On 05/22/2014 09:59 AM, Reindl Harald wrote:
> I am not a roundcube dev but my job is development and security
>
> * if you don't pass the token verification no login code is running
> * the login in case of roundcube implies network connections
> * the login in case of roundcube affects also the mailserver
>
> the django project thought the same as you:
> https://www.djangoproject.com/weblog/2013/sep/15/security/
It's worth noting that Django's mitigation of this issue *didn't* have
to do with CSRF protection -- rather, they limited the size of the
submitted passwords to 4 KiB.
--dkg
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
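As an added illustration of the mitigation dkg refers to (example code, not from this thread, Django or Roundcube): a login handler that enforces the 4 KiB limit on the submitted password *before* running the expensive key derivation, so an oversized submission costs the server only a length check. The KDF choice (PBKDF2-HMAC-SHA256), iteration count and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# 4 KiB is the limit mentioned in the message above; everything else here is
# an illustrative stand-in, not Django's or Roundcube's actual code.
MAX_PASSWORD_BYTES = 4096
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def password_within_limit(password: str) -> bool:
    """Length check on the UTF-8 encoding; this runs before any hashing."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 hash for storage.

    Oversized passwords are refused up front so the KDF never sees them.
    """
    if not password_within_limit(password):
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def login_attempt(password: str, salt: bytes, stored: bytes) -> Tuple[bool, bool]:
    """Check a submitted password against the stored hash.

    Returns (accepted, kdf_ran). The second flag makes the ordering visible:
    an over-limit submission is rejected with kdf_ran == False, i.e. the
    server did no expensive work for it.
    """
    if not password_within_limit(password):
        return False, False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored), True


if __name__ == "__main__":
    s, d = hash_password("correct horse battery staple")
    print(login_attempt("correct horse battery staple", s, d))  # (True, True)
    print(login_attempt("a" * (MAX_PASSWORD_BYTES + 1), s, d))   # (False, False)
```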
