From 8a535889403aa6820ffe9925d4d50fdee05d2cc0 Mon Sep 17 00:00:00 2001
From: Francis Russell <francis@unchartedbackwaters.co.uk>
Date: Thu, 14 Jan 2016 06:48:01 -0500
Subject: [PATCH] Make TLS method for IMAP parameterisable.
---
program/lib/Roundcube/rcube.php | 238 +++++++++++++++++++++++++++++++++++++++++++++++------------
1 files changed, 188 insertions(+), 50 deletions(-)
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index eedc46c..13356f2 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -28,8 +28,14 @@
*/
class rcube
{
- const INIT_WITH_DB = 1;
+ // Init options
+ const INIT_WITH_DB = 1;
const INIT_WITH_PLUGINS = 2;
+
+ // Request status
+ const REQUEST_VALID = 0;
+ const REQUEST_ERROR_URL = 1;
+ const REQUEST_ERROR_TOKEN = 2;
/**
* Singleton instace of rcube
@@ -101,6 +107,12 @@
*/
public $user;
+ /**
+ * Request status
+ *
+ * @var int
+ */
+ public $request_status = 0;
/* private/protected vars */
protected $texts;
@@ -203,7 +215,10 @@
$this->mc_available = 0;
// add all configured hosts to pool
- $pconnect = $this->config->get('memcache_pconnect', true);
+ $pconnect = $this->config->get('memcache_pconnect', true);
+ $timeout = $this->config->get('memcache_timeout', 1);
+ $retry_interval = $this->config->get('memcache_retry_interval', 15);
+
foreach ($this->config->get('memcache_hosts', array()) as $host) {
if (substr($host, 0, 7) != 'unix://') {
list($host, $port) = explode(':', $host);
@@ -214,7 +229,7 @@
}
$this->mc_available += intval($this->memcache->addServer(
- $host, $port, $pconnect, 1, 1, 15, false, array($this, 'memcache_failure')));
+ $host, $port, $pconnect, 1, $timeout, $retry_interval, false, array($this, 'memcache_failure')));
}
// test connection and failover (will result in $this->mc_available == 0 on complete failure)
@@ -509,8 +524,13 @@
// use database for storing session data
$this->session = new rcube_session($this->get_dbh(), $this->config);
+ $path = $_SERVER['SCRIPT_NAME'];
+ if (strpos($path, '://')) {
+ $path = parse_url($path, PHP_URL_PATH); // #1490582
+ }
+
$this->session->register_gc_handler(array($this, 'gc'));
- $this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
+ $this->session->set_secret($this->config->get('des_key') . dirname($path));
$this->session->set_ip_check($this->config->get('ip_check'));
if ($this->config->get('session_auth_name')) {
@@ -842,6 +862,7 @@
* upon decryption; see http://php.net/mcrypt_generic#68082
*/
$clear = pack("a*H2", $clear, "80");
+ $ckey = $this->config->get_crypto_key($key);
if (function_exists('openssl_encrypt')) {
$method = 'DES-EDE3-CBC';
@@ -853,7 +874,7 @@
($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, ""))
) {
$iv = $this->create_iv(mcrypt_enc_get_iv_size($td));
- mcrypt_generic_init($td, $this->config->get_crypto_key($key), $iv);
+ mcrypt_generic_init($td, $ckey, $iv);
$cipher = $iv . mcrypt_generic($td, $clear);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
@@ -864,7 +885,7 @@
if (function_exists('des')) {
$des_iv_size = 8;
$iv = $this->create_iv($des_iv_size);
- $cipher = $iv . des($this->config->get_crypto_key($key), $clear, 1, 1, $iv);
+ $cipher = $iv . des($ckey, $clear, 1, 1, $iv);
}
else {
self::raise_error(array(
@@ -895,6 +916,7 @@
}
$cipher = $base64 ? base64_decode($cipher) : $cipher;
+ $ckey = $this->config->get_crypto_key($key);
if (function_exists('openssl_decrypt')) {
$method = 'DES-EDE3-CBC';
@@ -914,7 +936,7 @@
($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, ""))
) {
$iv_size = mcrypt_enc_get_iv_size($td);
- $iv = substr($cipher, 0, $iv_size);
+ $iv = substr($cipher, 0, $iv_size);
// session corruption? (#1485970)
if (strlen($iv) < $iv_size) {
@@ -922,7 +944,7 @@
}
$cipher = substr($cipher, $iv_size);
- mcrypt_generic_init($td, $this->config->get_crypto_key($key), $iv);
+ mcrypt_generic_init($td, $ckey, $iv);
$clear = mdecrypt_generic($td, $cipher);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
