes in rc1 which are supposed
>>>>> to foil cross site scripting?
>>>>
>>>> I tried 1.4.19, it doesn't show that particular behaviour!
>>>
>>> That would be because of some new improved security. Thanks for the
>>> catch.
>>>
>>> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13833
>>>
>>> src/read_body.php is really the only change I can see you needing for
>>> this issue. I did notice that the token validation only looked for
>>> GET whilst it passed in a post too, so I made a little change there in
>>> src/search.php as well.
>>
>> There are no forms using POST that point to src/search.php that I know
>> of. I switched it back.
>
> src/search.php posts to src/search.php. That being said, there is
> actually no method defined, so I guess the browser falls back to GET

Yeah

> instead? Interesting, wonder why that was done.

Probably so the "back to results" kind of links can be that: links and not forms

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
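As an added example (not SquirrelMail's own code and not from any message in this thread), this PHP sketch shows the token scheme the thread is debating: a per-session token carried in a plain link's query string or in a POST body, and validated from whichever of the two the request actually used, so a method-less form that falls back to GET and a "Search results" link are checked the same way. The function names and the `smtoken` parameter are assumptions.

```php
<?php
// Added example, not SquirrelMail code. Names (csrf_token, csrf_link,
// csrf_validate, the 'smtoken' parameter) are assumptions for this sketch.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Issue one random token per session and reuse it for every link and form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Build a plain link that carries the token: the shape a "Search results"
// link emitted by read_body.php needs so that search.php can verify it.
function csrf_link(string $script, array $params): string {
    $params['smtoken'] = csrf_token();
    return htmlspecialchars($script . '?' . http_build_query($params), ENT_QUOTES, 'UTF-8');
}

// Receiving side: a <form> with no method attribute submits via GET, so the
// token may arrive in the query string even for a "posting" form. Accept it
// from either superglobal and compare in constant time.
function csrf_validate(array $get, array $post, string $expected): bool {
    $given = $post['smtoken'] ?? $get['smtoken'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed sample requests (not captured from a real server).
$token  = csrf_token();
$search = ['where' => 'SUBJECT', 'what' => 'test', 'mailbox' => 'INBOX.Sent'];

$okGet   = csrf_validate($search + ['smtoken' => $token], [], $token); // link carrying the token
$okPost  = csrf_validate([], $search + ['smtoken' => $token], $token); // genuine POST form
$expired = csrf_validate($search, [], $token);                          // link without a token

echo '<a href="' . csrf_link('search.php', $search) . '">Search results</a>', "\n";
var_dump($okGet, $okPost, $expired);
```

The third case is the 1.4.20RC1 symptom from the first message: a link that omits the token is rejected as "expired" even though the session is valid, which is why the fix belongs in the page that emits the link.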