From bac7d1742d45f256ded98656482ec9995e1c330a Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Tue, 18 Jul 2006 17:02:43 -0400
Subject: [PATCH] Fixed bugs #1364122, #1468895, ticket #1483811 and other minor bugs
---
CHANGELOG | 9 +++
index.php | 28 +++++----
program/include/rcube_shared.inc | 17 +++++
program/include/main.inc | 59 +++++++++++++++----
program/steps/mail/func.inc | 6 +-
config/main.inc.php.dist | 5 +
.htaccess | 2
program/include/rcube_imap.inc | 4
8 files changed, 98 insertions(+), 32 deletions(-)
diff --git a/.htaccess b/.htaccess
index 31495a4..9474105 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,7 @@
# AddDefaultCharset UTF-8
php_flag display_errors Off
+php_flag log_errors On
+php_value error_log logs/errors
php_value upload_max_filesize 2M
<FilesMatch "(\.inc|\~)$|^_">
diff --git a/CHANGELOG b/CHANGELOG
index 0e0b360..18349ad 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,15 @@
CHANGELOG RoundCube Webmail
---------------------------
+2006/07/18
+----------
+- Fixed password with spaces issue (Bug #1364122)
+- Replaced _auth hash with second cookie (Ticket #1483811)
+- Don't use get_input_value() for passwords (Bug #1468895)
+- Made password encryption key configurable
+- Minor bugfixes with charset encoding
+
+
2006/07/07
----------
- Fixed INSTALL_PATH bug #1425663
diff --git a/config/main.inc.php.dist b/config/main.inc.php.dist
index ce05d80..f679d10 100644
--- a/config/main.inc.php.dist
+++ b/config/main.inc.php.dist
@@ -99,6 +99,11 @@
// check client IP in session athorization
$rcmail_config['ip_check'] = TRUE;
+// this key is used to encrypt the users imap password which is stored
+// in the session record (and the client cookie if remember password is enabled).
+// please provide a string of exactly 24 chars.
+$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';
+
// the default locale setting
$rcmail_config['locale_string'] = 'en';
diff --git a/index.php b/index.php
index 33f28c0..9668d52 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
/*
+-----------------------------------------------------------------------+
| RoundCube Webmail IMAP Client |
- | Version 0.1-20060505 |
+ | Version 0.1-20060718 |
| |
| Copyright (C) 2005, RoundCube Dev. - Switzerland |
| Licensed under the GNU GPL |
@@ -40,7 +40,7 @@
*/
-define('RCMAIL_VERSION', '0.1-20060707');
+define('RCMAIL_VERSION', '0.1-20060718');
// define global vars
$CHARSET = 'UTF-8';
@@ -53,7 +53,13 @@
$INSTALL_PATH = './';
else
$INSTALL_PATH .= '/';
-
+
+
+// make sure path_separator is defined
+if (!defined('PATH_SEPARATOR'))
+ define('PATH_SEPARATOR', (eregi('win', PHP_OS) ? ';' : ':'));
+
+
// RC include folders MUST be included FIRST to avoid other
// possible not compatible libraries (i.e PEAR) to be included
// instead the ones provided by RC
@@ -89,7 +95,7 @@
// catch some url/post parameters
-$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
+//$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
$_task = get_input_value('_task', RCUBE_INPUT_GPC);
$_action = get_input_value('_action', RCUBE_INPUT_GPC);
$_framed = (!empty($_GET['_framed']) || !empty($_POST['_framed']));
@@ -104,8 +110,8 @@
rcmail_startup($_task);
// set session related variables
-$COMM_PATH = sprintf('./?_auth=%s&_task=%s', $sess_auth, $_task);
-$SESS_HIDDEN_FIELD = sprintf('<input type="hidden" name="_auth" value="%s" />', $sess_auth);
+$COMM_PATH = sprintf('./?_task=%s', $_task);
+$SESS_HIDDEN_FIELD = '';
// add framed parameter
@@ -146,9 +152,7 @@
show_message("cookiesdisabled", 'warning');
}
else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
- rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
- get_input_value('_pass', RCUBE_INPUT_POST),
- $host))
+ rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), $_POST['_pass'], $host))
{
// send redirect
header("Location: $COMM_PATH");
@@ -168,10 +172,10 @@
rcmail_kill_session();
}
-// check session cookie and auth string
-else if ($_action!='login' && $sess_auth && $_SESSION['user_id'])
+// check session and auth cookie
+else if ($_action!='login' && $_SESSION['user_id'])
{
- if ($_auth !== $sess_auth || $_auth != rcmail_auth_hash($_SESSION['client_id'], $_SESSION['auth_time']) ||
+ if (!rcmail_authenticate_session() ||
($CONFIG['session_lifetime'] && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
{
$message = show_message('sessionerror', 'error');
diff --git a/program/include/main.inc b/program/include/main.inc
index cc019af..34e21c2 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -46,7 +46,7 @@
// load host-specific configuration
rcmail_load_host_config($CONFIG);
- $CONFIG['skin_path'] = $CONFIG['skin_path'] ? preg_replace('/\/$/', '', $CONFIG['skin_path']) : 'skins/default';
+ $CONFIG['skin_path'] = $CONFIG['skin_path'] ? unslashify($CONFIG['skin_path']) : 'skins/default';
// load db conf
include_once('config/db.inc.php');
@@ -55,7 +55,7 @@
if (empty($CONFIG['log_dir']))
$CONFIG['log_dir'] = $INSTALL_PATH.'logs';
else
- $CONFIG['log_dir'] = ereg_replace('\/$', '', $CONFIG['log_dir']);
+ $CONFIG['log_dir'] = unslashify($CONFIG['log_dir']);
// set PHP error logging according to config
if ($CONFIG['debug_level'] & 1)
@@ -67,7 +67,8 @@
ini_set('display_errors', 1);
else