@@ -932,15 +954,15 @@
if (function_exists('des')) {
$des_iv_size = 8;
- $iv = substr($cipher, 0, $des_iv_size);
+ $iv = substr($cipher, 0, $des_iv_size);
$cipher = substr($cipher, $des_iv_size);
- $clear = des($this->config->get_crypto_key($key), $cipher, 0, 1, $iv);
+ $clear = des($ckey, $cipher, 0, 1, $iv);
}
else {
self::raise_error(array(
'code' => 500, 'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Could not perform decryption; make sure Mcrypt is installed or lib/des.inc is available"
+ 'message' => "Could not perform decryption; make sure OpenSSL or Mcrypt or lib/des.inc is available"
), true, true);
}
}
@@ -972,6 +994,102 @@
}
return $iv;
+ }
+
+
+ /**
+ * Returns session token for secure URLs
+ *
+ * @param bool $generate Generate token if not exists in session yet
+ *
+ * @return string|bool Token string, False when disabled
+ */
+ public function get_secure_url_token($generate = false)
+ {
+ if ($len = $this->config->get('use_secure_urls')) {
+ if (empty($_SESSION['secure_token']) && $generate) {
+ // generate x characters long token
+ $length = $len > 1 ? $len : 16;
+ $token = rcube_utils::random_bytes($length);
+
+ $plugin = $this->plugins->exec_hook('secure_token',
+ array('value' => $token, 'length' => $length));
+
+ $_SESSION['secure_token'] = $plugin['value'];
+ }
+
+ return $_SESSION['secure_token'];
+ }
+
+ return false;
+ }
+
+
+ /**
+ * Generate a unique token to be used in a form request
+ *
+ * @return string The request token
+ */
+ public function get_request_token()
+ {
+ if (empty($_SESSION['request_token'])) {
+ $plugin = $this->plugins->exec_hook('request_token', array(
+ 'value' => rcube_utils::random_bytes(32)));
+
+ $_SESSION['request_token'] = $plugin['value'];
+ }
+
+ return $_SESSION['request_token'];
+ }
+
+
+ /**
+ * Check if the current request contains a valid token.
+ * Empty requests aren't checked until use_secure_urls is set.
+ *
+ * @param int Request method
+ *
+ * @return boolean True if request token is valid false if not
+ */
+ public function check_request($mode = rcube_utils::INPUT_POST)
+ {
+ // check secure token in URL if enabled
+ if ($token = $this->get_secure_url_token()) {
+ foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
+ if ($tok == $token) {
+ return true;
+ }
+ }
+
+ $this->request_status = self::REQUEST_ERROR_URL;
+
+ return false;
+ }
+
+ $sess_tok = $this->get_request_token();
+
+ // ajax requests
+ if (rcube_utils::request_header('X-Roundcube-Request') == $sess_tok) {
+ return true;
+ }
+
+ // skip empty requests
+ if (($mode == rcube_utils::INPUT_POST && empty($_POST))
+ || ($mode == rcube_utils::INPUT_GET && empty($_GET))
+ ) {
+ return true;
+ }
+
+ // default method of securing requests
+ $token = rcube_utils::get_input_value('_token', $mode);
+ $sess_id = $_COOKIE[ini_get('session.name')];
+
+ if (empty($sess_id) || $token != $sess_tok) {
+ $this->request_status = self::REQUEST_ERROR_TOKEN;
+ return false;
+ }
+
+ return true;
}
@@ -1280,6 +1398,9 @@
exit(1);
}
+ else if ($cli) {
+ fwrite(STDERR, 'ERROR: ' . $arg['message']);
+ }
}
@@ -1546,32 +1667,30 @@
// send thru SMTP server using custom SMTP library
if ($this->config->get('smtp_server')) {
// generate list of recipients
- $a_recipients = array($mailto);
+ $a_recipients = (array) $mailto;
if (strlen($headers['Cc']))
$a_recipients[] = $headers['Cc'];
if (strlen($headers['Bcc']))
$a_recipients[] = $headers['Bcc'];
- // clean Bcc from header for recipients
- $send_headers = $headers;
- unset($send_headers['Bcc']);
- // here too, it because txtHeaders() below use $message->_headers not only $send_headers
- unset($message->_headers['Bcc']);
-
- $smtp_headers = $message->txtHeaders($send_headers, true);
+ // remove Bcc header and get the whole head of the message as string
+ $smtp_headers = $this->message_head($message, array('Bcc'));
