On 05/22/2014 09:59 AM, Reindl Harald wrote:
> I am not a Roundcube dev, but my job is development and security
> - if you don't pass the token verification, no login code is running
> - the login in the case of Roundcube implies network connections
> - the login in the case of Roundcube also affects the mail server
> the Django project thought the same as you: https://www.djangoproject.com/weblog/2013/sep/15/security/
It's worth noting that Django's mitigation of this issue *didn't* have to do with CSRF protection -- rather, they limited the size of the submitted passwords to 4KiB.
--dkg
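The point dkg makes above, as an added illustration that is not code from this thread, from Roundcube or from Django: the login path is the expensive part, because a slow password hash runs before the credential is known to be wrong, so the defence is to bound the input size before any derivation happens. The script below is a constructed example. Its `naive_pbkdf2` builds a fresh HMAC per round, so a password longer than SHA-256's 64-byte block is re-hashed on every round and the cost grows with password length (the cost model assumed here; it is not a copy of Django's hasher). `check_login` enforces a byte limit first, reusing the 4 KiB figure from the thread as a constant, and compares the derived hash in constant time. Names, salt, iteration counts and the sample password are all made up for the demo.

```python
import hashlib
import hmac
import os
import time

# Byte limit on submitted passwords; the 4 KiB figure is the one the thread
# cites for Django's fix, reused here as a constructed constant.
MAX_PASSWORD_BYTES = 4096
# Iteration count for stored credentials in this demo; real deployments tune it.
ITERATIONS = 20_000


class PasswordTooLong(ValueError):
    """Raised before any key derivation runs when the input is oversized."""


def naive_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, first output block only, written the slow way.

    Constructed for illustration: a new HMAC object is created per round, so a
    key longer than SHA-256's 64-byte block is pre-hashed again on every round.
    Work therefore scales with password length as well as with the round count.
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(32, "big")


def reference_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Same derivation via hashlib; used to cross-check naive_pbkdf2 and for storage."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def make_credential(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, hash) pair for a new account (constructed helper)."""
    salt = os.urandom(16)
    return salt, reference_pbkdf2(password.encode("utf-8"), salt, ITERATIONS)


def check_login(submitted: str, salt: bytes, stored: bytes,
                max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Length check first, then a constant-time comparison of the derived hash.

    Returns True on a match, False on a wrong password, and raises
    PasswordTooLong without doing any key derivation when the input is too big.
    """
    raw = submitted.encode("utf-8")
    if len(raw) > max_bytes:
        raise PasswordTooLong(f"password is {len(raw)} bytes, limit is {max_bytes}")
    return hmac.compare_digest(reference_pbkdf2(raw, salt, ITERATIONS), stored)


def time_derivation(password_len: int, iterations: int = 2000) -> float:
    """Seconds naive_pbkdf2 takes for a constructed password of the given length."""
    pw = b"x" * password_len
    start = time.perf_counter()
    naive_pbkdf2(pw, b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Show how the per-round re-hash makes cost track input size.
    for n in (16, 4096, 256 * 1024):
        print(f"{n:>8}-byte password: {time_derivation(n):.3f}s for 2000 rounds")

    salt, stored = make_credential("correct horse battery staple")  # sample only
    print("login ok:", check_login("correct horse battery staple", salt, stored))
    print("wrong password:", check_login("not it", salt, stored))
    try:
        check_login("A" * (MAX_PASSWORD_BYTES + 1), salt, stored)
    except PasswordTooLong as exc:
        print("rejected before hashing:", exc)
```

Run it as a script to see the timing rows grow with password length while the oversized login is refused before a single round runs. The length check sits ahead of the hash on purpose: a CSRF token would stop a cross-site form post, but a direct request with a huge password still reaches the hasher, which is why the size cap rather than the token is the mitigation for this class of problem.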