Discussion:
[RCD] cookie issue with contacts plugin and google analytics
Brendan
2017-12-08 20:18:35 UTC
Permalink
i've had a strange bug happening with a couple users in our environment
that i finally managed to track down. before i submit a patch, i'd like
to hear opinions about the best way to do so.

the problem essentially boils down to overly permissive google
analytics(GA) cookies that some of our customers and end users are
using. in some cases, GA hands out a cookie named _gid - that cookie can
cause problems with roundcube if it's sent along as part of the request
for retrieving contacts on the compose page.

if you are using a custom contacts souce (as is the case with a contacts
plugin, ie the carddav one) in program/steps/mail/list_contacts.inc this
block is evaluated:

if ($group_id = rcube_utils::get_input_value('_gid',
rcube_utils::INPUT_GPC)) {
$CONTACTS->set_group($group_id);
}

the request comes in from a GET, but rcube_utils::INPUT_GPC causes
rcube_utils::get_input_value() to also consider cookies. if the GA _gid
cookie is present, things fall apart (as the value of the cookie does
not correspond to an existing group) and no contacts are returned.

the simplest fix would be to switch rcube_utils::INPUT_GPC to
rcube_utils::INPUT_GET so that roundcube would not consider the cookie.
but, there could be some historical use case where the cookie needs to
be considered?

as an alternate, list_contacts.inc could try and validate the content of
the $group_id that is returned and skip setting it if it doesn't seem
reasonable.

it would seem a little ugly to specifically check for a google specific
cookie in the code, so it seems like the INPUT_GET change would be
better... but i don't know if that would break other plugins.

thoughts?
A.L.E.C
2017-12-08 20:43:30 UTC
Permalink
Post by Brendan
i've had a strange bug happening with a couple users in our environment
that i finally managed to track down. before i submit a patch, i'd like
to hear opinions about the best way to do so.
It's been already fixed in the core of 1.3.0.
https://github.com/roundcube/roundcubemail/issues/5748.
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
Loading...