Roundcubemail devel
blame | history | patch | commit | commitdiff | ignore whitespace
Aleksander Machniak
2016-01-16 ed1d212ae2daea5e4bd043417610177093e99f19 
 program/include/rcmail.php


@@ -60,6 +60,7 @@


    const ERROR_INVALID_REQUEST  = 1;


    const ERROR_INVALID_HOST     = 2;


    const ERROR_COOKIES_DISABLED = 3;


    const ERROR_RATE_LIMIT       = 4;






    /**


@@ -493,7 +494,7 @@


     *


     * @return boolean True on success, False on failure


     */


    function login($username, $pass, $host = null, $cookiecheck = false)


    function login($username, $password, $host = null, $cookiecheck = false)


    {


        $this->login_error = null;




@@ -506,10 +507,22 @@


            return false;


        }




        $username_filter = $this->config->get('login_username_filter');


        $username_maxlen = $this->config->get('login_username_maxlen', 1024);


        $password_maxlen = $this->config->get('login_password_maxlen', 1024);


        $default_host    = $this->config->get('default_host');


        $default_port    = $this->config->get('default_port');


        $username_domain = $this->config->get('username_domain');


        $login_lc        = $this->config->get('login_lc', 2);




        // check input for security (#1490500)


        if (($username_maxlen && strlen($username) > $username_maxlen)


            || ($username_filter && !preg_match($username_filter, $username))


            || ($password_maxlen && strlen($password) > $password_maxlen)


        ) {


            $this->login_error = self::ERROR_INVALID_REQUEST;


            return false;


        }




        // host is validated in rcmail::autoselect_host(), so here


        // we'll only handle unset host (if possible)


@@ -590,12 +603,22 @@


        // user already registered -> overwrite username


        if ($user = rcube_user::query($username, $host)) {


            $username = $user->data['username'];




            // Brute-force prevention


            if ($user->is_locked()) {


                $this->login_error = self::ERROR_RATE_LIMIT;


                return false;


            }


        }




        $storage = $this->get_storage();




        // try to log in


        if (!$storage->connect($host, $username, $pass, $port, $ssl)) {


        if (!$storage->connect($host, $username, $password, $port, $ssl)) {


            if ($user) {


                $user->failed_login();


            }




            // Wait a second to slow down brute-force attacks (#1490549)


            sleep(1);


            return false;


@@ -643,7 +666,7 @@


            $_SESSION['storage_host'] = $host;


            $_SESSION['storage_port'] = $port;


            $_SESSION['storage_ssl']  = $ssl;


            $_SESSION['password']     = $this->encrypt($pass);


            $_SESSION['password']     = $this->encrypt($password);


            $_SESSION['login_time']   = time();




            if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {


@@ -1069,6 +1092,12 @@




        // failed login


        if ($failed_login) {


            // don't fill the log with complete input, which could


            // have been prepared by a hacker


            if (strlen($user) > 256) {


                $user = substr($user, 0, 256) . '...';


            }




            $message = sprintf('Failed login for %s from %s in session %s (error: %d)',


                $user, rcube_utils::remote_ip(), session_id(), $error_code);


        }


@@ -1866,6 +1895,8 @@


        $spelldict        = intval($this->config->get('spellcheck_dictionary'));


        $disabled_plugins = array();


        $disabled_buttons = array();


        $extra_plugins    = array();


        $extra_buttons    = array();




        if (!$spellcheck) {


            $disabled_plugins[] = 'spellchecker';


@@ -1875,6 +1906,8 @@


                'mode'             => $mode,


                'disabled_plugins' => $disabled_plugins,


                'disabled_buttons' => $disabled_buttons,


                'extra_plugins' => $extra_plugins,


                'extra_buttons' => $extra_buttons,


        ));




        if ($hook['abort']) {


@@ -1906,6 +1939,8 @@


            'spelldict'  => $spelldict,


            'disabled_plugins' => $hook['disabled_plugins'],


            'disabled_buttons' => $hook['disabled_buttons'],


            'extra_plugins'    => $hook['extra_plugins'],


            'extra_buttons'    => $hook['extra_buttons'],


        );




        $this->output->add_label('selectimage', 'addimage', 'selectmedia', 'addmedia');


@@ -2332,26 +2367,6 @@


        }




        return $options['body'];


    }






    /************************************************************************


     *********          Deprecated methods (to be removed)          *********


     ***********************************************************************/




    public static function setcookie($name, $value, $exp = 0)


    {


        rcube_utils::setcookie($name, $value, $exp);


    }




    public function imap_connect()


    {


        return $this->storage_connect();


    }




    public function imap_init()


    {


        return $this->storage_init();


    }




    /**