From a5c03db798d258e776995ec7c860edc689acd3ee Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 18 Oct 2015 03:37:46 -0400
Subject: [PATCH] Security: Added options to validate username/password on logon (#1490500)

---
 program/include/rcmail.php |   24 +++++++++++++++++++++---
 1 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 81a1c81..d74b705 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -493,7 +493,7 @@
      *
      * @return boolean True on success, False on failure
      */
-    function login($username, $pass, $host = null, $cookiecheck = false)
+    function login($username, $password, $host = null, $cookiecheck = false)
     {
         $this->login_error = null;
 
@@ -506,10 +506,22 @@
             return false;
         }
 
+        $username_filter = $this->config->get('login_username_filter');
+        $username_maxlen = $this->config->get('login_username_maxlen', 1024);
+        $password_maxlen = $this->config->get('login_password_maxlen', 1024);
         $default_host    = $this->config->get('default_host');
         $default_port    = $this->config->get('default_port');
         $username_domain = $this->config->get('username_domain');
         $login_lc        = $this->config->get('login_lc', 2);
+
+        // check input for security (#1490500)
+        if (($username_maxlen && strlen($username) > $username_maxlen)
+            || ($username_filter && !preg_match($username_filter, $username))
+            || ($password_maxlen && strlen($password) > $password_maxlen)
+        ) {
+            $this->login_error = self::ERROR_INVALID_REQUEST;
+            return false;
+        }
 
         // host is validated in rcmail::autoselect_host(), so here
         // we'll only handle unset host (if possible)
@@ -595,7 +607,7 @@
         $storage = $this->get_storage();
 
         // try to log in
-        if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+        if (!$storage->connect($host, $username, $password, $port, $ssl)) {
             // Wait a second to slow down brute-force attacks (#1490549)
             sleep(1);
             return false;
@@ -643,7 +655,7 @@
             $_SESSION['storage_host'] = $host;
             $_SESSION['storage_port'] = $port;
             $_SESSION['storage_ssl']  = $ssl;
-            $_SESSION['password']     = $this->encrypt($pass);
+            $_SESSION['password']     = $this->encrypt($password);
             $_SESSION['login_time']   = time();
 
             if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@@ -1069,6 +1081,12 @@
 
         // failed login
         if ($failed_login) {
+            // don't fill the log with complete input, which could
+            // have been prepared by a hacker
+            if (strlen($user) > 256) {
+                $user = substr($user, 0, 256) . '...';
+            }
+
             $message = sprintf('Failed login for %s from %s in session %s (error: %d)',
                 $user, rcube_utils::remote_ip(), session_id(), $error_code);
         }

--
Gitblit v1.9.1