From ed1d212ae2daea5e4bd043417610177093e99f19 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 16 Jan 2016 03:03:51 -0500
Subject: [PATCH] Improved SVG cleanup code
---
program/lib/Roundcube/rcube_user.php | 339 ++++++++++++++++++++++++++++++++++++++------------------
1 files changed, 229 insertions(+), 110 deletions(-)
diff --git a/program/lib/Roundcube/rcube_user.php b/program/lib/Roundcube/rcube_user.php
index 7bd73e0..bda6e54 100644
--- a/program/lib/Roundcube/rcube_user.php
+++ b/program/lib/Roundcube/rcube_user.php
@@ -1,9 +1,7 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
- | program/include/rcube_user.inc |
- | |
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2005-2012, The Roundcube Dev Team |
| |
@@ -14,13 +12,11 @@
| PURPOSE: |
| This class represents a system user linked and provides access |
| to the related database records. |
- | |
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
| Author: Aleksander Machniak <alec@alec.pl> |
+-----------------------------------------------------------------------+
*/
-
/**
* Class representing a system user
@@ -33,6 +29,7 @@
public $ID;
public $data;
public $language;
+ public $prefs;
/**
* Holds database connection.
@@ -55,6 +52,14 @@
*/
private $identities = array();
+ /**
+ * Internal emails cache
+ *
+ * @var array
+ */
+ private $emails;
+
+
const SEARCH_ADDRESSBOOK = 1;
const SEARCH_MAIL = 2;
@@ -71,7 +76,8 @@
if ($id && !$sql_arr) {
$sql_result = $this->db->query(
- "SELECT * FROM ".$this->db->table_name('users')." WHERE user_id = ?", $id);
+ "SELECT * FROM " . $this->db->table_name('users', true)
+ . " WHERE `user_id` = ?", $id);
$sql_arr = $this->db->fetch_assoc($sql_result);
}
@@ -82,16 +88,20 @@
}
}
-
/**
* Build a user name string (as e-mail address)
*
- * @param string $part Username part (empty or 'local' or 'domain')
+ * @param string $part Username part (empty or 'local' or 'domain', 'mail')
* @return string Full user name or its part
*/
function get_username($part = null)
{
if ($this->data['username']) {
+ // return real name
+ if (!$part) {
+ return $this->data['username'];
+ }
+
list($local, $domain) = explode('@', $this->data['username']);
// at least we should always have the local part
@@ -116,7 +126,6 @@
return false;
}
-
/**
* Get the preferences saved for this user
*
@@ -124,8 +133,14 @@
*/
function get_prefs()
{
+ if (isset($this->prefs)) {
+ return $this->prefs;
+ }
+
+ $this->prefs = array();
+
if (!empty($this->language))
- $prefs = array('language' => $this->language);
+ $this->prefs['language'] = $this->language;
if ($this->ID) {
// Preferences from session (write-master is unavailable)
@@ -143,75 +158,133 @@
}
if ($this->data['preferences']) {
- $prefs += (array)unserialize($this->data['preferences']);
+ $this->prefs += (array)unserialize($this->data['preferences']);
}
}
- return $prefs;
+ return $this->prefs;
}
-
/**
* Write the given user prefs to the user's record
*
* @param array $a_user_prefs User prefs to save
+ * @param bool $no_session Simplified language/preferences handling
+ *
* @return boolean True on success, False on failure
*/
- function save_prefs($a_user_prefs)
+ function save_prefs($a_user_prefs, $no_session = false)
{
if (!$this->ID)
return false;
- $config = $this->rc->config;
- $old_prefs = (array)$this->get_prefs();
+ $plugin = $this->rc->plugins->exec_hook('preferences_update', array(
+ 'userid' => $this->ID, 'prefs' => $a_user_prefs, 'old' => (array)$this->get_prefs()));
+
+ if (!empty($plugin['abort'])) {
+ return;
+ }
+
+ $a_user_prefs = $plugin['prefs'];
+ $old_prefs = $plugin['old'];
+ $config = $this->rc->config;
// merge (partial) prefs array with existing settings
- $save_prefs = $a_user_prefs + $old_prefs;
+ $this->prefs = $save_prefs = $a_user_prefs + $old_prefs;
unset($save_prefs['language']);
// don't save prefs with default values if they haven't been changed yet
foreach ($a_user_prefs as $key => $value) {
- if ($value === null || (!isset($old_prefs[$key]) && ($value == $config->get($key))))
+ if ($value === null || (!isset($old_prefs[$key]) && ($value == $config->get($key)))) {
unset($save_prefs[$key]);
+ }
}
$save_prefs = serialize($save_prefs);
+ if (!$no_session) {
+ $this->language = $_SESSION['language'];
+ }
$this->db->query(
- "UPDATE ".$this->db->table_name('users').
