On Mon, Oct 15, 2001 at 10:09:51PM +0000, Sam Varshavchik wrote:
> This is going to scribble all over your maildir, as root - not something you 
> really want to happen. 

Duly noted, and thanks for the feedback.

> Setting this tiny glitch aside, the problem with this is that now anyone who 
> knows at least one valid mail account name on this server will now be able 
> to fill the account with crap.  Do it long enough, and you'll run out of 
> disk space. 

Hmmm...wouldn't it be easy to take care of this condition by breaking
up the connection validation?  Right now it checks everything at once,
and if any one of them fails then it kicks you back to the login form.
If you checked the session token and the hard timeout, and validated the
IP address before saving to the drafts if a soft timeout has occurred,
wouldn't that prevent the above DOS?  In that case they've succeeded
in every step of the authentication except for the soft timeout,
right?

> Of course, there may be other ways to bomb the account, or to DOS
> the server, but that's somebody else's problem. 

Agreed, I certainly wouldn't want to open up a security hole, but this
is a feature that I think is useful, so I appreciate your constructive
comments.  If I understand your criticisms, I'm thinking something like
this addresses them:

--- /usr/src/sqwebmail/sqwebmail-3.1.0.20011006/sqwebmail/sqwebmail.c   Thu Sep 27 
02:15:08 2001
+++ sqwebmail.c Mon Oct 15 21:55:29 2001
@@ -1733,11 +1733,10 @@
                ** session has reached its soft timeout.
                */
 
-                       || !read_sqconfig(".", TIMESTAMP, &last_time)
+                       || !read_sqconfig(".", TIMESTAMP, &last_time))
 
 /*                     || last_time > current_time     */
 
-                       || last_time + timeoutsoft < current_time)
                {
                        setgid(getgid());
                        setuid(getuid());       /* Drop root prevs */
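Review bot: the commented-out `/* || last_time > current_time */` line now sits between the closing `)` of the `if` and its `{`; it still compiles because it is a comment, but a dead alternative condition outside the expression it used to belong to is confusing and should be dropped rather than left in place. Keeping `!read_sqconfig(".", TIMESTAMP, &last_time)` as the last term of this expression is what guarantees `last_time` is initialised before the new soft-timeout block that follows; whether a request failing the session-token or IP checks can still reach that block depends on the terms above line 1733, which are outside this hunk, so confirm that ordering before relying on this to close the draft-flooding concern.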
@@ -1757,6 +1756,34 @@
                        output_form("expired.html");
                        return (0);
                }
+
+               if (last_time + timeoutsoft < current_time) {
+                       setgid(getgid());
+                       setuid(getuid());
+                       cgi_setup();
+                       cgiformdatatempdir("tmp");
+                       if (*cgi("savedraft") || *cgi("sendmsg")) {
+                               char* newmsg_createdraft (const char *curdraft);
+                               char* p = newmsg_createdraft (cgi("draftmessage"));
+                               if (!p) enomem();
+                               free (p);
+                       }
+                       /* duplication of above code */
+                       chdir("/");
+                       init_default_locale();
+                       free(pi);
+                       if (strcmp(cgi("form"), "logout") == 0)
+                               /* Already logged out, and the link
+                               ** had target=_parent tag.
+                               */
+                       {
+                               http_redirect_top("");
+                               return (0);
+                       }
+                       output_form("expired.html");
+                       return (0);
+               }
+
                free(q);
                cgiformdatatempdir("tmp");
                cgi_setup();    /* Read CGI environment */
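Review bot: the new block calls `cgi_setup()` before `cgiformdatatempdir("tmp")`, while the unchanged path immediately below calls `cgiformdatatempdir("tmp")` first and then `cgi_setup()`; if the temp directory must be set before form data is read, the new branch has them in the wrong order and should match the existing sequence. The branch also `return (0)`s before the `free(q)` in the trailing context, so `q` leaks on this path unless it is freed inside the block as `pi` is. Smaller points: the local prototype `char* newmsg_createdraft (const char *curdraft);` belongs in a header rather than inside a block, and the section marked `/* duplication of above code */` repeats the expired-session cleanup verbatim, which is better factored into one shared exit so the two paths cannot drift apart. Since a `sendmsg` request that hits the soft timeout is silently converted into a saved draft, `expired.html` should tell the user the message was saved, not sent.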