From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 plugins/password/password.php | 94 +++++++++++++++++++++++++++++++++--------------
 1 files changed, 66 insertions(+), 28 deletions(-)
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 476e9ea..f84dc8f 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -6,7 +6,7 @@
 * @version @package_version@
 * @author Aleksander Machniak <alec@alec.pl>
 *
- * Copyright (C) 2005-2013, The Roundcube Dev Team
+ * Copyright (C) 2005-2015, The Roundcube Dev Team
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -63,10 +63,6 @@
 $this->register_action('plugin.password', array($this, 'password_init'));
 $this->register_action('plugin.password-save', array($this, 'password_save'));
-
- if (strpos($rcmail->action, 'plugin.password') === 0) {
- $this->include_script('password.js');
- }
 }
 else if ($rcmail->config->get('password_force_new_user')) {
 $this->add_hook('user_create', array($this, 'user_create'));
@@ -109,7 +105,8 @@
 $rcmail = rcmail::get_instance();
 $rcmail->output->set_pagetitle($this->gettext('changepasswd'));
- $confirm = $rcmail->config->get('password_confirm_current');
+ $form_disabled = $rcmail->config->get('password_disabled');
+ $confirm = $rcmail->config->get('password_confirm_current');
 $required_length = intval($rcmail->config->get('password_minimum_length'));
 $check_strength = $rcmail->config->get('password_require_nonalpha');
 
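Review bot: `$form_disabled` is read on the new side of the last hunk (@@ -109) but nothing in the hunk acts on it, and the enclosing method — presumably password_save, given the `$confirm`/`$required_length`/`$check_strength` reads next to it; it starts and ends outside the hunk — is where the POSTed passwords are processed. The other uses this commit adds, the `password_disabled` env flag at @@ -196 and the notice at @@ -244, only change what the browser renders, so unless a check follows later in the method a direct `plugin.password-save` request still reaches `save()` while the form is presented as disabled. Enforce the setting server-side before any `$_POST` value is read, for example `if ($form_disabled) { $rcmail->output->show_message('password.disablednotice', 'warning'); return; }`, bailing out the same way the method's existing validation failures do, and note in a comment that the env flag is only a UI hint.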
@@ -196,15 +193,22 @@
 'password.passwordinconsistency'
 );
+ $form_disabled = $rcmail->config->get('password_disabled');
+ $rcmail->output->set_env('product_name', $rcmail->config->get('product_name'));
+ $rcmail->output->set_env('password_disabled', !empty($form_disabled));
 $table = new html_table(array('cols' => 2));
 if ($rcmail->config->get('password_confirm_current')) {
 // show current password selection
 $field_id = 'curpasswd';
- $input_curpasswd = new html_passwordfield(array('name' => '_curpasswd', 'id' => $field_id,
- 'size' => 20, 'autocomplete' => 'off'));
+ $input_curpasswd = new html_passwordfield(array(
+ 'name' => '_curpasswd',
+ 'id' => $field_id,
+ 'size' => 20,
+ 'autocomplete' => 'off',
+ ));
 $table->add('title', html::label($field_id, rcube::Q($this->gettext('curpasswd'))));
 $table->add(null, $input_curpasswd->show());
@@ -212,16 +216,24 @@
 // show new password selection
 $field_id = 'newpasswd';
- $input_newpasswd = new html_passwordfield(array('name' => '_newpasswd', 'id' => $field_id,
- 'size' => 20, 'autocomplete' => 'off'));
+ $input_newpasswd = new html_passwordfield(array(
+ 'name' => '_newpasswd',
+ 'id' => $field_id,
+ 'size' => 20,
+ 'autocomplete' => 'off',
+ ));
 $table->add('title', html::label($field_id, rcube::Q($this->gettext('newpasswd'))));
 $table->add(null, $input_newpasswd->show());
 // show confirm password selection
 $field_id = 'confpasswd';
- $input_confpasswd = new html_passwordfield(array('name' => '_confpasswd', 'id' => $field_id,
- 'size' => 20, 'autocomplete' => 'off'));
+ $input_confpasswd = new html_passwordfield(array(
+ 'name' => '_confpasswd',
+ 'id' => $field_id,
+ 'size' => 20,
+ 'autocomplete' => 'off',
+ ));
 $table->add('title', html::label($field_id, rcube::Q($this->gettext('confpasswd'))));
 $table->add(null, $input_confpasswd->show());
 
@@ -244,19 +256,27 @@
 $rules = html::tag('ul', array('id' => 'ruleslist'), $rules);
 }
+ $disabled_msg = '';
+ if ($form_disabled) {
+ $disabled_msg = is_string($form_disabled) ? $form_disabled : $this->gettext('disablednotice');
+ $disabled_msg = html::div(array('class' => 'boxwarning', 'id' => 'password-notice'), $disabled_msg);
+ }
+
+ $submit_button = $rcmail->output->button(array(
+ 'command' => 'plugin.password-save',
+ 'type' => 'input',
+ 'class' => 'button mainaction',
+ 'label' => 'save',
+ ));
+
 $out = html::div(array('class' => 'box'),
- html::div(array('id' => 'prefs-title', 'class' => 'boxtitle'), $this->gettext('changepasswd')) .
- html::div(array('class' => 'boxcontent'), $table->show() .
- $rules .
- html::p(null,
- $rcmail->output->button(array(
- 'command' => 'plugin.password-save',
- 'type' => 'input',
- 'class' => 'button mainaction',
- 'label' => 'save'
- )))));
+ html::div(array('id' => 'prefs-title', 'class' => 'boxtitle'), $this->gettext('changepasswd'))
+ . html::div(array('class' => 'boxcontent'),
+ $disabled_msg . $table->show() . $rules . html::p(null, $submit_button)));
 $rcmail->output->add_gui_object('passform', 'password-form');
+
+ $this->include_script('password.js');
 return $rcmail->output->form_tag(array(
 'id' => 'password-form',
@@ -297,6 +317,7 @@
 $object = new $class;
 $result = $object->save($curpass, $passwd);
+ $message = '';
 if (is_array($result)) {
 $message = $result['message'];
@@ -384,6 +405,9 @@
 {
 $method = strtolower($method);
 $rcmail = rcmail::get_instance();
+ $prefix = '';
+ $crypted = '';
+ $default = false;
 if (empty($method) || $method == 'default') {
 $method = $rcmail->config->get('password_algorithm');
 
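Review bot: `$disabled_msg` goes into the boxwarning div at @@ -244 unescaped — neither the `password_disabled` config string nor `$this->gettext('disablednotice')` is passed through `rcube::Q()`, although the field labels built in the same method are. If the notice is meant to carry administrator-supplied markup (a link to an external change-password page, say), record that above the `is_string()` line: `// password_disabled may hold admin-supplied HTML, e.g. a link; intentionally not escaped`. If it is meant as plain text, escape it: `$disabled_msg = rcube::Q(is_string($form_disabled) ? $form_disabled : $this->gettext('disablednotice'));`. password_form starts and ends outside the hunk, and the `$form_disabled` tested here is the one set at @@ -196.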
@@ -420,12 +444,26 @@
 break;
 case 'sha256-crypt':
- $crypted = crypt($password, '$5$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ $prefix = '$5$';
+
+ if ($rounds > 1000) {
+ $prefix .= 'rounds=' . $rounds . '$';
+ }
+
+ $crypted = crypt($password, $prefix . self::random_salt(16));
 $prefix = '{CRYPT}';
 break;
 case 'sha512-crypt':
- $crypted = crypt($password, '$6$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ $prefix = '$6$';
+
+ if ($rounds > 1000) {
+ $prefix .= 'rounds=' . $rounds . '$';
+ }
+
+ $crypted = crypt($password, $prefix . self::random_salt(16));
 $prefix = '{CRYPT}';
 break;
@@ -514,7 +552,7 @@
 case 'samba':
 if (function_exists('hash')) {
 $crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE'));
- $crypted = strtoupper($crypted_password);
+ $crypted = strtoupper($crypted);
 }
 else {
 rcube::raise_error(array(
@@ -552,14 +590,14 @@
 return false;
 }
 else {
- fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000);
- fwrite($pipe, $passwd . "\n", 1+strlen($passwd));
+ fwrite($pipe, $password . "\n", 1+strlen($password)); usleep(1000);
+ fwrite($pipe, $password . "\n", 1+strlen($password));
 pclose($pipe);
 $crypted = trim(file_get_contents($tmpfile), "\n");
 unlink($tmpfile);
- if (!preg_match('/^\{' . $method . '\}/', $newpass)) {
+ if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
 return false;
 }
--
Gitblit v1.9.1
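Review bot: The `rounds` handling added to the sha256-crypt and sha512-crypt cases at @@ -420 is duplicated and has an off-by-one: crypt() honours `rounds=` values from 1000 to 999999999 and clamps anything outside that range, so a configured `password_crypt_rounds` of exactly 1000 is dropped by `$rounds > 1000` and silently becomes the implementation default of 5000. `$prefix` is also used for two different things within one case — first the salt prefix handed to crypt(), then the `{CRYPT}` scheme tag the method returns with — which is easy to misread. Merge the two cases, keep the salt prefix in its own local and compare with `>= 1000`; hash_password continues outside the hunk, so the `$prefix`/`$crypted` initialisations at @@ -384 stay as they are.
```php
            case 'sha256-crypt':
            case 'sha512-crypt':
                $rounds = (int) $rcmail->config->get('password_crypt_rounds');
                $salt   = $method == 'sha256-crypt' ? '$5$' : '$6$';

                // crypt() only honours rounds=N for 1000 <= N <= 999999999 and
                // clamps the rest; below the minimum we leave it at the default
                if ($rounds >= 1000) {
                    $salt .= 'rounds=' . $rounds . '$';
                }

                $crypted = crypt($password, $salt . self::random_salt(16));
                $prefix  = '{CRYPT}';
                break;
```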
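Review bot: `$method` is spliced into the regex on the last changed line of @@ -552 without `preg_quote()`, so a configured method name containing PCRE metacharacters either breaks the pattern or matches the wrong prefix; use `if (!preg_match('/^\{' . preg_quote($method, '/') . '\}/', $crypted)) {`. The two fwrite() return values on the corrected lines are also ignored, so a short write to the pipe would hand the external tool a truncated password and the resulting hash would still pass the prefix check. The enclosing case runs past both ends of the hunk; if the same `$method` is interpolated into the command that opened `$pipe` (not visible here), that spot needs `escapeshellarg()` as well.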