- " SET preferences = ?".
- ", language = ?".
- " WHERE user_id = ?",
+ "UPDATE ".$this->db->table_name('users', true).
+ " SET `preferences` = ?, `language` = ?".
+ " WHERE `user_id` = ?",
$save_prefs,
- $_SESSION['language'],
+ $this->language,
$this->ID);
-
- $this->language = $_SESSION['language'];
// Update success
if ($this->db->affected_rows() !== false) {
- $config->set_user_prefs($a_user_prefs);
$this->data['preferences'] = $save_prefs;
- if (isset($_SESSION['preferences'])) {
- $this->rc->session->remove('preferences');
- $this->rc->session->remove('preferences_time');
+ if (!$no_session) {
+ $config->set_user_prefs($this->prefs);
+
+ if (isset($_SESSION['preferences'])) {
+ $this->rc->session->remove('preferences');
+ $this->rc->session->remove('preferences_time');
+ }
}
+
return true;
}
// Update error, but we are using replication (we have read-only DB connection)
// and we are storing session not in the SQL database
// we can store preferences in session and try to write later (see get_prefs())
- else if ($this->db->is_replicated() && $config->get('session_storage', 'db') != 'db') {
+ else if (!$no_session && $this->db->is_replicated()
+ && $config->get('session_storage', 'db') != 'db'
+ ) {
$_SESSION['preferences'] = $save_prefs;
$_SESSION['preferences_time'] = time();
- $config->set_user_prefs($a_user_prefs);
+ $config->set_user_prefs($this->prefs);
$this->data['preferences'] = $save_prefs;
}
return false;
}
+ /**
+ * Generate a unique hash to identify this user whith
+ */
+ function get_hash()
+ {
+ $prefs = $this->get_prefs();
+
+ // generate a random hash and store it in user prefs
+ if (empty($prefs['client_hash'])) {
+ $prefs['client_hash'] = md5($this->data['username'] . mt_rand() . $this->data['mail_host']);
+ $this->save_prefs(array('client_hash' => $prefs['client_hash']));
+ }
+
+ return $prefs['client_hash'];
+ }
+
+ /**
+ * Return a list of all user emails (from identities)
+ *
+ * @param bool Return only default identity
+ *
+ * @return array List of emails (identity_id, name, email)
+ */
+ function list_emails($default = false)
+ {
+ if ($this->emails === null) {
+ $this->emails = array();
+
+ $sql_result = $this->db->query(
+ "SELECT `identity_id`, `name`, `email`"
+ ." FROM " . $this->db->table_name('identities', true)
+ ." WHERE `user_id` = ? AND `del` <> 1"
+ ." ORDER BY `standard` DESC, `name` ASC, `email` ASC, `identity_id` ASC",
+ $this->ID);
+
+ while ($sql_arr = $this->db->fetch_assoc($sql_result)) {
+ $this->emails[] = $sql_arr;
+ }
+ }
+
+ return $default ? $this->emails[0] : $this->emails;
+ }
/**
* Get default identity of this user
@@ -224,38 +297,47 @@
$id = (int)$id;
// cache identities for better performance
if (!array_key_exists($id, $this->identities)) {
- $result = $this->list_identities($id ? 'AND identity_id = ' . $id : '');
+ $result = $this->list_identities($id ? "AND `identity_id` = $id" : '');
$this->identities[$id] = $result[0];
}
return $this->identities[$id];
}
-
/**
* Return a list of all identities linked with this user
*
- * @param string $sql_add Optional WHERE clauses
+ * @param string $sql_add Optional WHERE clauses
+ * @param bool $formatted Format identity email and name
+ *
* @return array List of identities
*/
- function list_identities($sql_add = '')
+ function list_identities($sql_add = '', $formatted = false)
{
$result = array();
$sql_result = $this->db->query(
- "SELECT * FROM ".$this->db->table_name('identities').
