From c161a2c98751aab0787a4f67730337047181f990 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 15:42:12 +0100
Subject: [PATCH 1/6] syntax

---
 core/admin/mailu/utils.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index fa27948f..e4dc4d07 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -481,8 +481,7 @@ session = MailuSessionExtension()
 def verify_temp_token(email, token):
     try:
         if token.startswith('token-'):
-            sessid = app.session_store.get(token)
-            if sessid:
+            if sessid := app.session_store.get(token)
                 session = MailuSession(sessid, app)
                 if session.get('_user_id', '') == email:
                     return True

From f0247a2faf72740acf66237680be1ca766f702c3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 15:45:05 +0100
Subject: [PATCH 2/6] Use self where appropriate

---
 core/admin/mailu/utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index e4dc4d07..087357a5 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -268,9 +268,9 @@ class MailuSession(CallbackDict, SessionMixin):
             self._sid = self.app.session_config.gen_sid()
             set_cookie = True
             if 'webmail_token' in self:
-                app.session_store.put(self['webmail_token'],
+                self.app.session_store.put(self['webmail_token'],
                     self.sid,
-                    app.config['PERMANENT_SESSION_LIFETIME'],
+                    self.app.config['PERMANENT_SESSION_LIFETIME'],
                 )
 
         # get new session key
@@ -357,7 +357,7 @@ class MailuSessionConfig:
         if now is None:
             now = int(time.time())
         created = int.from_bytes(created, byteorder='big')
-        if not created <= now <= created + app.config['PERMANENT_SESSION_LIFETIME']:
+        if not created <= now <= created + self.app.config['PERMANENT_SESSION_LIFETIME']:
             return None
         return (uid, sid, crt)

From 2b29cfb3f0183ceda035d8a882395b92001f5bf5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 15:55:59 +0100
Subject: [PATCH 3/6] fix cleanup_sessions()

---
 core/admin/mailu/utils.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 087357a5..5d51a730 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -422,7 +422,16 @@ class MailuSessionExtension:
         count = 0
         for key in app.session_store.list():
-            if not app.session_config.parse_key(key, app, now=now):
+            if key.startswith('token-'):
+                if sessid := app.session_store.get(token):
+                    if not app.session_config.parse_key(sessid, app, now=now):
+                        app.session_store.delete(sessid)
+                        app.session_store.delete(key)
+                        count += 1
+                else:
+                    app.session_store.delete(key)
+                    count += 1
+            elif not app.session_config.parse_key(key, app, now=now):
                 app.session_store.delete(key)
                 count += 1
@@ -442,7 +451,7 @@ class MailuSessionExtension:
         count = 0
         for key in app.session_store.list(prefix):
-            if key not in keep:
+            if key not in keep and not key.startswith('token-'):
                 app.session_store.delete(key)
                 count += 1

From 58d0faff7f2d8d987136fea33e1086a0ba8438db Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 15:59:00 +0100
Subject: [PATCH 4/6] ensure we clear the token on delete()

---
 core/admin/mailu/utils.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 5d51a730..73c2c058 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -231,8 +231,6 @@ class MailuSession(CallbackDict, SessionMixin):
     def destroy(self):
         """ destroy session for security reasons. """
-        if 'webmail_token' in self:
-            self.app.session_store.delete(self['webmail_token'])
         self.delete()
         self._uid = None
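Review bot: The new `token-` branch in cleanup_sessions calls `app.session_store.get(token)`, but `token` is not bound anywhere in this loop — the loop variable is `key` — so the first `token-` entry in the store raises NameError and aborts the whole cleanup run; the line should read `if sessid := app.session_store.get(key):`. None of the later patches in this series corrects it (patch 6, "doh", only restores the colon in verify_temp_token). Separately, the branch only checks the referenced session key's format and age via parse_key, so a token whose session was already removed by another path is kept until its own store TTL expires — presumably acceptable, but worth a one-line comment such as `# token points at a valid-looking session; rely on the store TTL for orphans`. cleanup_sessions starts outside the hunk, so it is not visible whether `now` is set before the loop.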
@@ -246,13 +244,15 @@ class MailuSession(CallbackDict, SessionMixin):
     def regenerate(self):
         """ generate new id for session to avoid `session fixation`. """
-        self.delete()
+        self.delete(clear_token=False)
         self._sid = None
         self.modified = True
 
-    def delete(self):
+    def delete(self, clear_token=True):
         """ Delete stored session. """
         if self.saved:
+            if clear_token and 'webmail_token' in self:
+                self.app.session_store.delete(self['webmail_token'])
             self.app.session_store.delete(self._key)
             self._key = None

From 6d5926ef29f628b5f8db59efd2b75e2b5258ee72 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 16:06:34 +0100
Subject: [PATCH 5/6] prettify

---
 webmails/roundcube/start.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index db9e5ccd..217a24e9 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -63,8 +63,7 @@ context["PLUGINS"] = ",".join(f"'{p}'" for p in plugins)
 context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else []
 
 # calculate variables for config file
-env["SESSION_TIMEOUT_MINUTES"] = str(int(env.get("SESSION_TIMEOUT", "3600")) // 60 ) if int(env.get("SESSION_TIMEOUT", "3600")) >= 60 else "1"
-context.update(env)
+context["SESSION_TIMEOUT_MINUTES"] = max(int(env.get("SESSION_TIMEOUT", "3600")) // 60, 1)
 
 # create config files
 conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini")

From bee6e980e31c2f2a88c1ea74b901822324f2d903 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 16:23:27 +0100
Subject: [PATCH 6/6] doh

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 73c2c058..f2adfc2a 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
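Review bot: The new `clear_token` parameter on delete() is undocumented — the docstring still reads only `""" Delete stored session. """` — and the reason regenerate() passes `clear_token=False` is not stated anywhere in the hunk. I would extend the docstring to say that with `clear_token=False` the webmail_token → sid mapping is deliberately left in the store so that the next save() can re-point it to the regenerated sid (the put of `self['webmail_token']` in save() is visible in patch 2), while destroy() relies on the default to revoke the token together with the session. Until that save() runs, the mapping refers to a session key this method has just deleted, which is presumably a short window but worth stating explicitly. Making the flag keyword-only, `def delete(self, *, clear_token=True):`, would keep callers from passing it positionally by accident.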
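Review bot: Dropping `context.update(env)` changes what the templates can see, which goes beyond the "prettify" in the subject: previously every key of `env` was merged into `context` before conf.jinja ran, and now only `SESSION_TIMEOUT_MINUTES` is added explicitly. Unless `context` is already seeded from `env` above the hunk (not visible here), any template that referenced another env-derived key will now render it empty; that should be checked against the roundcube templates before this lands. The value also changes type from str to int, which Jinja renders identically, and `max(..., 1)` preserves the previous one-minute floor. A non-numeric SESSION_TIMEOUT still raises ValueError at startup, as it did before.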
@@ -490,7 +490,7 @@ session = MailuSessionExtension()
 def verify_temp_token(email, token):
     try:
         if token.startswith('token-'):
-            if sessid := app.session_store.get(token)
+            if sessid := app.session_store.get(token):
                 session = MailuSession(sessid, app)
                 if session.get('_user_id', '') == email:
                     return True