Re: Squirrelmail is too security conscious

On Wed, November 14, 2018 00:07, Paul Lesniewski wrote:
>
>
> On 2018年10月31日 10:06, James B. Byrne via squirrelmail-users wrote:
>>
>>
>> On Wed, October 31, 2018 11:45, James B. Byrne via squirrelmail-users wrote:
>>> This is ridiculous.  I cannot compose a message of any reasonable
>>> length in a separate window in SM without getting a security error
>>> when I try and send.
>>>
>>> SquirrelMail version 1.4.23 [SVN]
>>> By the SquirrelMail Project Team
>>> ERROR
>>> The current page request appears to have originated from an
>>> untrusted source.
>>> Go to the login page
>>>
>>>
>>> When I try to recover the message contents and go back to the
>>> previous page I get this:
>>>
>>> Document Expired
>>>
>>> This document is no longer available.
>>>
>>> The requested document is not available in Firefox’s cache.
>>>
>>>     As a security precaution, Firefox does not automatically
>>> re-request sensitive documents.
>>>     Click Try Again to re-request the document from the website.
>>>
>>> Where is this 'FEATURE' configured and how do I turn it off?
>>>
>>>
>>>
>>
>> These are all the places that the error message is set:
>>
>> find /usr/local/www/squirrelmail/ | xargs grep -in 'untrusted source'
>>
>> /usr/local/www/squirrelmail/plugins/compatibility/includes/1.5.2/global.php:1287:      logout_error(_("The current page request appears to have originated from an untrusted source."));
>>
>> /usr/local/www/squirrelmail/po/squirrelmail.pot:1479:"The current page request appears to have originated from an untrusted source."
>>
>> /usr/local/www/squirrelmail/functions/strings.php:1473: logout_error(_("The current page request appears to have originated from an untrusted source."));
>
> Along with checking what the server's PHP session lifetime is, you can
> consider updating to a more recent snapshot of SquirrelMail, which has
> been changed to allow per-session anti-CSRF security tokens.  Also,
> the Quicksave plugin will help in such situations, since it saves the
> text of unsent messages (and a new version is upcoming with greater
> storage capacity).
>

Thank you Paul.

The problem did not originate in SM at all.  A user on the FreeBSD
mailing list twigged me to the real cause in the default configuration
for the Apache-2.4 httpd as shipped with FreeBSD.  There were no
session modules loaded, which of course prevented authentication from
working if one took more than ~30 seconds on average to answer.

I thought that I had posted this resolution to the SM list but I must
have overlooked that.

Thank you for your help.

Regards,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users



