[horde] Forms/Link valid for 30 min only
Paul Faure
faurep at agr.gc.ca
Fri May 2 14:32:56 UTC 2008
On Wed, 2008-04-30 at 10:52 -0400, Chuck Hagenbuch wrote:
> Quoting Paul Faure <faurep at AGR.GC.CA>:
>
> > Any reason why forms are only valid for 30 min?
> >
> > /imp/lib/IMP.php:2091
> >
> > "This request cannot completed because the link you followed or the form
> > you submitted was only valid for half an hour"
>
> To prevent cross-site request forgery.
>
> > I quite often open new mail in a new window and sometimes don't get
> > around to looking at it or deleting it for 30 min, then I get this
> > message. This didn't happen in earlier version.
> >
> > Could it be a configuration option instead of hard coded?
>
> I don't see a particular reason not to make it configurable. Patch?

Here is the diff. Is there a better way I can submit this?

diff -r horde-webmail-1.1-rc3/imp/config/conf.xml horde/imp/config/conf.xml
150a151,153
> <configinteger name="valid_form_length" desc="This is the length of time
> in seconds that a mail form will be valid for. Lower values prevent
> cross-site request forgery.">1800</configinteger>
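
Review bot: The desc text "Lower values prevent cross-site request forgery" overstates what this setting does. The per-form token is what stops a forged request; the lifetime only bounds how long an issued token stays usable. Suggest wording along the lines of "Shorter lifetimes reduce the time during which a form token remains valid", and stating in the desc that the value must be a positive number of seconds, since the check in IMP.php adds it directly to the token timestamp. The new code reads $conf['server']['valid_form_length'], so this element has to sit inside the server section; the 150a151,153 context does not show which section it lands in, so please confirm that.
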
diff -r horde-webmail-1.1-rc3/imp/lib/IMP.php horde/imp/lib/IMP.php
312a313
> global $conf;
317,318c318,319
< if ($_SESSION['horde_form_secrets'][$token] + 1800 < time()) {
< return PEAR::raiseError(_("This request cannot completed because the link you followed or the form you submitted was only valid for half an hour."));
---
> if ($_SESSION['horde_form_secrets'][$token] + $conf['server']['valid_form_length'] < time()) {
> return PEAR::raiseError(_("This request cannot completed because the link you followed or the form you submitted was only valid for ".$conf['server']['valid_form_length']." seconds."));
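
Review bot: In the changed comparison, $conf['server']['valid_form_length'] is used with no default and no range check. Where the key is not set in the active configuration it evaluates as 0, the test becomes token time < time(), and essentially every form is rejected; a configured value of zero or below does the same. Fall back to 1800 when the value is missing or not a positive integer. In the error message, concatenating the value inside _() produces a string that varies with the setting, so no translation catalog entry can match it; keep a constant format string and substitute afterwards, for example sprintf(_("... was only valid for %d seconds."), $conf['server']['valid_form_length']). The existing "cannot completed" typo could be corrected in the same change.
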
Paul