From e704cd71434c6119c5d32856fd8f060179eadd93 Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Tue, 8 Apr 2014 20:29:17 -0600 Subject: [PATCH] confirm email entires should be purged if not used within a certain time (1 day) --- .../Core/lib/Horde/Core/Prefs/Identity.php | 66 ++++++++++++++++--- .../SystemTask/GarbageCollection.php | 3 + 2 files changed, 61 insertions(+), 8 deletions(-) diff --git a/framework/Core/lib/Horde/Core/Prefs/Identity.php b/framework/Core/lib/Horde/Core/Prefs/Identity.php index fd85ac2abc6..72f451448e3 100644 --- a/framework/Core/lib/Horde/Core/Prefs/Identity.php +++ b/framework/Core/lib/Horde/Core/Prefs/Identity.php @@ -24,11 +24,18 @@ */ class Horde_Core_Prefs_Identity extends Horde_Prefs_Identity { + /** Identity entry containing the expiration time. */ + const EXPIRE = 'confirm_expire'; + + /** Expiration (in seconds) of a confirmation request. */ + const EXPIRE_SECS = 86400; + /** * Sends a message to an email address supposed to be added to the * identity. - * A message is send to this address containing a link to confirm that the - * address really belongs to that user. + * + * A message is send to this address containing a time-sensitive link to + * confirm that the address really belongs to that user. * * @param integer $id The identity's ID. * @param string $old_addr The old From: address. @@ -41,11 +48,11 @@ public function verifyIdentity($id, $old_addr) $hash = strval(new Horde_Support_Randomid()); - if (!($pref = @unserialize($this->_prefs->getValue('confirm_email')))) { - $pref = array(); - } + $pref = $this->_confirmEmail(); $pref[$hash] = $this->get($id); - $this->_prefs->setValue('confirm_email', serialize($pref)); + $pref[$hash][self::EXPIRE] = time() + self::EXPIRE_SECS; + + $this->_confirmEmail($pref); $new_addr = $this->getValue($this->_prefnames['from_addr'], $id); $confirm = Horde::url( 
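Review bot: In verifyIdentity, `$pref[$hash][self::EXPIRE] = time() + self::EXPIRE_SECS;` writes the expiry into the pending identity array itself, so `confirm_expire` shares a namespace with the identity's own fields and every reader has to strip it before applying the entry. The constant's docblock should state that contract, for example `/** Key added to a pending identity entry; holds its expiry as a Unix timestamp and must be removed before the entry is applied. */`. Each call also appends a fresh entry without superseding earlier pending ones, so several confirmation links may be valid at once until cleanup runs; if that is intended it deserves a one-line comment next to the assignment. The body of verifyIdentity continues outside the hunk.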
@@ -96,7 +103,7 @@ public function confirmIdentity($hash) { global $notification; - $confirm = @unserialize($this->_prefs->getValue('confirm_email')); + $confirm = $this->_confirmEmail(); if (empty($confirm) || !isset($confirm[$hash])) { $notification->push( Horde_Core_Translation::t("Email address to confirm not found."), @@ -106,6 +113,8 @@ public function confirmIdentity($hash) } $identity = $confirm[$hash]; + unset($identity[self::EXPIRE]); + $id = array_search( $identity['id'], $this->getAll($this->_prefnames['id']) @@ -126,9 +135,10 @@ public function confirmIdentity($hash) $this->setValue($key, $value, $id); } } + $this->save(); unset($confirm[$hash]); - $this->_prefs->setValue('confirm_email', serialize($confirm)); + $this->_confirmEmail($confirm); $notification->push( sprintf( @@ -139,6 +149,27 @@ public function confirmIdentity($hash) ); } + /** + * Perform garbage collection on preferences used by identities. + */ + public function prefsGc() + { + /* Clean out expired confirm_email entries. */ + $confirm = $this->_confirmEmail(); + $changed = false; + + foreach ($confirm as $key => $val) { + if (!isset($val[self::EXPIRE]) || ($val[self::EXPIRE] < time())) { + unset($confirm[$key]); + $changed = true; + } + } + + if ($changed) { + $this->_confirmEmail($confirm); + } + } + /** * Returns the from address based on the chosen identity. If no * address can be found it is built from the current user name and @@ -174,4 +205,23 @@ public function getMatchingIdentity($addresses, $search_own = true) return null; } + /** + * Manage the storage of the confirm_email preference. + * + * @param array $confirm If set, save this in the pref backend. + * + * @return array Confirm email array. + */ + protected function _confirmEmail($confirm = null) + { + if (is_null($confirm)) { + return ($pref = @unserialize($this->_prefs->getValue('confirm_email'))) + ? $pref + : array(); + } + + $this->_prefs->setValue('confirm_email', serialize($confirm)); + return $confirm; + } + } 
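Review bot: confirmIdentity never compares the stored expiry with the current time. The added `unset($identity[self::EXPIRE]);` only strips the key before the identity is applied, so a link older than EXPIRE_SECS is still accepted until prefsGc happens to run for that user. The existing not-found guard should reject stale entries the same way prefsGc does: `if (empty($confirm) || !isset($confirm[$hash][self::EXPIRE]) || ($confirm[$hash][self::EXPIRE] < time())) {`. That guard is in the preceding hunk of confirmIdentity, and the function starts and ends outside both hunks.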
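Review bot: `_confirmEmail()` returns whatever `@unserialize()` produces as long as it is truthy, so a corrupted or tampered `confirm_email` value can come back as a string or an object and then reach the `foreach` in prefsGc and the `$confirm[$hash]` lookup in confirmIdentity. Check the type before returning: `$pref = @unserialize($this->_prefs->getValue('confirm_email'));` followed by `return is_array($pref) ? $pref : array();`. Where the supported PHP version has the options argument, also pass `array('allowed_classes' => false)` so that stored preference data cannot instantiate objects. The docblock should read `@param array|null $confirm`, because null is what selects the read path.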
diff --git a/horde/lib/LoginTasks/SystemTask/GarbageCollection.php b/horde/lib/LoginTasks/SystemTask/GarbageCollection.php index e4c499ca247..f30dc1e1c2c 100644 --- a/horde/lib/LoginTasks/SystemTask/GarbageCollection.php +++ b/horde/lib/LoginTasks/SystemTask/GarbageCollection.php @@ -47,6 +47,9 @@ public function execute() /* Javascript files. */ $injector->getInstance('Horde_Core_JavascriptCache')->gc(); } + + /* GC on identity prefs. */ + $injector->getInstance('Horde_Core_Factory_Identity')->create()->prefsGc(); } }
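Review bot: The added `prefsGc()` call is the only place in this patch where expired confirmation entries are acted on, and how often this task runs is not visible in the hunk. If it runs only at login, or less often than once a day, entries outlive EXPIRE_SECS, so this call should be treated as storage cleanup and the expiry enforced where the link is confirmed. Wording the comment as `/* GC on identity prefs (cleanup only; expiry must also be checked at confirmation time). */` would make that explicit. The call sits after the preceding block's closing brace, so it appears to run on every execute(); the start of that function is outside the hunk.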