Roundcube Community Forum

 

Multiple entries in DB for same user.

Started by rdugaue, May 03, 2013, 03:34:27 PM


rdugaue

When consolidating my DB, I noticed that I have multiple usernames for essentially the same user on a server.

The mail server does not require a hostname to login, so the config for RC is:

$rcmail_config['default_host'] = 'domain.tld';
$rcmail_config['username_domain'] = '';

However, I noticed with this config, that RC allows for ANY domain to be included in the username login, which then creates multiple records for the same username (so different RC configs/contacts/identities). 

I watched the mail server logs, and in this configuration, RC strips the domain part out of the username and sends authentication to IMAP server. I used [email protected] in username field, but IMAP shows:

May  3 12:20:38 mail dovecot: imap-login: Login: user=<myname>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x

So what happens is a user can basically enter "[email protected]" in the username field of the login form. Authentication succeeds but now there is a new entry in the DB of a username of "[email protected]" associated with the actual host field of the mail server.
This can cause user confusion, since now there are 2 (or more) entries of the same user, but with different contacts/etc. I.e., a user logging in with a username of "myname", but later with a username of "[email protected]", succeeds; however, they won't see the same configs.

Also, this could be used maliciously to easily fill up RC's DB with 1000s of entries of a user creating multiple DB entries of "[email protected]", "[email protected]", etc...

I guess I could fill in the username_domain field to domain.tld, but then similar to my other report, there should be some way to have DB creation of a new user to use just the username portion of the login field and the mail server host for the hostname field to prevent multiple entries as described above.

Edit: adding "domain.tld" to the username_domain field did not work. I'm still able to create new user entries with a username of "[email protected]" on login.


alec

You can write a plugin similar to virtuser_file, but I suppose the patch from this pull request should do what you want: https://github.com/roundcube/roundcubemail/pull/3
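
An audit for the duplicate records described in the first post, as an added example that is not part of the thread or of Roundcube's code: it groups rows of the users table by the part of the username before "@" plus mail_host and reports mailboxes that have more than one record. It assumes the setup from the post, where the mail server ignores the domain part; the sample rows, the example domains and the case-insensitive comparison are constructed assumptions.

```python
import sqlite3

# Constructed sample rows shaped like Roundcube's users table (username, mail_host).
SAMPLE_USERS = [
    ("myname", "domain.tld"),
    ("myname@one.example", "domain.tld"),
    ("myname@two.example", "domain.tld"),
    ("other", "domain.tld"),
    ("Other@domain.tld", "domain.tld"),
    ("solo@domain.tld", "domain.tld"),
    ("myname", "mail2.example"),  # different mail_host: a separate mailbox
]


def build_sample_db():
    """In-memory stand-in for the Roundcube DB with only the columns the audit needs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, mail_host TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO users (username, mail_host) VALUES (?, ?)", SAMPLE_USERS)
    return db


def local_part(username):
    """The name the IMAP server authenticates once any @domain is stripped.

    Lower-casing is an assumption: it treats login names as case-insensitive.
    """
    return username.split("@", 1)[0].lower()


def find_duplicate_accounts(db):
    """Map (local part, mail_host) -> usernames for mailboxes with several records."""
    groups = {}
    rows = db.execute("SELECT username, mail_host FROM users ORDER BY user_id")
    for username, mail_host in rows:
        groups.setdefault((local_part(username), mail_host), []).append(username)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (name, host), usernames in find_duplicate_accounts(build_sample_db()).items():
        print(f"{name} on {host}: {len(usernames)} records -> {usernames}")
```

On a server where the domain part does select a different mailbox, group by the full username instead, since the same local part under two domains is then two legitimate accounts.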