if ($message->getParam('delay_file_io')) {
// use common temp dir
- $temp_dir = $this->config->get('temp_dir');
- $body_file = tempnam($temp_dir, 'rcmMsg');
- if (PEAR::isError($mime_result = $message->saveMessageBody($body_file))) {
+ $temp_dir = $this->config->get('temp_dir');
+ $body_file = tempnam($temp_dir, 'rcmMsg');
+ $mime_result = $message->saveMessageBody($body_file);
+
+ if (is_a($mime_result, 'PEAR_Error')) {
self::raise_error(array('code' => 650, 'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Could not create message: ".$mime_result->getMessage()),
- TRUE, FALSE);
+ true, false);
return false;
}
+
$msg_body = fopen($body_file, 'r');
}
else {
@@ -1591,39 +1710,33 @@
if (!$sent) {
self::raise_error(array('code' => 800, 'type' => 'smtp',
'line' => __LINE__, 'file' => __FILE__,
- 'message' => "SMTP error: ".join("\n", $response)), TRUE, FALSE);
+ 'message' => join("\n", $response)), true, false);
}
}
// send mail using PHP's mail() function
else {
- // unset some headers because they will be added by the mail() function
- $headers_enc = $message->headers($headers);
- $headers_php = $message->_headers;
- unset($headers_php['To'], $headers_php['Subject']);
-
- // reset stored headers and overwrite
- $message->_headers = array();
- $header_str = $message->txtHeaders($headers_php);
+ // unset To,Subject headers because they will be added by the mail() function
+ $header_str = $this->message_head($message, array('To', 'Subject'));
// #1485779
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
- if (preg_match_all('/<([^@]+@[^>]+)>/', $headers_enc['To'], $m)) {
- $headers_enc['To'] = implode(', ', $m[1]);
+ if (preg_match_all('/<([^@]+@[^>]+)>/', $headers['To'], $m)) {
+ $headers['To'] = implode(', ', $m[1]);
}
}
$msg_body = $message->get();
- if (PEAR::isError($msg_body)) {
+ if (is_a($msg_body, 'PEAR_Error')) {
self::raise_error(array('code' => 650, 'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Could not create message: ".$msg_body->getMessage()),
- TRUE, FALSE);
+ true, false);
}
else {
$delim = $this->config->header_delimiter();
- $to = $headers_enc['To'];
- $subject = $headers_enc['Subject'];
+ $to = $headers['To'];
+ $subject = $headers['Subject'];
$header_str = rtrim($header_str);
if ($delim != "\r\n") {
@@ -1646,19 +1759,24 @@
// remove MDN headers after sending
unset($headers['Return-Receipt-To'], $headers['Disposition-Notification-To']);
- // get all recipients
- if ($headers['Cc'])
- $mailto .= $headers['Cc'];
- if ($headers['Bcc'])
- $mailto .= $headers['Bcc'];
- if (preg_match_all('/<([^@]+@[^>]+)>/', $mailto, $m))
- $mailto = implode(', ', array_unique($m[1]));
-
if ($this->config->get('smtp_log')) {
+ // get all recipient addresses
+ if (is_array($mailto)) {
+ $mailto = implode(',', $mailto);
+ }
+ if ($headers['Cc']) {
+ $mailto .= ',' . $headers['Cc'];
+ }
+ if ($headers['Bcc']) {
+ $mailto .= ',' . $headers['Bcc'];
+ }
+
+ $mailto = rcube_mime::decode_address_list($mailto, null, false, null, true);
+
self::write_log('sendmail', sprintf("User %s [%s]; Message for %s; %s",
$this->user->get_username(),
- $_SERVER['REMOTE_ADDR'],
- $mailto,
+ rcube_utils::remote_addr(),
+ implode(', ', $mailto),
!empty($response) ? join('; ', $response) : ''));
}
}
@@ -1671,12 +1789,32 @@
fclose($msg_body);
}
- $message->_headers = array();
- $message->headers($headers);
+ $message->headers($headers, true);
return $sent;
}
+ /**
+ * Return message headers as a string
+ */
+ protected function message_head($message, $unset = array())
+ {
+ // Mail_mime >= 1.9.0
+ if (method_exists($message, 'isMultipart')) {
+ foreach ($unset as $header) {
+ $headers[$header] = null;
+ }
+ }
+ else {
+ $headers = $message->headers();
+ foreach ($unset as $header) {
+ unset($headers[$header]);
+ }
+ $message->_headers = array();
+ }
+
+ return $message->txtHeaders($headers, true);
+ }
}
--
Gitblit v1.9.1