lub
/
mailu
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

Merge #2098

Browse Source 
2098: Sessions tweaks2 r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Additional tweaks suggested by `@ghostwheel42:`
- fix cleanup_sessions (important)
- ensure we delete tokens on delete()

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
master
bors[bot] 3 years ago committed by GitHub
parent 18865bf03b bee6e980e3
commit ee5fc81b07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File

30
core/admin/mailu/utils.py
Unescape Escape View File

@ -231,8 +231,6 @@ class MailuSession(CallbackDict, SessionMixin):
def destroy(self): def destroy(self):
""" destroy session for security reasons. """ """ destroy session for security reasons. """
if 'webmail_token' in self:
self.app.session_store.delete(self['webmail_token'])
self.delete() self.delete()
self._uid = None self._uid = None
@ -246,13 +244,15 @@ class MailuSession(CallbackDict, SessionMixin):
def regenerate(self): def regenerate(self):
""" generate new id for session to avoid `session fixation`. """ """ generate new id for session to avoid `session fixation`. """
self.delete() self.delete(clear_token=False)
self._sid = None self._sid = None
self.modified = True self.modified = True
def delete(self): def delete(self, clear_token=True):
""" Delete stored session. """ """ Delete stored session. """
if self.saved: if self.saved:
if clear_token and 'webmail_token' in self:
self.app.session_store.delete(self['webmail_token'])
self.app.session_store.delete(self._key) self.app.session_store.delete(self._key)
self._key = None self._key = None
@ -268,9 +268,9 @@ class MailuSession(CallbackDict, SessionMixin):
self._sid = self.app.session_config.gen_sid() self._sid = self.app.session_config.gen_sid()
set_cookie = True set_cookie = True
if 'webmail_token' in self: if 'webmail_token' in self:
app.session_store.put(self['webmail_token'], self.app.session_store.put(self['webmail_token'],
self.sid, self.sid,
app.config['PERMANENT_SESSION_LIFETIME'], self.app.config['PERMANENT_SESSION_LIFETIME'],
) )
# get new session key # get new session key
@ -357,7 +357,7 @@ class MailuSessionConfig:
if now is None: if now is None:
now = int(time.time()) now = int(time.time())
created = int.from_bytes(created, byteorder='big') created = int.from_bytes(created, byteorder='big')
if not created <= now <= created + app.config['PERMANENT_SESSION_LIFETIME']: if not created <= now <= created + self.app.config['PERMANENT_SESSION_LIFETIME']:
return None return None
return (uid, sid, crt) return (uid, sid, crt)
@ -422,7 +422,16 @@ class MailuSessionExtension:
count = 0 count = 0
for key in app.session_store.list(): for key in app.session_store.list():
if not app.session_config.parse_key(key, app, now=now): if key.startswith('token-'):
if sessid := app.session_store.get(token):
if not app.session_config.parse_key(sessid, app, now=now):
app.session_store.delete(sessid)
app.session_store.delete(key)
count += 1
else:
app.session_store.delete(key)
count += 1
elif not app.session_config.parse_key(key, app, now=now):
app.session_store.delete(key) app.session_store.delete(key)
count += 1 count += 1
@ -442,7 +451,7 @@ class MailuSessionExtension:
count = 0 count = 0
for key in app.session_store.list(prefix): for key in app.session_store.list(prefix):
if key not in keep: if key not in keep and not key.startswith('token-'):
app.session_store.delete(key) app.session_store.delete(key)
count += 1 count += 1
@ -481,8 +490,7 @@ session = MailuSessionExtension()
def verify_temp_token(email, token): def verify_temp_token(email, token):
try: try:
if token.startswith('token-'): if token.startswith('token-'):
sessid = app.session_store.get(token) if sessid := app.session_store.get(token):
if sessid:
session = MailuSession(sessid, app) session = MailuSession(sessid, app)
if session.get('_user_id', '') == email: if session.get('_user_id', '') == email:
return True return True

3
webmails/roundcube/start.py
Unescape Escape View File

@ -63,8 +63,7 @@ context["PLUGINS"] = ",".join(f"'{p}'" for p in plugins)
context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else [] context["INCLUDES"] = sorted(inc for inc in os.listdir("/overrides") if inc.endswith(".inc")) if os.path.isdir("/overrides") else []
# calculate variables for config file # calculate variables for config file
env["SESSION_TIMEOUT_MINUTES"] = str(int(env.get("SESSION_TIMEOUT", "3600")) // 60 ) if int(env.get("SESSION_TIMEOUT", "3600")) >= 60 else "1" context["SESSION_TIMEOUT_MINUTES"] = max(int(env.get("SESSION_TIMEOUT", "3600")) // 60, 1)
context.update(env)
# create config files # create config files
conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini") conf.jinja("/php.ini", context, "/usr/local/etc/php/conf.d/roundcube.ini")

Write Preview
Loading…
Cancel
Save