ini_set('display_errors', 0);
-
+
+
// set session garbage collecting time according to session_lifetime
if (!empty($CONFIG['session_lifetime']))
ini_set('session.gc_maxlifetime', ($CONFIG['session_lifetime']+2)*60);
@@ -81,7 +82,6 @@
$DB->db_connect('w');
// we can use the database for storing session data
- // session queries do not work with MDB2
if (!$DB->is_error())
include_once('include/session.inc');
@@ -90,17 +90,14 @@
$sess_id = session_id();
// create session and set session vars
- if (!$_SESSION['client_id'])
+ if (!isset($_SESSION['auth_time']))
{
- $_SESSION['client_id'] = $sess_id;
$_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']);
$_SESSION['auth_time'] = mktime();
- $_SESSION['auth'] = rcmail_auth_hash($sess_id, $_SESSION['auth_time']);
- unset($GLOBALS['_auth']);
+ setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time']));
}
// set session vars global
- $sess_auth = $_SESSION['auth'];
$sess_user_lang = rcube_language_prop($_SESSION['user_lang']);
@@ -148,7 +145,7 @@
$config = array_merge($config, $rcmail_config);
}
}
-
+
// create authorization hash
function rcmail_auth_hash($sess_id, $ts)
@@ -167,6 +164,22 @@
return md5($auth_string);
}
+
+// compare the auth hash sent by the client with the local session credentials
+function rcmail_authenticate_session()
+ {
+ $now = mktime();
+ $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']));
+
+ // renew auth cookie every 5 minutes
+ if (!$valid || ($now-$_SESSION['auth_time'] > 300))
+ {
+ $_SESSION['auth_time'] = $now;
+ setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
+ }
+
+ return $valid;
+ }
// create IMAP object and connect to server
@@ -718,17 +731,35 @@
}
+// encrypt IMAP password using DES encryption
function encrypt_passwd($pass)
{
- $cypher = des('rcmail?24BitPwDkeyF**ECB', $pass, 1, 0, NULL);
+ $cypher = des(get_des_key(), $pass, 1, 0, NULL);
return base64_encode($cypher);
}
+// decrypt IMAP password using DES encryption
function decrypt_passwd($cypher)
{
- $pass = des('rcmail?24BitPwDkeyF**ECB', base64_decode($cypher), 0, 0, NULL);
- return trim($pass);
+ $pass = des(get_des_key(), base64_decode($cypher), 0, 0, NULL);
+ return preg_replace('/\x00/', '', $pass);
+ }
+
+
+// return a 24 byte key for the DES encryption
+function get_des_key()
+ {
+ $key = !empty($GLOBALS['CONFIG']['des_key']) ? $GLOBALS['CONFIG']['des_key'] : 'rcmail?24BitPwDkeyF**ECB';
+ $len = strlen($key);
+
+ // make sure the key is exactly 24 chars long
+ if ($len<24)
+ $key .= str_repeat('_', 24-$len);
+ else if ($len>24)
+ substr($key, 0, 24);
+
+ return $key;
}
@@ -802,7 +833,7 @@
{
global $CONFIG;
- $temp_dir = $CONFIG['temp_dir'].(!eregi('\/$', $CONFIG['temp_dir']) ? '/' : '');
+ $temp_dir = slashify($CONFIG['temp_dir']);
$cache_dir = $temp_dir.$sess_id;
if (is_dir($cache_dir))
diff --git a/program/include/rcube_imap.inc b/program/include/rcube_imap.inc
index bb31464..bc12eac 100644
--- a/program/include/rcube_imap.inc
+++ b/program/include/rcube_imap.inc
@@ -1732,7 +1732,7 @@
*
* @access static
*/
- function decode_mime_string($input)
+ function decode_mime_string($input, $recursive=false)
{
$out = '';
@@ -1753,7 +1753,7 @@
return $out;
}
-
+
// no encoding information, defaults to what is specified in the class header
return rcube_charset_convert($input, 'ISO-8859-1');
}
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index fe1a560..8f4efdb 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -1334,7 +1334,8 @@
}
-
+// replace the middle part of a string with ...
+// if it is longer than the allowed length
function abbrevate_string($str, $maxlength, $place_holder='...')
{
$length = strlen($str);
@@ -1350,6 +1351,20 @@
}
+// make sure the string ends with a slash
+function slashify($str)
+ {
+ return unslashify($str).'/';
+ }
+
+
+// remove slash at the end of the string
+function unslashify($str)
+ {
+ return preg_replace('/\/$/', '', $str);
+ }
+
+
// delete all files within a folder
function clear_directory($dir_path)
{
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 261cbdd..376c0bf 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -214,7 +214,7 @@
else if ($folder['id']==$CONFIG['junk_mbox'])
$class_name = 'junk';
- $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'.
+ $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'.
' onclick="return %s.command(\'list\',\'%s\')"'.
' onmouseup="return %s.mbox_mouse_up(\'%s\')"%s>%s</a>',
$folder_css,
@@ -437,7 +437,7 @@
{
$cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
// firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
- $cont .= sprintf('<img src="%s%s" height="11" width="1000">', $skin_path, "/images/cleardot.png");
+ $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
}
else if ($col=='size')
$cont = show_bytes($header->$col);
@@ -1017,7 +1017,7 @@
if ($hkey=='date' && !empty($headers[$hkey]))
$header_value = format_date(strtotime($headers[$hkey]));
else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
- $header_value = rep_specialchars_output(rcmail_address_string($IMAP->decode_header($headers[$hkey]), NULL, $attrib['addicon']));
+ $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
else
$header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
--
Gitblit v1.9.1