

3 messages in net.sourceforge.lists.courier-sqwebmail: [sqwebmail] Checking SENDITSH in multiple front-ends environment

| From | Sent On | Attachments |
|---|---|---|
| Pawel Tecza | Sep 3, 2007 6:18 am | |
| Sam Varshavchik | Sep 3, 2007 9:11 am | |
| Pawel Tecza | Sep 3, 2007 10:53 am | |

| Subject: | [sqwebmail] Checking SENDITSH in multiple front-ends environment |
|---|---|
| From: | Pawel Tecza (pte...@uw.edu.pl) |
| Date: | Sep 3, 2007 6:18:56 am |
| List: | net.sourceforge.lists.courier-sqwebmail |
Hi Sam,
We have a mail system with a few front-ends (SMTP/POP3/IMAP/webmail) and all of them work as virtual environments (OpenVZ). The DNS server does a load balancing.
Recently we noticed problems with redirecting some URLs in the webmail. We found that they're caused by the following piece of code:
webmail/folder.c:
```c
#include <string.h>
#include <sys/stat.h>
/* NUMBUFSIZE, SENDITSH, libmail_str_ino_t() and md5_hash_courier() come
   from the courier headers folder.c already includes. */

const char *redirect_hash(const char *timestamp)
{
	struct stat stat_buf;
	char buffer[NUMBUFSIZE*2+10];

	/* The value mixed into the hash is the inode of the _local_ SENDITSH
	   file, so each front-end computes a different hash for the same
	   timestamp. */
	if (strlen(timestamp) >= NUMBUFSIZE || stat(SENDITSH, &stat_buf) < 0)
		return "";

	strcat(strcpy(buffer, timestamp), " ");
	libmail_str_ino_t(stat_buf.st_ino, buffer+strlen(buffer));

	return md5_hash_courier(buffer);
}
```
As you can see above, you check the stats of the _local_ SENDITSH file. I can understand that it's a simple protection against a malicious attack. I agree that it can work, but only assuming that a webmail always runs on only _one_ machine.
In our environment that's not true, and sometimes a redirect hash is not verified properly, because the DNS server directs a user to another front-end.
Could you please fix it? I think you could add a variable to the webmail configuration file instead of checking the stats of the SENDITSH file. What's your opinion?
BTW, I'm also sending you a patch against the hardcoded TIMEOUTHARD define. You should handle it exactly the same as the TIMEOUTSOFT define, because a webmail admin can also set it via a CGI variable in a web server like Apache.
My best regards,
Pawel
Index: webmail/sqwebmail.c =================================================================== RCS file: /cvsroot/courier/courier/webmail/sqwebmail.c,v retrieving revision 1.142 diff -u -r1.142 sqwebmail.c --- webmail/sqwebmail.c 5 Mar 2007 04:43:24 -0000 1.142 +++ webmail/sqwebmail.c 3 Sep 2007 13:02:42 -0000 @@ -177,6 +177,19 @@ return n; }
+size_t get_timeouthard() +{ + time_t n=TIMEOUTHARD; + const char *p; + + p=getenv("SQWEBMAIL_TIMEOUTHARD"); + + if (p && *p) + n=atoi(p); + + return n; +} + void fake_exit(int n) { maildir_cache_cancel(); @@ -2119,7 +2132,7 @@ timestamp_t=(time_t)timestamp_n; time(&now);
- if (now < timestamp_t || now > timestamp_t + TIMEOUTHARD) + if (now < timestamp_t || now > timestamp_t + get_timeouthard()) return 0;
p=redirect_hash(timestamp); @@ -2189,7 +2202,7 @@ char *pi; char *pi_malloced; int reset_cookie=0; -time_t timeouthard=TIMEOUTHARD; +time_t timeouthard=get_timeouthard();
#ifdef GZIP @@ -2217,10 +2230,7 @@ umask(0077);
{ - const char *p=getenv("SQWEBMAIL_TIMEOUTHARD"); - - if (p && *p) - timeouthard=atoi(p); + timeouthard=get_timeouthard(); }
if (maildir_cache_init(timeouthard, CACHEDIR, CACHEOWNER, authvars))
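Review bot: get_timeouthard() in the first hunk is declared as returning size_t while its local n is a time_t and every caller stores the result in a time_t; declare it `static time_t get_timeouthard(void)` so the type matches, the symbol stays file-local and the empty parameter list becomes a proper prototype. atoi() also turns a non-numeric or negative SQWEBMAIL_TIMEOUTHARD silently into 0 or a negative window, which makes the `now > timestamp_t + ...` check in the second hunk reject every redirect; parsing with strtol(), checking the range and falling back to TIMEOUTHARD on bad input would be safer.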
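Review bot: in the second hunk `timestamp_t + get_timeouthard()` mixes a signed time_t with the size_t the new function returns, so the comparison is performed unsigned and triggers the compiler's sign-compare warning; this disappears once get_timeouthard() returns time_t. The same line now does a getenv() and atoi() on every redirect verification where a compile-time constant stood before; reading the value once at startup and reusing it would avoid that.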
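Review bot: the last hunk keeps a braced block whose only statement is `timeouthard=get_timeouthard();`, but the third hunk already initialises timeouthard with the same call at its declaration, so the block re-reads the environment to no effect; drop the whole block rather than rewriting its body.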

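A model of the redirect-token check described in the message, added here as an example and not sqwebmail's own code: it reproduces the hash input of redirect_hash() and the TIMEOUTHARD window from the patch, and contrasts a per-host secret (the local SENDITSH inode) with a shared secret such as the configuration variable Pawel proposes. NUMBUFSIZE, the inode values, the shared secret and the timestamps are constructed, not taken from courier.

```python
import hashlib
import hmac

NUMBUFSIZE = 40  # assumed; courier's real value is not on the page


def redirect_hash(timestamp: str, secret: str) -> str:
    """Same input as folder.c: md5 over "<timestamp> <secret>".
    In sqwebmail the secret is the local SENDITSH inode; here it is a
    parameter so a per-host and a shared secret can be compared."""
    if len(timestamp) >= NUMBUFSIZE:
        return ""
    return hashlib.md5(f"{timestamp} {secret}".encode()).hexdigest()


def make_redirect(now: int, secret: str):
    """Token issued by the front-end that builds the redirect URL."""
    ts = str(now)
    return ts, redirect_hash(ts, secret)


def verify_redirect(timestamp: str, given: str, secret: str,
                    now: int, timeouthard: int) -> bool:
    """Check done by whichever front-end receives the redirect: reject
    future or stale timestamps (the TIMEOUTHARD window the patch makes
    configurable), then compare the recomputed hash."""
    if not timestamp.isdigit():
        return False
    ts = int(timestamp)
    if now < ts or now > ts + timeouthard:
        return False
    expected = redirect_hash(timestamp, secret)
    return expected != "" and hmac.compare_digest(expected, given)


# Constructed cluster: two front-ends with different local SENDITSH inodes.
FRONTEND_INODES = {"fe1": "123456", "fe2": "654321"}
SHARED_SECRET = "constructed-shared-secret"  # what a config variable would hold


def scenario(issuer: str, verifier: str, shared: bool, delay: int,
             timeouthard: int = 3600) -> bool:
    """Issue on one front-end, verify on another `delay` seconds later."""
    now = 1_188_800_000  # constructed epoch close to the message date
    secret_of = (lambda host: SHARED_SECRET) if shared \
        else (lambda host: FRONTEND_INODES[host])
    ts, h = make_redirect(now, secret_of(issuer))
    return verify_redirect(ts, h, secret_of(verifier), now + delay, timeouthard)
```

With the per-host inode the check passes only when the DNS round-robin sends the user back to the issuing front-end; with the shared secret it passes on any front-end, while the TIMEOUTHARD window still rejects stale or future timestamps.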