[RCU] Search Via HTTP GET

Andrew Davidson andrew at amdavidson.com
Tue May 12 15:29:00 CEST 2015


On 2015-05-12 09:15, Reindl Harald wrote:
> if that would work it would deserve a bugreport and a CVE because you
> would bypass the
> http://en.wikipedia.org/wiki/Cross-site_request_forgery protection

I don't see why that would be the case. It's similar to entering 
https://www.google.com/?q=query+string into your browser's address bar.

This wouldn't require any loss of security as RC can already verify 
authentication state before processing a request. For example, if you 
request this URL before logging in, you'll get a login page rather than 
the actual mailbox: https://roundcube/?_task=mail&_mbox=Archive is 
requested the same as if you were to request 
https://roundcube/?_task=mail&_mbox=Not%20Real

It may not be possible with RC, but that's what I want to understand.


More information about the users mailing list