Bug 292692 - mail-client/roundcube-0.3.1 doesn't play nicely with suhosin
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Web Application Packages Maintainers
Reported: 2009-11-10 17:07 UTC by Richard Scott
Modified: 2010-09-28 05:37 UTC

Attachments
htaccess file (.htaccess,1.27 KB, text/plain)
2009-11-12 06:25 UTC, Peter Kerwien

Description Richard Scott 2009-11-10 17:07:16 UTC
After configuring roundcube-0.3.1 I have found that having suhosin.session.encrypt = On results in an automatic logout.

From what I can guess, it seems that roundcube bypasses the php session management when checking if you're an authenticated user and checks the db directly rather than the session variable. As this entry in the DB will be encrypted, it logs you out!

Reproducible: Always

Steps to Reproduce:
1. emerge and configure roundcube-0.3.1
2. set the suhosin.session.encrypt in /etc/php/apache2-php5/ext-active/suhosin.ini
3. try to log in to roundcube; after 2 seconds you'll be logged out.
Comment 1 Peter Kerwien 2009-11-12 06:25:31 UTC
Created attachment 209980
htaccess file

It could also be solved by including the .htaccess file from roundcube-0.3.1, which locally sets suhosin.session.encrypt = Off.
Comment 2 Richard Scott 2009-11-18 09:58:23 UTC
(In reply to comment #1)

Thanks for this, it's worked... However, I'm unable to find a reference to it in the roundcube-0.3.1.ebuild. Was this a Gentoo addition that's gone missing, or is this something that upstream has removed?
Comment 3 Peter Kerwien 2009-11-18 13:49:24 UTC
Perhaps the ebuild should be modified with the following:

...
doins -r [[:lower:]]* SQL
...

To:

...
doins -r [[:lower:]]* SQL
doins .htaccess
...

so the .htaccess file is also installed.
Comment 4 Tim Harder gentoo-dev 2010-09-28 05:37:05 UTC
Fixed in the latest revision bump.
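
A check for the situation discussed in comments 1 and 3, as an added example that is not part of the bug thread, the ebuild or Roundcube: it reports which suhosin.session.encrypt value an installed Roundcube directory receives from the global suhosin.ini and from a per-directory .htaccess, so a missing .htaccess after installation is visible. The function names and the two path arguments are hypothetical, and the result assumes Apache with mod_php and an AllowOverride setting that honours php_flag in .htaccess.

```shell
#!/bin/sh
# Added example (not from the bug thread): show where the
# suhosin.session.encrypt value for a web application directory comes from.
# Usage (paths are assumptions): sh check.sh /path/to/suhosin.ini /path/to/roundcube

# Normalise PHP boolean spellings to "on" / "off".
normalise() {
    case "$(printf '%s' "$1" | tr -d '"' | tr 'A-Z' 'a-z')" in
        1|on|yes|true) echo on ;;
        *) echo off ;;
    esac
}

# Value assigned in a php.ini-style file. Empty when the directive is
# absent or commented out with ';'. The last assignment wins.
ini_value() {
    sed -n 's/^[[:space:]]*suhosin\.session\.encrypt[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Value assigned through php_flag / php_value in an .htaccess file,
# including lines indented inside an <IfModule> block.
htaccess_value() {
    sed -n 's/^[[:space:]]*php_[a-z]*[[:space:]][[:space:]]*suhosin\.session\.encrypt[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# $1 = suhosin.ini, $2 = application directory.
# Prints "on (htaccess)", "off (htaccess)", "on (ini)", "off (ini)" or
# "unset" (neither file sets it, so suhosin's built-in default applies).
effective_encrypt() {
    v=$(htaccess_value "$2/.htaccess")
    src=htaccess
    if [ -z "$v" ]; then
        v=$(ini_value "$1")
        src=ini
    fi
    if [ -z "$v" ]; then
        echo "unset"
        return 0
    fi
    echo "$(normalise "$v") ($src)"
}

if [ "$#" -eq 2 ]; then
    effective_encrypt "$1" "$2"
fi
```

A result of "on (ini)" for the Roundcube directory matches the state in which the reporter saw the automatic logout; "off (htaccess)" matches the workaround from comment 1, which turns session encryption off for that directory only.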