From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 config/defaults.inc.php |   91 +++++++++++++++++++++++++++++++++++++++------
 1 files changed, 78 insertions(+), 13 deletions(-)

diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index edc5b32..4339523 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -21,9 +21,10 @@
 
 // Database connection string (DSN) for read+write operations
 // Format (compatible with PEAR MDB2): db_provider://user:password@host/database
-// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
+// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
-// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
+// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
+//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
 $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 
 // Database DSN for read-only operations (if empty write database will be used)
@@ -55,7 +56,7 @@
 // Use them if your server is not MySQL or for better performance.
 // For example Roundcube uses max_allowed_packet value (in bytes)
 // which limits query size for database cache operations.
-$config['db_max_allowed_packet'] = 23423440;
+$config['db_max_allowed_packet'] = null;
 
 
 // ----------------------------------
@@ -108,6 +109,13 @@
 // Log SMTP conversation to <log_dir>/smtp or to syslog
 $config['smtp_debug'] = false;
 
+// Log Memcache conversation to <log_dir>/memcache or to syslog
+$config['memcache_debug'] = false;
+
+// Log APC conversation to <log_dir>/apc or to syslog
+$config['apc_debug'] = false;
+
+
 // ----------------------------------
 // IMAP
 // ----------------------------------
@@ -158,6 +166,11 @@
 // Otherwise it will be determined automatically
 $config['imap_delimiter'] = null;
 
+// If you know your imap's folder vendor, you can specify it here.
+// Otherwise it will be determined automatically. Use lower-case
+// identifiers, e.g. 'dovecot', 'cyrus', 'gmail', 'hmail', 'uw-imap'.
+$config['imap_vendor'] = null;
+
 // If IMAP server doesn't support NAMESPACE extension, but you're
 // using shared folders or personal root folder is non-empty, you'll need to
 // set these options. All can be strings or arrays of strings.
@@ -183,6 +196,11 @@
 // Some server configurations (e.g. Courier) doesn't list folders in all namespaces
 // Enable this option to force listing of folders in all namespaces
 $config['imap_force_ns'] = false;
+
+// Some servers return hidden folders (name starting witha dot)
+// from user home directory. IMAP RFC does not forbid that.
+// Enable this option to hide them and disable possibility to create such.
+$config['imap_skip_hidden_folders'] = false;
 
 // List of disabled imap extensions.
 // Use if your IMAP server has broken implementation of some feature
@@ -288,6 +306,7 @@
 // Lifetime of LDAP cache. Possible units: s, m, h, d, w
 $config['ldap_cache_ttl'] = '10m';
 
+
 // ----------------------------------
 // SYSTEM
 // ----------------------------------
@@ -359,6 +378,18 @@
 //       UPDATE users SET username = LOWER(username);
 $config['login_lc'] = 2;
 
+// Maximum length (in bytes) of logon username and password.
+$config['login_username_maxlen'] = 1024;
+$config['login_password_maxlen'] = 1024;
+
+// Logon username filter. Regular expression for use with preg_match().
+// Example: '/^[a-z0-9_@.-]+$/'
+$config['login_username_filter'] = null;
+
+// Brute-force attacks prevention.
+// The value specifies maximum number of failed logon attempts per minute.
+$config['login_rate_limit'] = 3;
+
 // Includes should be interpreted as PHP files
 $config['skin_include_php'] = false;
 
@@ -380,9 +411,14 @@
 // Session path. Defaults to PHP session.cookie_path setting.
 $config['session_path'] = null;
 
-// Backend to use for session storage. Can either be 'db' (default), 'memcache' or 'php'
+// Backend to use for session storage. Can either be 'db' (default), 'redis', 'memcache', or 'php'
+//
 // If set to 'memcache', a list of servers need to be specified in 'memcache_hosts'
 // Make sure the Memcache extension (http://pecl.php.net/package/memcache) version >= 2.0.0 is installed
+//
+// If set to 'redis', a server needs to be specified in 'redis_hosts'
+// Make sure the Redis extension (http://pecl.php.net/package/redis) version >= 2.0.0 is installed
+//
 // Setting this value to 'php' will use the default session save handler configured in PHP
 $config['session_storage'] = 'db';
 
@@ -403,6 +439,13 @@
 // See http://php.net/manual/en/memcache.addserver.php
 $config['memcache_retry_interval'] = 15;
 
+// use this for accessing redis
+// currently only one host is supported. cluster support may come in a future release.
+// you can pass 4 fields, host, port, database and password.
+// unset fields will be set to the default values host=127.0.0.1, port=6379, database=0, password=  (empty)
+
+$config['redis_hosts'] = null; // e.g. array( 'localhost:6379' );  array( '192.168.1.1:6379:1:secret' );
+
 // check client IP in session authorization
 $config['ip_check'] = false;
 
@@ -417,10 +460,15 @@
 // Possible values: sameorigin|deny. Set to false in order to disable sending them
 $config['x_frame_options'] = 'sameorigin';
 
-// this key is used to encrypt the users imap password which is stored
-// in the session record (and the client cookie if remember password is enabled).
-// please provide a string of exactly 24 chars.
+// This key is used for encrypting purposes, like storing of imap password
+// in the session. For historical reasons it's called DES_key, but it's used
+// with any configured cipher_method (see below).
 $config['des_key'] = 'rcmail-!24ByteDESkey*Str';
+
+// Encryption algorithm. You can use any method supported by openssl.
+// Default is set for backward compatibility to DES-EDE3-CBC,
+// but you can choose e.g. AES-256-CBC which we consider a better choice.
+$config['cipher_method'] = 'DES-EDE3-CBC';
 
 // Automatically add this domain to user names for login
 // Only for IMAP servers that require full e-mail addresses for login
@@ -459,7 +507,7 @@
 // Maximum number of recipients per message. Default: 0 (no limit)
 $config['max_recipients'] = 0; 
 
-// Maximum allowednumber of members of an address group. Default: 0 (no limit)
+// Maximum allowed number of members of an address group. Default: 0 (no limit)
 // If 'max_recipients' is set this value should be less or equal
 $config['max_group_members'] = 0; 
 
@@ -652,8 +700,6 @@
 $config['quota_zero_as_unlimited'] = false;
 
 // Make use of the built-in spell checker. It is based on GoogieSpell.
-// Since Google only accepts connections over https your PHP installatation
-// requires to be compiled with Open SSL support
 $config['enable_spellcheck'] = true;
 
 // Enables spellchecker exceptions dictionary.
@@ -786,6 +832,10 @@
   // DN and password to bind as before searching for bind DN, if anonymous search is not allowed
   'search_bind_dn' => '',
   'search_bind_pw' => '',
+  // Base DN and filter used for resolving the user's domain root DN which feeds the %dc variables
+  // Leave empty to skip this lookup and derive the root DN from the username domain
+  'domain_base_dn' => '',
+  'domain_filter'  => '',
   // Optional map of replacement strings => attributes used when binding for an individual address book
   'search_bind_attrib' => array(),  // e.g. array('%udc' => 'ou')
   // Default for %dn variable if search doesn't return DN value
@@ -816,8 +866,11 @@
   'required_fields' => array('cn', 'sn', 'mail'),
   'search_fields'   => array('mail', 'cn'),  // fields to search in
   // mapping of contact fields to directory attributes
-  //   for every attribute one can specify the number of values (limit) allowed.
-  //   default is 1, a wildcard * means unlimited
+  //   1. for every attribute one can specify the number of values (limit) allowed.
+  //      default is 1, a wildcard * means unlimited
+  //   2. another possible parameter is separator character for composite fields
+  //   3. it's possible to define field format for write operations, e.g. for date fields
+  //      example: 'birthday:date[YmdHis\\Z]'
   'fieldmap' => array(
     // Roundcube  => LDAP:limit
     'name'        => 'cn',
@@ -992,7 +1045,11 @@
 $config['compose_extwin'] = false;
 
 // compose html formatted messages by default
-// 0 - never, 1 - always, 2 - on reply to HTML message, 3 - on forward or reply to HTML message
+//  0 - never,
+//  1 - always,
+//  2 - on reply to HTML message,
+//  3 - on forward or reply to HTML message
+//  4 - always, except when replying to plain text message
 $config['htmleditor'] = 0;
 
 // save copies of compose messages in the browser's local storage
@@ -1074,6 +1131,14 @@
 // 3 - Forwards and Replies only
 $config['show_sig'] = 1;
 
+// By default the signature is placed depending on cursor position (reply_mode).
+// Sometimes it might be convenient to start the reply on top but keep
+// the signature below the quoted text (sig_below = true).
+$config['sig_below'] = false;
+
+// Enables adding of standard separator to the signature
+$config['sig_separator'] = true;
+
 // Use MIME encoding (quoted-printable) for 8bit characters in message body
 $config['force_7bit'] = false;
 

--
Gitblit v1.9.1