From ed1d212ae2daea5e4bd043417610177093e99f19 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 16 Jan 2016 03:03:51 -0500
Subject: [PATCH] Improved SVG cleanup code

---
 program/include/rcmail.php |   61 +++++++++++++++++++-----------
 1 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 81a1c81..bdf9405 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -60,6 +60,7 @@
     const ERROR_INVALID_REQUEST  = 1;
     const ERROR_INVALID_HOST     = 2;
     const ERROR_COOKIES_DISABLED = 3;
+    const ERROR_RATE_LIMIT       = 4;
 
 
     /**
@@ -493,7 +494,7 @@
      *
      * @return boolean True on success, False on failure
      */
-    function login($username, $pass, $host = null, $cookiecheck = false)
+    function login($username, $password, $host = null, $cookiecheck = false)
     {
         $this->login_error = null;
 
@@ -506,10 +507,22 @@
             return false;
         }
 
+        $username_filter = $this->config->get('login_username_filter');
+        $username_maxlen = $this->config->get('login_username_maxlen', 1024);
+        $password_maxlen = $this->config->get('login_password_maxlen', 1024);
         $default_host    = $this->config->get('default_host');
         $default_port    = $this->config->get('default_port');
         $username_domain = $this->config->get('username_domain');
         $login_lc        = $this->config->get('login_lc', 2);
+
+        // check input for security (#1490500)
+        if (($username_maxlen && strlen($username) > $username_maxlen)
+            || ($username_filter && !preg_match($username_filter, $username))
+            || ($password_maxlen && strlen($password) > $password_maxlen)
+        ) {
+            $this->login_error = self::ERROR_INVALID_REQUEST;
+            return false;
+        }
 
         // host is validated in rcmail::autoselect_host(), so here
         // we'll only handle unset host (if possible)
@@ -590,12 +603,22 @@
         // user already registered -> overwrite username
         if ($user = rcube_user::query($username, $host)) {
             $username = $user->data['username'];
+
+            // Brute-force prevention
+            if ($user->is_locked()) {
+                $this->login_error = self::ERROR_RATE_LIMIT;
+                return false;
+            }
         }
 
         $storage = $this->get_storage();
 
         // try to log in
-        if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+        if (!$storage->connect($host, $username, $password, $port, $ssl)) {
+            if ($user) {
+                $user->failed_login();
+            }
+
             // Wait a second to slow down brute-force attacks (#1490549)
             sleep(1);
             return false;
@@ -643,7 +666,7 @@
             $_SESSION['storage_host'] = $host;
             $_SESSION['storage_port'] = $port;
             $_SESSION['storage_ssl']  = $ssl;
-            $_SESSION['password']     = $this->encrypt($pass);
+            $_SESSION['password']     = $this->encrypt($password);
             $_SESSION['login_time']   = time();
 
             if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@@ -1069,6 +1092,12 @@
 
         // failed login
         if ($failed_login) {
+            // don't fill the log with complete input, which could
+            // have been prepared by a hacker
+            if (strlen($user) > 256) {
+                $user = substr($user, 0, 256) . '...';
+            }
+
             $message = sprintf('Failed login for %s from %s in session %s (error: %d)',
                 $user, rcube_utils::remote_ip(), session_id(), $error_code);
         }
@@ -1866,6 +1895,8 @@
         $spelldict        = intval($this->config->get('spellcheck_dictionary'));
         $disabled_plugins = array();
         $disabled_buttons = array();
+        $extra_plugins    = array();
+        $extra_buttons    = array();
 
         if (!$spellcheck) {
             $disabled_plugins[] = 'spellchecker';
@@ -1875,6 +1906,8 @@
                 'mode'             => $mode,
                 'disabled_plugins' => $disabled_plugins,
                 'disabled_buttons' => $disabled_buttons,
+                'extra_plugins' => $extra_plugins,
+                'extra_buttons' => $extra_buttons,
         ));
 
         if ($hook['abort']) {
@@ -1906,6 +1939,8 @@
             'spelldict'  => $spelldict,
             'disabled_plugins' => $hook['disabled_plugins'],
             'disabled_buttons' => $hook['disabled_buttons'],
+            'extra_plugins'    => $hook['extra_plugins'],
+            'extra_buttons'    => $hook['extra_buttons'],
         );
 
         $this->output->add_label('selectimage', 'addimage', 'selectmedia', 'addmedia');
@@ -2332,26 +2367,6 @@
         }
 
         return $options['body'];
-    }
-
-
-    /************************************************************************
-     *********          Deprecated methods (to be removed)          *********
-     ***********************************************************************/
-
-    public static function setcookie($name, $value, $exp = 0)
-    {
-        rcube_utils::setcookie($name, $value, $exp);
-    }
-
-    public function imap_connect()
-    {
-        return $this->storage_connect();
-    }
-
-    public function imap_init()
-    {
-        return $this->storage_init();
     }
 
     /**

--
Gitblit v1.9.1