From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
plugins/password/drivers/domainfactory.php | 139 +++++++++++++++++++++++++---------------------
1 files changed, 76 insertions(+), 63 deletions(-)
diff --git a/plugins/password/drivers/domainfactory.php b/plugins/password/drivers/domainfactory.php
index e253faa..95088e9 100644
--- a/plugins/password/drivers/domainfactory.php
+++ b/plugins/password/drivers/domainfactory.php
@@ -10,78 +10,91 @@
* @author Till Krüss <me@tillkruess.com>
* @link http://tillkruess.com/projects/roundcube/
*
+ * Copyright (C) 2005-2014, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
*/
class rcube_domainfactory_password
{
- function save($curpass, $passwd)
- {
- $rcmail = rcmail::get_instance();
+ function save($curpass, $passwd)
+ {
+ $rcmail = rcmail::get_instance();
- if (is_null($curpass)) {
- $curpass = $rcmail->decrypt($_SESSION['password']);
- }
+ if (is_null($curpass)) {
+ $curpass = $rcmail->decrypt($_SESSION['password']);
+ }
- if ($ch = curl_init()) {
+ if ($ch = curl_init()) {
+ // initial login
+ curl_setopt_array($ch, array(
+ CURLOPT_RETURNTRANSFER => true,
+ CURLOPT_URL => 'https://ssl.df.eu/chmail.php',
+ CURLOPT_POST => true,
+ CURLOPT_POSTFIELDS => http_build_query(array(
+ 'login' => $rcmail->user->get_username(),
+ 'pwd' => $curpass,
+ 'action' => 'change'
+ ))
+ ));
- // initial login
- curl_setopt_array($ch, array(
- CURLOPT_RETURNTRANSFER => true,
- CURLOPT_URL => 'https://ssl.df.eu/chmail.php',
- CURLOPT_POST => true,
- CURLOPT_POSTFIELDS => array(
- 'login' => $rcmail->user->get_username(),
- 'pwd' => $curpass,
- 'action' => 'change'
- )
- ));
+ if ($result = curl_exec($ch)) {
+ // login successful, get token!
+ $postfields = array(
+ 'pwd1' => $passwd,
+ 'pwd2' => $passwd,
+ 'action[update]' => 'Speichern'
+ );
- if ($result = curl_exec($ch)) {
- // login successful, get token!
- $postfields = array(
- 'pwd1' => $passwd,
- 'pwd2' => $passwd,
- 'action[update]' => 'Speichern'
- );
+ preg_match_all('~<input name="(.+?)" type="hidden" value="(.+?)">~i', $result, $fields);
+ foreach ($fields[1] as $field_key => $field_name) {
+ $postfields[$field_name] = $fields[2][$field_key];
+ }
- preg_match_all('~<input name="(.+?)" type="hidden" value="(.+?)">~i', $result, $fields);
- foreach ($fields[1] as $field_key => $field_name) {
- $postfields[$field_name] = $fields[2][$field_key];
- }
+ // change password
+ $ch = curl_copy_handle($ch);
+ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postfields));
+ if ($result = curl_exec($ch)) {
+ // has the password been changed?
+ if (strpos($result, 'Einstellungen erfolgreich') !== false) {
+ return PASSWORD_SUCCESS;
+ }
- // change password
- $ch = curl_copy_handle($ch);
- curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
- if ($result = curl_exec($ch)) {
+ // show error message(s) if possible
+ if (strpos($result, '<div class="d-msg-text">') !== false) {
+ preg_match_all('#<div class="d-msg-text">(.*?)</div>#s', $result, $errors);
+ if (isset($errors[1])) {
+ $error_message = '';
+ foreach ($errors[1] as $error) {
+ $error_message .= trim(mb_convert_encoding( $error, 'UTF-8', 'ISO-8859-15' )).' ';
+ }
+ return array('code' => PASSWORD_ERROR, 'message' => $error_message);
+ }
+ }
+ }
+ else {
+ return PASSWORD_CONNECT_ERROR;
+ }
+ }
+ else {
+ return PASSWORD_CONNECT_ERROR;
+ }
+ }
+ else {
+ return PASSWORD_CONNECT_ERROR;
+ }
- // did the new password match the requirements?
- if (strpos($result, '<div class="d-msg-text">') !== false) {
- preg_match_all('#<div class="d-msg-text">(.*?)</div>#s', $result, $errors);
- if (isset($errors[1])) {
- $error_message = '';
- foreach ( $errors[1] as $error ) {
- $error_message .= trim(mb_convert_encoding( $error, 'UTF-8', 'ISO-8859-15' )).' ';
- }
- return array('code' => PASSWORD_ERROR, 'message' => $error_message);
- }
- }
-
- if (strpos($result, 'Einstellungen erfolgreich') !== false) {
- return PASSWORD_SUCCESS;
- }
-
- } else {
- return PASSWORD_CONNECT_ERROR;
- }
-
- } else {
- return PASSWORD_CONNECT_ERROR;
- }
-
- } else {
- return PASSWORD_CONNECT_ERROR;
- }
-
- return PASSWORD_ERROR;
- }
+ return PASSWORD_ERROR;
+ }
}
--
Gitblit v1.9.1