From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
plugins/password/drivers/cpanel.php | 151 +++++++++++++++++++++-----------------------------
1 files changed, 63 insertions(+), 88 deletions(-)
diff --git a/plugins/password/drivers/cpanel.php b/plugins/password/drivers/cpanel.php
index 7988710..9446fde 100644
--- a/plugins/password/drivers/cpanel.php
+++ b/plugins/password/drivers/cpanel.php
@@ -4,113 +4,88 @@
* cPanel Password Driver
*
* Driver that adds functionality to change the users cPanel password.
- * The cPanel PHP API code has been taken from: http://www.phpclasses.org/browse/package/3534.html
+ * Originally written by Fulvio Venturelli <fulvio@venturelli.org>
*
- * This driver has been tested with Hostmonster hosting and seems to work fine.
+ * Completely rewritten using the cPanel API2 call Email::passwdpop
+ * as opposed to the original coding against the UI, which is a fragile method that
+ * makes the driver to always return a failure message for any language other than English
+ * see http://trac.roundcube.net/ticket/1487015
*
- * @version 2.0
- * @author Fulvio Venturelli <fulvio@venturelli.org>
+ * This driver has been tested with o2switch hosting and seems to work fine.
+ *
+ * @version 3.0
+ * @author Christian Chech <christian@chech.fr>
+ *
+ * Copyright (C) 2005-2013, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
*/
class rcube_cpanel_password
{
public function save($curpas, $newpass)
{
+ require_once 'xmlapi.php';
+
$rcmail = rcmail::get_instance();
- // Create a cPanel email object
- $cPanel = new emailAccount($rcmail->config->get('password_cpanel_host'),
- $rcmail->config->get('password_cpanel_username'),
- $rcmail->config->get('password_cpanel_password'),
- $rcmail->config->get('password_cpanel_port'),
- $rcmail->config->get('password_cpanel_ssl'),
- $rcmail->config->get('password_cpanel_theme'),
- $_SESSION['username'] );
+ $this->cuser = $rcmail->config->get('password_cpanel_username');
- if ($cPanel->setPassword($newpass)) {
- return PASSWORD_SUCCESS;
- }
- else {
- return PASSWORD_ERROR;
- }
- }
-}
+ // Setup the xmlapi connection
+ $this->xmlapi = new xmlapi($rcmail->config->get('password_cpanel_host'));
+ $this->xmlapi->set_port($rcmail->config->get('password_cpanel_port'));
+ $this->xmlapi->password_auth($this->cuser, $rcmail->config->get('password_cpanel_password'));
+ $this->xmlapi->set_output('json');
+ $this->xmlapi->set_debug(0);
-
-class HTTP
-{
- function HTTP($host, $username, $password, $port, $ssl, $theme)
- {
- $this->ssl = $ssl ? 'ssl://' : '';
- $this->username = $username;
- $this->password = $password;
- $this->theme = $theme;
- $this->auth = base64_encode($username . ':' . $password);
- $this->port = $port;
- $this->host = $host;
- $this->path = '/frontend/' . $theme . '/';
- }
-
- function getData($url, $data = '')
- {
- $url = $this->path . $url;
- if (is_array($data)) {
- $url = $url . '?';
- foreach ($data as $key => $value) {
- $url .= urlencode($key) . '=' . urlencode($value) . '&';
- }
- $url = substr($url, 0, -1);
- }
-
- $response = '';
- $fp = fsockopen($this->ssl . $this->host, $this->port);
- if (!$fp) {
- return false;
- }
-
- $out = 'GET ' . $url . ' HTTP/1.0' . "\r\n";
- $out .= 'Authorization: Basic ' . $this->auth . "\r\n";
- $out .= 'Connection: Close' . "\r\n\r\n";
- fwrite($fp, $out);
- while (!feof($fp)) {
- $response .= @fgets($fp);
- }
- fclose($fp);
- return $response;
- }
-}
-
-
-class emailAccount
-{
- function emailAccount($host, $username, $password, $port, $ssl, $theme, $address)
- {
- $this->HTTP = new HTTP($host, $username, $password, $port, $ssl, $theme);
- if (strpos($address, '@')) {
- list($this->email, $this->domain) = explode('@', $address);
- }
- else {
- list($this->email, $this->domain) = array($address, '');
- }
+ return $this->setPassword($_SESSION['username'], $newpass);
}
/**
* Change email account password
*
- * Returns true on success or false on failure.
- * @param string $password email account password
- * @return bool
+ * @param string $address Email address/username
+ * @param string $password Email account password
+ *
+ * @return int|array Operation status
*/
- function setPassword($password)
+ function setPassword($address, $password)
{
- $data['email'] = $this->email;
- $data['domain'] = $this->domain;
- $data['password'] = $password;
- $response = $this->HTTP->getData('mail/dopasswdpop.html', $data);
-
- if (strpos($response, 'success') && !strpos($response, 'failure')) {
- return true;
+ if (strpos($address, '@')) {
+ list($data['email'], $data['domain']) = explode('@', $address);
}
- return false;
+ else {
+ list($data['email'], $data['domain']) = array($address, '');
+ }
+
+ $data['password'] = $password;
+
+ $query = $this->xmlapi->api2_query($this->cuser, 'Email', 'passwdpop', $data);
+ $query = json_decode($query, true);
+ $result = $query['cpanelresult']['data'][0];
+
+ if ($result['result'] == 1) {
+ return PASSWORD_SUCCESS;
+ }
+
+ if ($result['reason']) {
+ return array(
+ 'code' => PASSWORD_ERROR,
+ 'message' => $result['reason'],
+ );
+ }
+
+ return PASSWORD_ERROR;
}
}
--
Gitblit v1.9.1