From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 config/defaults.inc.php |   27 ++++++++++++++++++++++-----
 1 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index 6e441cd..4339523 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -21,9 +21,10 @@
 
 // Database connection string (DSN) for read+write operations
 // Format (compatible with PEAR MDB2): db_provider://user:password@host/database
-// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
+// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
-// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
+// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
+//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
 $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 
 // Database DSN for read-only operations (if empty write database will be used)
@@ -305,6 +306,7 @@
 // Lifetime of LDAP cache. Possible units: s, m, h, d, w
 $config['ldap_cache_ttl'] = '10m';
 
+
 // ----------------------------------
 // SYSTEM
 // ----------------------------------
@@ -375,6 +377,18 @@
 // Note: After enabling it all user records need to be updated, e.g. with query:
 //       UPDATE users SET username = LOWER(username);
 $config['login_lc'] = 2;
+
+// Maximum length (in bytes) of logon username and password.
+$config['login_username_maxlen'] = 1024;
+$config['login_password_maxlen'] = 1024;
+
+// Logon username filter. Regular expression for use with preg_match().
+// Example: '/^[a-z0-9_@.-]+$/'
+$config['login_username_filter'] = null;
+
+// Brute-force attacks prevention.
+// The value specifies maximum number of failed logon attempts per minute.
+$config['login_rate_limit'] = 3;
 
 // Includes should be interpreted as PHP files
 $config['skin_include_php'] = false;
@@ -493,7 +507,7 @@
 // Maximum number of recipients per message. Default: 0 (no limit)
 $config['max_recipients'] = 0; 
 
-// Maximum allowednumber of members of an address group. Default: 0 (no limit)
+// Maximum allowed number of members of an address group. Default: 0 (no limit)
 // If 'max_recipients' is set this value should be less or equal
 $config['max_group_members'] = 0; 
 
@@ -852,8 +866,11 @@
   'required_fields' => array('cn', 'sn', 'mail'),
   'search_fields'   => array('mail', 'cn'),  // fields to search in
   // mapping of contact fields to directory attributes
-  //   for every attribute one can specify the number of values (limit) allowed.
-  //   default is 1, a wildcard * means unlimited
+  //   1. for every attribute one can specify the number of values (limit) allowed.
+  //      default is 1, a wildcard * means unlimited
+  //   2. another possible parameter is separator character for composite fields
+  //   3. it's possible to define field format for write operations, e.g. for date fields
+  //      example: 'birthday:date[YmdHis\\Z]'
   'fieldmap' => array(
     // Roundcube  => LDAP:limit
     'name'        => 'cn',

--
Gitblit v1.9.1