Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
which completly defeats the idea of CSRF
So, you are saying that those who are not able to run crons by calling a shell script (shared hosting) should not be able to run Roundcube and its plugins? As far as I understand CSFR it should prevent POST and AJAX-Requests from not authorized sources and nothing else. Why do you have concerns to run HTTP based cronjobs? Of course there are IP or authorization token checks. I didn't say that Devs should disable security features.
Am 22.05.2014 12:41, schrieb Rosali:
Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
which completly defeats the idea of CSRF
So, you are saying that those who are not able to run crons by calling a shell script (shared hosting) should not be able to run Roundcube and its plugins?
i would not do that and looking at the price of a VPS where you can run real cronjobs i don't see a reason
As far as I understand CSFR it should prevent POST and AJAX-Requests from not authorized sources and nothing else
Why do you have concerns to run HTTP based cronjobs?
because it's likely unsecure in many situations and you open a can of worms because it fights with server configurations and ressource limits because it fights with timeouts and what not
that's why possible ressource intensive and long running things typically are not done within the webserver process
Of course there are IP or authorization token checks. I didn't say that Devs should disable security features.
but don't start a session because a random GET parameter leads in two options, none of them makes sense