'[SM-CVS] SF.net SVN: squirrelmail:[14272] branches/SM-1_4-STABLE/squirrelmail'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[14272] branches/SM-1_4-STABLE/squirrelmail
From:       pdontthink () users ! sourceforge ! net
Date:       2012-02-07 22:50:13
Message-ID: E1RutrZ-00018w-Q6 () sfp-svn-2 ! v30 ! ch3 ! sourceforge ! com
[Download RAW message or body]

Revision: 14272
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=14272&view=rev
Author:   pdontthink
Date:     2012-02-07 22:50:13 +0000 (Tue, 07 Feb 2012)
Log Message:
-----------
Better performance by reducing token usage to only one at a time (also added an \
option to revert to old behavior if desired)

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
    branches/SM-1_4-STABLE/squirrelmail/functions/strings.php

Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2012-02-05 02:25:24 UTC (rev \
                14271)
+++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2012-02-07 22:50:13 UTC (rev \
14272) @@ -36,6 +36,7 @@
     rendering mode" setting in the configuration tool (#3240356).
   - Added "search_index_before" hook (analog of the "mailbox_index_before"
     hook)
+  - Made performance improvements in security token handling
 
 Version 1.4.22 - 12 July 2011
 -----------------------------

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2012-02-05 02:25:24 UTC \
                (rev 14271)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2012-02-07 22:50:13 UTC \
(rev 14272) @@ -1325,6 +1325,15 @@
   * the user's preferences with a timestamp for later
   * verification/use.
   *
+  * NOTE: The administrator can force SquirrelMail to generate
+  * a new token every time one is requested (which may increase
+  * obscurity through token randomness at the cost of some
+  * performance) by adding the following to
+  * config/config_local.php:   $do_not_use_single_token = TRUE;
+  * Otherwise, only one token will be generated per user which
+  * will change only after it expires or is used outside of the
+  * validity period specified when calling sm_validate_security_token()
+  *
   * WARNING: If the administrator has turned the token system
   *          off by setting $disable_security_tokens to TRUE in
   *          config/config.php or the configuration tool, this
@@ -1332,19 +1341,27 @@
   *          preferences (but it will still generate and return
   *          a random string).
   *
+  * @param boolean $force_generate_new When TRUE, a new token will
+  *                                    always be created even if current
+  *                                    configuration dictates otherwise
+  *                                    (OPTION; default FALSE)
+  *
   * @return string A security token
   *
   * @since 1.4.19 and 1.5.2
   *
   */
-function sm_generate_security_token()
+function sm_generate_security_token($force_generate_new=FALSE)
 {
 
-   global $data_dir, $username, $disable_security_tokens;
+   global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
    $max_generation_tries = 1000;
 
    $tokens = sm_get_user_security_tokens();
 
+   if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
+      return key($tokens);
+
    $new_token = GenerateRandomString(12, '', 7);
    $count = 0;
    while (isset($tokens[$new_token]))
@@ -1390,6 +1407,10 @@
   *                                 tokens to be reused for an hour)
   *                                 (OPTIONAL; default is to only allow tokens
   *                                 to be used once)
+  *                                 NOTE this is unrelated to $max_token_age_days
+  *                                 or rather is an additional time constraint on
+  *                                 tokens that allows them to be re-used (or not)
+  *                                 within a more narrow timeframe
   * @param boolean $show_error      Indicates that if the token is not
   *                                 valid, this function should display
   *                                 a generic error, log the user out

This was sent by the SourceForge.net collaborative development platform, the world's \
largest Open Source development site.


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
-----
squirrelmail-cvs mailing list
List address: squirrelmail-cvs@lists.sourceforge.net
List info (subscribe/unsubscribe/change options): \
                https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
Repository: http://squirrelmail.org/svn


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic