From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/password/password.php |   31 +++++++++++++++++++++++++------
 1 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/plugins/password/password.php b/plugins/password/password.php
index 4dc5909..f84dc8f 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -256,6 +256,7 @@
             $rules = html::tag('ul', array('id' => 'ruleslist'), $rules);
         }
 
+        $disabled_msg = '';
         if ($form_disabled) {
             $disabled_msg = is_string($form_disabled) ? $form_disabled : $this->gettext('disablednotice');
             $disabled_msg = html::div(array('class' => 'boxwarning', 'id' => 'password-notice'), $disabled_msg);
@@ -316,6 +317,7 @@
 
         $object = new $class;
         $result = $object->save($curpass, $passwd);
+        $message = '';
 
         if (is_array($result)) {
             $message = $result['message'];
@@ -403,6 +405,9 @@
     {
         $method = strtolower($method);
         $rcmail = rcmail::get_instance();
+        $prefix = '';
+        $crypted = '';
+        $default = false;
 
         if (empty($method) || $method == 'default') {
             $method   = $rcmail->config->get('password_algorithm');
@@ -439,12 +444,26 @@
             break;
 
         case 'sha256-crypt':
-            $crypted = crypt($password, '$5$' . self::random_salt(16));
+            $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+            $prefix = '$5$';
+
+            if ($rounds > 1000) {
+                $prefix .= 'rounds=' . $rounds . '$';
+            }
+
+            $crypted = crypt($password, $prefix . self::random_salt(16));
             $prefix  = '{CRYPT}';
             break;
 
         case 'sha512-crypt':
-            $crypted = crypt($password, '$6$' . self::random_salt(16));
+            $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+            $prefix = '$6$';
+
+            if ($rounds > 1000) {
+                $prefix .= 'rounds=' . $rounds . '$';
+            }
+
+            $crypted = crypt($password, $prefix . self::random_salt(16));
             $prefix  = '{CRYPT}';
             break;
 
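Review bot: The new `sha256-crypt` and `sha512-crypt` branches are identical except for the `$5$`/`$6$` prefix, so the `password_crypt_rounds` handling now has to be maintained twice; folding them into one shared case keeps the rounds logic in a single place, assuming the surrounding `switch` (outside this hunk) is on the lowercased `$method`. Within each branch `$prefix` also carries two meanings, first the crypt salt prefix and then the `{CRYPT}` scheme tag it is overwritten with, so a dedicated `$salt` local reads more clearly. The `$rounds > 1000` guard deserves a comment such as `// 1000 is SHA-crypt's default round count; only emit rounds= when the admin raised it`, and whether values above the implementation's maximum are clamped or rejected is not visible here, so a documented upper bound for `password_crypt_rounds` is worth confirming in the config sample. The enclosing function starts before this hunk.
```php
        case 'sha256-crypt':
        case 'sha512-crypt':
            // 1000 is SHA-crypt's default round count; only emit rounds= when the admin raised it
            $rounds = (int) $rcmail->config->get('password_crypt_rounds');
            $salt   = $method == 'sha256-crypt' ? '$5$' : '$6$';

            if ($rounds > 1000) {
                $salt .= 'rounds=' . $rounds . '$';
            }

            $crypted = crypt($password, $salt . self::random_salt(16));
            $prefix  = '{CRYPT}';
            break;
```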
@@ -533,7 +552,7 @@
         case 'samba':
             if (function_exists('hash')) {
                 $crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE'));
-                $crypted = strtoupper($crypted_password);
+                $crypted = strtoupper($crypted);
             }
             else {
                 rcube::raise_error(array(
@@ -571,14 +590,14 @@
                 return false;
             }
             else {
-                fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000);
-                fwrite($pipe, $passwd . "\n", 1+strlen($passwd));
+                fwrite($pipe, $password . "\n", 1+strlen($password)); usleep(1000);
+                fwrite($pipe, $password . "\n", 1+strlen($password));
                 pclose($pipe);
 
                 $crypted = trim(file_get_contents($tmpfile), "\n");
                 unlink($tmpfile);
 
-                if (!preg_match('/^\{' . $method . '\}/', $newpass)) {
+                if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
                     return false;
                 }
 
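Review bot: The return value of `file_get_contents($tmpfile)` is not checked before `trim()`, so a missing or unreadable temp file silently becomes `''` and only fails later at the `preg_match` guard; `$crypted = file_get_contents($tmpfile); unlink($tmpfile); if ($crypted === false) { return false; }` with the `trim` applied afterwards makes that failure path explicit. In the same block `$method` is spliced into the pattern unquoted, so a scheme name containing a regex metacharacter such as `.` makes the check looser than intended; `if (!preg_match('/^\{' . preg_quote($method, '/') . '\}/', $crypted)) {` is cheap insurance. The two `fwrite` return values are likewise unchecked, so a closed pipe would go unnoticed until the regex check. The enclosing function and the `else` block both start before this hunk.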

--
Gitblit v1.9.1