From ed1d212ae2daea5e4bd043417610177093e99f19 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 16 Jan 2016 03:03:51 -0500
Subject: [PATCH] Improved SVG cleanup code

---
 plugins/password/drivers/dbmail.php |   38 +++++++++++++++++++++++++++++++++-----
 1 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index a7c2f46..1207283 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -13,23 +13,51 @@
  * For installation instructions please read the README file.
  *
  * @version 1.0
+ *
+ * Copyright (C) 2005-2013, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
  */
 
 class rcube_dbmail_password
 {
-    function password_save($currpass, $newpass)
+    function save($currpass, $newpass)
     {
-        $curdir   = INSTALL_PATH . 'plugins/password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
+        $username = escapeshellarg($_SESSION['username']);
+        $password = escapeshellarg($newpass);
         $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
+        $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
 
-        exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+        if (strlen($command) > 1024) {
+            rcube::raise_error(array(
+                'code' => 600,
+                'type' => 'php',
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Password plugin: The command is too long."
+                ), true, false);
+
+            return PASSWORD_ERROR;
+        }
+
+        exec($command, $output, $returnvalue);
 
         if ($returnvalue == 0) {
             return PASSWORD_SUCCESS;
         }
         else {
-            raise_error(array(
+            rcube::raise_error(array(
                 'code' => 600,
                 'type' => 'php',
                 'file' => __FILE__, 'line' => __LINE__,
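Review bot: The new password still travels on the helper's command line (`-w $password` in the added `$command` line), so other local users can read it in the process list for as long as `chgdbmailusers` runs; `escapeshellarg()` closes the shell injection but not that exposure. If the helper can read the secret from stdin, that would be the better channel (the helper is not visible from this hunk); otherwise record the exposure above the `exec()` call, e.g. `// NOTE: new password is passed on argv and is visible in the process list while the helper runs`. `$args` is still appended unquoted, which is safe only because it comes from `password_dbmail_args` in admin-controlled config, and the 1024 limit is unexplained; a comment such as `// $args is trusted admin config, appended verbatim; 1024 = assumed helper command-length limit (confirm)` would cover both. The body of `save()` continues past the end of the hunk.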

--
Gitblit v1.9.1