Well, yesterday out of nothing my webmailer Roundcube started to refuse to work. At least as I remember it. For some reason reloading the Inbox just showed the "Loading…" message on the screen, but there was no list of mails anymore. Funnily enough, other folders do actually work as before. But anyway, doing an update did not help or improve anything. (I really don't know whether I updated before or after the first occurrence of this issue.)
There’s an entry in syslog when loading the Inbox folder:
Oct 26 07:24:59 muaddib suhosin: ALERT - Include filename ('http://www.gnu.org/s/hello/manual/automake/ ?.php') is an URL that is not allowed (attacker '127.0.0.1', file '/usr/share/roundcube/program/include/iniset.php', line 110)
This led to bug #1488086 in the Roundcube issue tracker, which states:
This message made me wonder why suhosin thinks there's an include going on. Line 111 of iniset.php shows:
It seems like Roundcube wants to include what is displayed in the subject, which happens to be a URL, and suhosin legitimately blocks this attempt.
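To make the mechanism concrete from the defender's side, here is an added example of the kind of autoloader check that would have stopped a string like the one in the syslog entry from ever reaching `include`. This is illustrative code written for this post, not Roundcube's own `iniset.php`; the class `StrictAutoloader`, the `lib/` directory layout and the sample class name `example_helper` are assumptions.

```php
<?php
// Added example, not Roundcube code: an autoloader that only accepts
// well-formed class names, so a URL or any other data-derived string that
// reaches the autoloader can never be turned into an include path.
// Assumed layout: each class lives under $baseDir as <ClassName>.php.

declare(strict_types=1);

final class StrictAutoloader
{
    // Letters, digits and underscores only: no slashes, dots, colons,
    // spaces or question marks, so "http://..." can never match.
    const CLASS_NAME_PATTERN = '/^[A-Za-z_][A-Za-z0-9_]*$/';

    /** @var string */
    private $baseDir;

    public function __construct(string $baseDir)
    {
        $this->baseDir = $baseDir;
    }

    /** True if $class is acceptable as a class name. */
    public function isValidClassName(string $class): bool
    {
        return preg_match(self::CLASS_NAME_PATTERN, $class) === 1;
    }

    /**
     * Map a class name to a file inside $baseDir, or return null if the
     * name is rejected or the resolved file lies outside $baseDir.
     */
    public function resolve(string $class): ?string
    {
        if (!$this->isValidClassName($class)) {
            // Log and refuse instead of handing the string to include().
            error_log('autoload: rejected class name ' . var_export($class, true));
            return null;
        }
        $baseReal = realpath($this->baseDir);
        if ($baseReal === false) {
            return null;
        }
        $file = realpath($baseReal . DIRECTORY_SEPARATOR . $class . '.php');
        // Belt and braces: the file must still be under the base directory.
        if ($file === false || strpos($file, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
        return $file;
    }

    public function load(string $class): void
    {
        $file = $this->resolve($class);
        if ($file !== null) {
            require_once $file;
        }
    }

    public function register(): void
    {
        spl_autoload_register([$this, 'load']);
    }
}

// Constructed inputs: a plausible class name and a URL-shaped string like
// the one from the syslog entry above.
$loader = new StrictAutoloader(__DIR__ . '/lib');
var_dump($loader->isValidClassName('example_helper'));
var_dump($loader->isValidClassName('http://www.gnu.org/s/hello/manual/automake/ ?'));
$loader->register();
```

The regular expression does the real work; the `realpath` check is a second line of defence against names that pass the pattern but resolve somewhere unexpected. Independently of suhosin, PHP's own `allow_url_include` directive (Off by default) refuses `http://` includes, so the suhosin alert in the log is the same class of check applied one layer earlier.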
In short, I can send an email to a user on a suhosin protected mail server and make his inbox unavailable. Needless to say, the user cannot delete this email himself via RoundCube. In my case, I had to delete the email file on the server to make roundcube show the inbox again.
In Debian there's bug #619411 that is related to the PATH setting in iniset.php, but I'm not sure if this is really related to #1488086 in the Roundcube issue tracker and my problem? However, disabling suhosin doesn't seem the right way to "solve" this issue, and the trac issue tracker suggests a security-related problem.
Anyway, I filed this as bug #646675 in Debian, waiting for the bug number. But when someone else knows some quick fixes or something I can try, please speak up! 🙂
UPDATE: It seems as if some mail triggered this issue, as reported in the Roundcube ticket. After filtering my mails with Iceweasel, I am able to read my Inbox again now.