Control: severity -1 important

Hi Sandro,

On Mon, 11 May 2020 at 18:34:06 +0200, Matus UHLAR - fantomas wrote:
> the imap retry patch added within bug 947320 locks my accounts when I enter
> invalid password.

Could you please have a look at this regression report?  You authored
the patch and my PHP-fu is failing me :-P  It should definitely not
retry the very same incorrect credentials.  Even on systems without
anti-bruteforce logic that locks the user out, Roundcube still takes 5
times longer to complain a about a failed login — which is not
negligible when an expensive PBKDF is used for credential verification.

I think it's rather unfortunate that 
was AFAICT never submitted upstream and landed into stable through -p-u.
I dunno whether program/lib/Roundcube/rcube_imap.php:connect() has
access to the IMAP state machine to determine whether a greeting was
seen (AFAICT your intention was to retry on missing greeting lines, not
on NO/BYE greeting conditions let alone failed authentication attempts)
or to another interface returning whether the error is transient or not.
Either way it'd be good to have upstream's blessing before adopting such
patches to Debian :-)


Attachment: signature.asc
Description: PGP signature

Reply via email to