Bug 203260

Summary: mail/roundcube: FreeBSD patch in the port re-introduces the "Your session is invalid or expired" bug
Product: Ports & Packages
Reporter: Mark.Martinec
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Some People
CC: rainer
Priority: ---
Flags: bugzilla: maintainer-feedback? (ale)
Version: Latest
Hardware: Any
OS: Any

Attachments:
  Description: Fix encoding when suhosin session encryption is not enabled.
  Flags: none

Description Mark.Martinec 2015-09-22 12:36:32 UTC
The full issue is described at:

  http://trac.roundcube.net/ticket/1490546

It turns out that this SQL issue has long been fixed (or better:
worked-around) in the Roundcube distribution, yet the patch in the
FreeBSD port (files/patch-program_lib_Roundcube_rcube_session.php)
re-introduces the problem by avoiding base64 encoding of the
session.vars field in SQL, naively hoping that PHP's interface
to SQL won't choke on a NULL byte in a data string. As a result
a user gets logged out with a "Your session is invalid or expired"
message on certain operations.

Using roundcube-1.1.3, php 5.5.29, postgresql 9.3.9, FreeBSD 10.2
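An added illustration of the failure described in this report (example code, not code from the FreeBSD port patch or from Roundcube itself): PHP's serialize() emits NUL bytes for protected and private properties, and suhosin-encrypted session blobs are arbitrary binary, so the raw value cannot be written into a PostgreSQL text column; base64-encoding it before the UPDATE is the work-around. The table and column names (session, sess_id, vars, changed) and the PDO connection are assumptions made for the example.

```php
<?php
// Added example, not code from the roundcube port or upstream. Shows why
// session.vars must be base64-encoded before the value reaches the database:
// PHP's serialize() output (and suhosin-encrypted session data) can contain
// NUL bytes, which PostgreSQL text columns reject with
// "invalid byte sequence for encoding UTF8: 0x00".
// Table/column names are assumed to match roundcube's SQL schema.

class SessionPayload
{
    // PHP serializes a protected property as "\0*\0secret": the NUL bytes are
    // part of the serialization format, not an accident of the data.
    protected $secret = 'imap-password';
    public $user_id = 1;
}

// True when the raw session data cannot be stored verbatim in a text column.
function vars_need_encoding(string $vars): bool
{
    return strpos($vars, "\0") !== false;
}

// What the corrected port patch does: encode regardless of whether suhosin
// session encryption is enabled.
function encode_session_vars(string $vars): string
{
    return base64_encode($vars);
}

// Strict decoding: a malformed stored value is treated as a broken session
// instead of silently decoding to garbage.
function decode_session_vars(string $stored): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new RuntimeException('session.vars is not valid base64');
    }
    return $raw;
}

// Writes the encoded vars with a bound parameter (assumed PDO connection).
function write_session_vars(PDO $db, string $sess_id, string $vars): void
{
    $stmt = $db->prepare(
        'UPDATE session SET vars = :vars, changed = now() WHERE sess_id = :sess_id'
    );
    $stmt->execute([
        ':vars'    => encode_session_vars($vars),
        ':sess_id' => $sess_id,
    ]);
}

// Constructed input standing in for what the session layer hands to the backend.
$raw = serialize(new SessionPayload());

printf("raw vars contain NUL bytes: %s\n", vars_need_encoding($raw) ? 'yes' : 'no');
$stored = encode_session_vars($raw);
printf("stored form is NUL-free:    %s\n", vars_need_encoding($stored) ? 'no' : 'yes');
printf("round trip intact:          %s\n", decode_session_vars($stored) === $raw ? 'yes' : 'no');

// With a real DSN, the write path can be exercised like this:
// $db = new PDO('pgsql:host=localhost;dbname=roundcube', 'roundcube', 'secret');
// write_session_vars($db, 'example-session-id', $raw);
```

The same check applies to MySQL and SQLite backends in the other direction: they may accept the NUL byte, which is why the bug is only visible on some installations; encoding unconditionally removes the dependence on the driver.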
Comment 1 Alex Dupre freebsd_committer freebsd_triage 2015-09-22 16:19:32 UTC
Created attachment 161278 [details]
Fix encoding when suhosin session encryption is not enabled.

Can you try replacing the session patch with the attached one? Not tested (it may have syntax errors), but the logic should be correct.
Comment 2 Mark.Martinec 2015-09-22 16:45:23 UTC
> Fix encoding when suhosin session encryption is not enabled.
> Can you try replacing the session patch with the attached one?

Yes, seems to work, session.vars is now base64-encoded. Thanks!

Haven't yet tried with suhosin enabled.
Comment 3 Mark.Martinec 2015-09-22 17:20:24 UTC
It works too with suhosin session encryption enabled, nice!
Comment 4 Alex Dupre freebsd_committer freebsd_triage 2015-09-22 18:22:31 UTC
Thanks for testing, committed.
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-09-22 18:23:06 UTC
A commit references this bug:

Author: ale
Date: Tue Sep 22 18:22:13 UTC 2015
New revision: 397565
URL: https://svnweb.freebsd.org/changeset/ports/397565

Log:
  Fix session handling when php-suhosin session encryption is not enabled.

  PR:		203260
  Submitted by:	Mark.Martinec@ijs.si

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/files/patch-program_lib_Roundcube_rcube_session.php
Comment 6 Mark.Martinec 2015-09-23 10:59:02 UTC
Perfect. I have now installed it on our production system, seems to work fine.

In my php-fpm.conf (running under nginx) I now have:
  php_flag[suhosin.session.encrypt] = On
  php_flag[suhosin.cookie.encrypt] = On
and the security/php-suhosin port is installed. Guessing from the changes
in contents of our PostgreSQL database for roundcube (table 'session')
it seems suhosin is now active.

... but see the last comment in http://trac.roundcube.net/ticket/1490546 :

> SQL session backend does not work with suhosin.session.encrypt=On anyway.

Any comment on that?
Comment 7 Alex Dupre freebsd_committer freebsd_triage 2015-09-23 12:37:36 UTC
The reason for having a patch in the FreeBSD port is exactly to make roundcube working with suhosin session encryption.
Comment 8 Mark.Martinec 2015-09-23 13:06:32 UTC
> The reason for having a patch in the FreeBSD port is exactly to make
> roundcube working with suhosin session encryption.

Has it been attempted to bring these patches upstream?
Is there a Trac ticket for this?
Comment 9 Alex Dupre freebsd_committer freebsd_triage 2015-09-23 13:36:03 UTC
Nope.
Comment 10 rainer 2015-11-14 16:00:39 UTC
Hi,

I have the same problem.
I have opened a ticket in the roundcube trac:
http://trac.roundcube.net/ticket/1490587#comment:7

Basically, I have:
FreeBSD 10.1 amd64
PHP55 (running as PHP-FPM)
in a jail
nginx
everything else (mailserver, imap-server) is running in different jails.
I build my own packages.
I have no suhosin.

When I try to login, I get the following debug output:

root@webmail:/usr/local/www/roundcube/logs # ll
total 20
-r--r--r--  1 root  wheel    1 Sep 13 21:04 .gitignore
-r--r--r--  1 root  wheel   56 Sep 13 21:04 .htaccess
-rw-r--r--  1 www   www    238 Nov 14 14:42 session
-rw-r--r--  1 www   www    570 Nov 14 14:42 sql
-rw-r--r--  1 www   www    180 Nov 14 14:42 userlogins
root@webmail:/usr/local/www/roundcube/logs # cat session 
[14-Nov-2015 14:42:17 +0100]: <hpavspk5> Session auth check failed for ; timeslot = 2015-11-14 14:30:00
[14-Nov-2015 14:42:17 +0100]: <hpavspk5> Session authentication failed for ; invalid auth cookie sent; timeslot = 2015-11-14 13:30:00
root@webmail:/usr/local/www/roundcube/logs # cat userlogins 
[14-Nov-2015 14:42:17 +0100]: <hpavspk5> Successful login for user@domain (ID: 1) from my.ip (X-Forwarded-For: my.ip) in session hpavspk5u8pknqqiuh3j609o43
root@webmail:/usr/local/www/roundcube/logs # cat s
session  sql      
root@webmail:/usr/local/www/roundcube/logs # cat sql 
[14-Nov-2015 14:42:17 +0100]: <s8horu4m> [1] DELETE FROM `session` WHERE `sess_id` = 's8horu4m00itrq5cdsk1443ff6';
[14-Nov-2015 14:42:17 +0100]: <s8horu4m> [2] SELECT * FROM `users` WHERE `mail_host` = '127.0.0.8' AND `username` = 'rainer@ultra-secure.de';
[14-Nov-2015 14:42:17 +0100]: <s8horu4m> [3] UPDATE `users` SET `last_login` = now() WHERE `user_id` = '1';
[14-Nov-2015 14:42:17 +0100]: <hpavspk5> [1] SELECT * FROM `users` WHERE `user_id` = '1';
[14-Nov-2015 14:42:17 +0100]: <hpavspk5> [2] DELETE FROM `session` WHERE `sess_id` = 'hpavspk5u8pknqqiuh3j609o43';


For some reason, the "$this->key"-thing is empty.

I tried rebuilding my package without the patch in this ticket (because I don't have suhosin), but that does not work either.

The installation itself did work, and if I comment out the part of the code that does the various checks that are the reason for my immediate logout after login, I can use the thing like normal.
Comment 11 rainer 2015-11-18 23:14:42 UTC
Installed php-suhosin.
Made no difference :-(