githubFork/roundcubemail.git

			@@ -60,6 +60,7 @@
			const ERROR_INVALID_REQUEST = 1;
			const ERROR_INVALID_HOST = 2;
			const ERROR_COOKIES_DISABLED = 3;
			const ERROR_RATE_LIMIT = 4;


			/**
			@@ -178,9 +179,11 @@
			// set localization
			setlocale(LC_ALL, $lang . '.utf8', $lang . '.UTF-8', 'en_US.utf8', 'en_US.UTF-8');

			// workaround for http://bugs.php.net/bug.php?id=18556
			if (PHP_VERSION_ID < 50500 && in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
			setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8');
			// Workaround for http://bugs.php.net/bug.php?id=18556
			// Also strtoupper/strtolower and other methods are locale-aware
			// for these locales it is problematic (#1490519)
			if (in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
			setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8', 'C');
			}
			}

			@@ -491,7 +494,7 @@
			*
			* @return boolean True on success, False on failure
			*/
			function login($username, $pass, $host = null, $cookiecheck = false)
			function login($username, $password, $host = null, $cookiecheck = false)
			{
			$this->login_error = null;

			@@ -504,10 +507,22 @@
			return false;
			}

			$username_filter = $this->config->get('login_username_filter');
			$username_maxlen = $this->config->get('login_username_maxlen', 1024);
			$password_maxlen = $this->config->get('login_password_maxlen', 1024);
			$default_host = $this->config->get('default_host');
			$default_port = $this->config->get('default_port');
			$username_domain = $this->config->get('username_domain');
			$login_lc = $this->config->get('login_lc', 2);

			// check input for security (#1490500)
			if (($username_maxlen && strlen($username) > $username_maxlen)
			\|\| ($username_filter && !preg_match($username_filter, $username))
			\|\| ($password_maxlen && strlen($password) > $password_maxlen)
			) {
			$this->login_error = self::ERROR_INVALID_REQUEST;
			return false;
			}

			// host is validated in rcmail::autoselect_host(), so here
			// we'll only handle unset host (if possible)
			@@ -588,12 +603,24 @@
			// user already registered -> overwrite username
			if ($user = rcube_user::query($username, $host)) {
			$username = $user->data['username'];

			// Brute-force prevention
			if ($user->is_locked()) {
			$this->login_error = self::ERROR_RATE_LIMIT;
			return false;
			}
			}

			$storage = $this->get_storage();

			// try to log in
			if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
			if (!$storage->connect($host, $username, $password, $port, $ssl)) {
			if ($user) {
			$user->failed_login();
			}

			// Wait a second to slow down brute-force attacks (#1490549)
			sleep(1);
			return false;
			}

			@@ -639,7 +666,7 @@
			$_SESSION['storage_host'] = $host;
			$_SESSION['storage_port'] = $port;
			$_SESSION['storage_ssl'] = $ssl;
			$_SESSION['password'] = $this->encrypt($pass);
			$_SESSION['password'] = $this->encrypt($password);
			$_SESSION['login_time'] = time();

			if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
			@@ -808,7 +835,7 @@

			// remove old token from the path
			$base_path = rtrim($base_path, '/');
			$base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path);
			$base_path = preg_replace('/\/[a-zA-Z0-9]{' . strlen($token) . '}$/', '', $base_path);

			// this need to be full url to make redirects work
			$absolute = true;
			@@ -1065,6 +1092,12 @@

			// failed login
			if ($failed_login) {
			// don't fill the log with complete input, which could
			// have been prepared by a hacker
			if (strlen($user) > 256) {
			$user = substr($user, 0, 256) . '...';
			}

			$message = sprintf('Failed login for %s from %s in session %s (error: %d)',
			$user, rcube_utils::remote_ip(), session_id(), $error_code);
			}
			@@ -1862,6 +1895,8 @@
			$spelldict = intval($this->config->get('spellcheck_dictionary'));
			$disabled_plugins = array();
			$disabled_buttons = array();
			$extra_plugins = array();
			$extra_buttons = array();

			if (!$spellcheck) {
			$disabled_plugins[] = 'spellchecker';
			@@ -1871,6 +1906,8 @@
			'mode' => $mode,
			'disabled_plugins' => $disabled_plugins,
			'disabled_buttons' => $disabled_buttons,
			'extra_plugins' => $extra_plugins,
			'extra_buttons' => $extra_buttons,
			));

			if ($hook['abort']) {
			@@ -1902,6 +1939,8 @@
			'spelldict' => $spelldict,
			'disabled_plugins' => $hook['disabled_plugins'],
			'disabled_buttons' => $hook['disabled_buttons'],
			'extra_plugins' => $hook['extra_plugins'],
			'extra_buttons' => $hook['extra_buttons'],
			);

			$this->output->add_label('selectimage', 'addimage', 'selectmedia', 'addmedia');
			@@ -2305,7 +2344,7 @@
			*
			* @return string Plain text
			*/
			public function html2text($html, $options)
			public function html2text($html, $options = array())
			{
			$default_options = array(
			'links' => true,
			@@ -2314,7 +2353,7 @@
			'charset' => RCUBE_CHARSET,
			);

			$options = array_merge($default_options, $options);
			$options = array_merge($default_options, (array) $options);

			// Plugins may want to modify HTML in another/additional way
			$options = $this->plugins->exec_hook('html2text', $options);
			@@ -2328,26 +2367,6 @@
			}

			return $options['body'];
			}


			/************************************************************************
			******* Deprecated methods (to be removed) *******
			***********************************************************************/

			public static function setcookie($name, $value, $exp = 0)
			{
			rcube_utils::setcookie($name, $value, $exp);
			}

			public function imap_connect()
			{
			return $this->storage_connect();
			}

			public function imap_init()
			{
			return $this->storage_init();
			}

			/**