[RCD] Roundcube session management

Rosali myroundcube at mail4us.net
Thu May 22 14:55:07 CEST 2014


>>>> Not all crons run in CLI mode. You can't run in CLI mode if you want 
>>>> to give users the ability to use external
>>>> cronjob services unless you use a script which is called by the 
>>>> external service by HTTP to start a shell script.
>>> 
>>> which completly defeats the idea of CSRF
>> 
>> So, you are saying that those who are not able to run crons by calling 
>> a
>> shell script (shared hosting) should not be able to run Roundcube and
>> its plugins?
> 
> i would not do that and looking at the price of a VPS
> where you can run real cronjobs i don't see a reason
> 
>> As far as I understand CSFR it should prevent POST and AJAX-Requests 
>> from
>> not authorized sources and nothing else
> 
> * a cronjob is a serverside action
> * a serverside action must not be triggered uncrontrolled
> 
>> Why do you have concerns to run HTTP based cronjobs?
> 
> because it's likely unsecure in many situations and you open a can of 
> worms
> because it fights with server configurations and ressource limits
> because it fights with timeouts and what not
> 

Well, this is off topic here. So, let's move this discussion to another 
topic.

I don't want to have sessions started when it is not needed. I'm not 
convinced by your argumentation. Why? Because at the end of time you are 
saying that plugin developers don't know what they have to do and they 
have to be protected against their own code.

> 
> that's why possible ressource intensive and long running things
> typically are not done within the webserver process
> 

Isn't it true, that I have to know what is resource consuming when 
running code on Roundcube's startup hook? So, if your arguments are 
valid then you have to start a discussion about removal of 'startup' 
hook from Roundcube and to disallow code execution at all in not 
authenticated state. I'm curious what other plugin developers will say 
to such a consequence.

>> Of course there are IP or authorization token checks.
>> I didn't say that Devs should disable security features.
> 
> but don't start a session because a random GET parameter leads
> in two options, none of them makes sense
> 
> * your request does anyways not work because the CSFR
> * you disable also CSFR if the param is given which is not smart to
> say it polite

See my comments above in regards to Roundcube's 'startup' hook.



More information about the dev mailing list