login rate limiting sends local time to database (postgres) which causes undesired effects #5708
Comments
|
I'm afraid that's only one of many issues that you can hit when database uses different timezone than Roundcube. We do have a check for this in the installer. So, probably not something that we can fix easily. |
|
For MySQL we use datetime type which ignores timezone. So, I think the best solution here would be to convert all columns to timestamp without time zone. |
|
AFAIK the datetime types in MySQL are not timezone-aware and therefore we require the database to use the same timezone as the Roundcube webserver. For other database backends which are timezone-aware, we should produce datetime values that include timezone information of the webserver. I suppose that's what @scott323 suggests here and I think that's the right approach. |
|
@thomascube If we set timezone on input to db we'll need to make sure to handle it correctly on output. I tried to skip this requirement if possible and find a "global" solution. I was afraid we'll have to modify some more code, but maybe it's not that bad. |
|
While it could be fixed this way: --- a/program/lib/Roundcube/rcube_db_pgsql.php
+++ b/program/lib/Roundcube/rcube_db_pgsql.php
@@ -37,6 +52,7 @@ class rcube_db_pgsql extends rcube_db
protected function conn_configure($dsn, $dbh)
{
$dbh->query("SET NAMES 'utf8'");
+ $dbh->query("SET TIME ZONE '" . date_default_timezone_get() . "'");
}
.
/**I have a feeling this may be fragile. So, I'm going to fix this in a proposed way, though slightly improved. |
…than PHP host (#5708) Allow passing DateTime variables as query arguments. Their value will be converted to date/time input string in format specific to the database type (with timezone on postgres).
|
Fixed. Though I wouldn't apply the fix to a stable branch yet. |
* 'master' of https://github.com/roundcube/roundcubemail: (36 commits) Remove note about mail() function Update changelog Revert "extend plugin password to avoid sudo (use ssh instead calling chpasswd) (roundcube#5654)" Add Log to STDOUT Feature (roundcube#5721) extend plugin password to avoid sudo (use ssh instead calling chpasswd) (roundcube#5654) Fix bug where base_dn setting was ignored inside group_filters (roundcube#5720) Bump Net_Socket version Installer: Fix DB schema initialization on MS SQL Server Update to TinyMCE 4.5.6 Fix undesired effects when postgres database uses different timezone than PHP host (roundcube#5708) Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (roundcube#5695) Fix (restore) Tab key behaviour in autocomplete popup (roundcube#5659) Fix regression in LDAP fuzzy search where it always used prefix search instead (roundcube#5713) Ignore js deps (roundcube#5704) Update changelog Add support for DelSp=Yes messages (roundcube#5702) Fix permission of temporary files and removal of them when generating thumbnails Remove redundant entry Fix require entry for crypt_gpg also in Enigma's composer.json Use jQuery 3.2.1 ...
My postgres db is set to use UTC as default timezone.
My system (and PHP) is set to use Europe/Bratislava as default timezone (currently it's UTC +01:00).
Column definition for users.failed_login is "timestamp with time zone", but roundcube omits timezone when setting it's value, which results in incorrect calculations in rate limiting function in rcube_user->failed_login().
Proposed (and tested) solution is simple patch:
The text was updated successfully, but these errors were encountered: