Ticket #1484637 (closed Bugs: invalid)

Opened 15 months ago

Last modified 15 months ago

RoundCube sets unneeded HTTP header

Reported by: EdSchouten Owned by:
Priority: 5 Milestone:
Component: Client Scripts Version: 0.1-rc2
Severity: normal Keywords: http header
Cc:

Description

For some reason, RoundCube feels the urge to set the session ID into an HTTP header, while that's already done in a cookie. The problem with that is that some minimalistic HTTP servers don't understand this method of passing HTTP headers to environment variables (which is how the value is obtained in the RoundCube source code).

It has one advantage, which is that users will never see raw RoundCube data, which is actually just Security through Obscurity.

The following patch fixes RoundCube on my XS-HTTPD webserver. I don't need to run it in devel_mode anymore to make it run out of the box.

Attachments

roundcube-http-header.diff (2.1 kB) - added by EdSchouten 15 months ago.
Remove the entire HTTP header code.

Change History

Changed 15 months ago by EdSchouten

Remove the entire HTTP header code.

Changed 15 months ago by thomasb

  • status changed from new to closed
  • resolution set to invalid

This was added after an XSS report allowing GET requests (e.g. message listing) from another site by including something like <script src="http://roundcubeinstall/?_task=mail&_action=list&_mbox=INBOX&_remote=1"></script>

RoundCube is made to run on Apache webservers and we do not support other minimalistic HTTP servers.

Changed 15 months ago by EdSchouten

  • status changed from closed to reopened
  • resolution deleted

Which makes the current code malformed as well.

if (empty($CONFIG['devel_mode']) && !rc_request_header('X-RoundCube-Referer')) 

Nothing is done with the X-Roundcube-Referer header. It just checks if it's set. So XSS is still possible anyway. Just make your own JS that sets X-RoundCube-Referer = ILikePeanutButter and you can still obtain the data. As I said: Security through Obscurity.

Changed 15 months ago by thomasb

  • status changed from reopened to closed
  • resolution set to invalid

You're right that the submitted data is not checked, but please remember the fact that adding an extra header is only possible when using XMLHttpRequest, which is blocked for URLs to a foreign host. When including a script tag to a page from another domain, the browser will load the script (and send the session cookie) but it will not add the x-roundcube-referer header. This was just added to check if the request was really sent by a RoundCube client or not.
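As an added illustration (not RoundCube's own code), here is how a presence-only marker-header check of the kind thomasb describes can be written in PHP, reading the header the way CGI/FastCGI hands it to the script; the function names, the server-array parameter and the sample requests are assumptions made for this example.

```php
<?php
// Added example, not RoundCube's code. On CGI/FastCGI a request header
// "X-RoundCube-Referer" arrives as $_SERVER['HTTP_X_ROUNDCUBE_REFERER'];
// header names are case-insensitive on the wire, so the "X-Roundcube-Referer"
// spelling used in the thread maps to the same key.
function request_header(array $server, string $name): ?string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return isset($server[$key]) ? (string) $server[$key] : null;
}

// True when the request carries the marker header. Its value is deliberately
// ignored: the defence rests on the fact that a cross-site <script src="...">
// include sends the session cookie but cannot attach a custom header, while
// the real client (XMLHttpRequest from the same origin) can. The check has to
// guard every remote/JSON action (such as _action=list), not just one.
function looks_like_roundcube_client(array $server): bool
{
    return request_header($server, 'X-RoundCube-Referer') !== null;
}

// Constructed sample requests; the cookie name and value are made up.
$from_script_tag = [
    'REQUEST_URI' => '/?_task=mail&_action=list&_mbox=INBOX&_remote=1',
    'HTTP_COOKIE' => 'sessid=constructed-example',
];
$from_xhr = $from_script_tag + ['HTTP_X_ROUNDCUBE_REFERER' => 'any value'];

foreach (['script tag include' => $from_script_tag, 'XMLHttpRequest' => $from_xhr] as $label => $server) {
    echo $label, ': ',
        looks_like_roundcube_client($server) ? "serve the message list\n" : "reject (HTTP 403)\n";
}
```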
