[RCU] Search Via HTTP GET
andrew at amdavidson.com
Tue May 12 15:29:00 CEST 2015
On 2015-05-12 09:15, Reindl Harald wrote:
> if that would work it would deserve a bug report and a CVE because you
> would bypass the
> http://en.wikipedia.org/wiki/Cross-site_request_forgery protection
I don't see why that would be the case. It's similar to entering
https://www.google.com/?q=query+string into your browser's address bar.
This wouldn't require any loss of security as RC can already verify
authentication state before processing a request. For example, if you
request this URL before logging in, you'll get a login page rather than
the actual mailbox: https://roundcube/?_task=mail&_mbox=Archive is
requested the same as if you were to request
It may not be possible with RC, but that's what I want to understand.
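To make the distinction the reply leans on concrete, here is an added example that is not code from this thread or from Roundcube itself. It models a request pipeline in which the session is verified for every request first, and a CSRF token is then demanded only for requests that change state, so a read-only search reached through a GET URL behaves like the address-bar query in the reply while a state-changing action without a token is refused. The session store, the handler and helper names, and every parameter other than `_task` and `_mbox` (which come from the thread) are assumptions made for the illustration.

```python
"""
Illustrative request pipeline (hypothetical; not Roundcube's code).

Two independent checks are shown:
  1. authentication: is there a valid session cookie? (every request)
  2. CSRF token:     required only when the request changes state.
A token-less GET for a read-only view therefore does not bypass CSRF
protection, because nothing on the server is modified by it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import hmac


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


# Constructed session store: cookie value -> (user, per-session CSRF token)
SESSIONS = {"sid-alice": ("alice", "tok-alice-123")}

# Constructed list of (task, action) pairs that modify server state; the
# action and parameter names are assumptions, not Roundcube's real ones.
STATE_CHANGING = {("mail", "delete"), ("mail", "move"), ("settings", "save")}


def authenticate(req: Request) -> Optional[Tuple[str, str]]:
    """Return (user, csrf_token) for a valid session, else None."""
    return SESSIONS.get(req.cookies.get("sid", ""))


def requires_token(req: Request) -> bool:
    """Anything other than a read-only GET must carry the CSRF token."""
    task = req.query.get("_task", "mail")
    action = req.query.get("_action", "")
    return req.method != "GET" or (task, action) in STATE_CHANGING


def handle_request(req: Request) -> Tuple[int, str]:
    sess = authenticate(req)
    if sess is None:
        # Unauthenticated: the caller sees the login page, never mailbox data.
        return 302, "redirect:/?_task=login"
    user, token = sess

    if requires_token(req):
        supplied = req.form.get("_token") or req.query.get("_token", "")
        # Constant-time comparison of the submitted token with the session's.
        if not hmac.compare_digest(supplied, token):
            return 403, "csrf token missing or invalid"

    task = req.query.get("_task", "mail")
    action = req.query.get("_action", "")
    mbox = req.query.get("_mbox", "INBOX")
    if task == "mail" and action == "search":
        # Read-only: reachable from a plain GET URL, like the reply's example.
        return 200, f"search results for {user} in {mbox}: {req.query.get('_q', '')!r}"
    if task == "mail" and action == "":
        return 200, f"mailbox {mbox} for {user}"
    return 200, f"{task}/{action} done for {user}"


if __name__ == "__main__":
    print(handle_request(Request("GET", "/", {"_task": "mail", "_mbox": "Archive"})))
    print(handle_request(Request("GET", "/", {"_task": "mail", "_action": "search",
                                              "_q": "invoice"}, {"sid": "sid-alice"})))
    print(handle_request(Request("GET", "/", {"_task": "mail", "_action": "delete"},
                                 {"sid": "sid-alice"})))
```

The caveat a practitioner would add is that the GET-without-token path is only safe while the search really is side-effect free; the moment a "search" URL can also move, flag or delete messages it belongs in the state-changing set and needs the token.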