- " WHERE del <> 1 AND user_id = ?".
+ "SELECT * FROM ".$this->db->table_name('identities', true).
+ " WHERE `del` <> 1 AND `user_id` = ?".
($sql_add ? " ".$sql_add : "").
- " ORDER BY ".$this->db->quoteIdentifier('standard')." DESC, name ASC, identity_id ASC",
+ " ORDER BY `standard` DESC, `name` ASC, `email` ASC, `identity_id` ASC",
$this->ID);
while ($sql_arr = $this->db->fetch_assoc($sql_result)) {
+ if ($formatted) {
+ $ascii_email = format_email($sql_arr['email']);
+ $utf8_email = format_email(rcube_utils::idn_to_utf8($ascii_email));
+
+ $sql_arr['email_ascii'] = $ascii_email;
+ $sql_arr['email'] = $utf8_email;
+ $sql_arr['ident'] = format_email_recipient($ascii_email, $sql_arr['name']);
+ }
+
$result[] = $sql_arr;
}
return $result;
}
-
/**
* Update a specific identity record
@@ -272,26 +354,27 @@
$query_cols = $query_params = array();
foreach ((array)$data as $col => $value) {
- $query_cols[] = $this->db->quoteIdentifier($col) . ' = ?';
+ $query_cols[] = $this->db->quote_identifier($col) . ' = ?';
$query_params[] = $value;
}
$query_params[] = $iid;
$query_params[] = $this->ID;
- $sql = "UPDATE ".$this->db->table_name('identities').
- " SET changed = ".$this->db->now().", ".join(', ', $query_cols).
- " WHERE identity_id = ?".
- " AND user_id = ?".
- " AND del <> 1";
+ $sql = "UPDATE ".$this->db->table_name('identities', true).
+ " SET `changed` = ".$this->db->now().", ".join(', ', $query_cols).
+ " WHERE `identity_id` = ?".
+ " AND `user_id` = ?".
+ " AND `del` <> 1";
call_user_func_array(array($this->db, 'query'),
array_merge(array($sql), $query_params));
+ // clear the cache
$this->identities = array();
+ $this->emails = null;
return $this->db->affected_rows();
}
-
/**
* Create a new identity record linked with this user
@@ -308,24 +391,25 @@
$insert_cols = $insert_values = array();
foreach ((array)$data as $col => $value) {
- $insert_cols[] = $this->db->quoteIdentifier($col);
+ $insert_cols[] = $this->db->quote_identifier($col);
$insert_values[] = $value;
}
- $insert_cols[] = 'user_id';
+ $insert_cols[] = $this->db->quote_identifier('user_id');
$insert_values[] = $this->ID;
- $sql = "INSERT INTO ".$this->db->table_name('identities').
- " (changed, ".join(', ', $insert_cols).")".
+ $sql = "INSERT INTO ".$this->db->table_name('identities', true).
+ " (`changed`, ".join(', ', $insert_cols).")".
" VALUES (".$this->db->now().", ".join(', ', array_pad(array(), sizeof($insert_values), '?')).")";
call_user_func_array(array($this->db, 'query'),
array_merge(array($sql), $insert_values));
+ // clear the cache
$this->identities = array();
+ $this->emails = null;
return $this->db->insert_id('identities');
}
-
/**
* Mark the given identity as deleted
@@ -339,8 +423,8 @@
return false;
$sql_result = $this->db->query(
- "SELECT count(*) AS ident_count FROM ".$this->db->table_name('identities').
- " WHERE user_id = ? AND del <> 1",
+ "SELECT count(*) AS ident_count FROM ".$this->db->table_name('identities', true).
+ " WHERE `user_id` = ? AND `del` <> 1",
$this->ID);
$sql_arr = $this->db->fetch_assoc($sql_result);
@@ -350,18 +434,19 @@
return -1;
$this->db->query(
- "UPDATE ".$this->db->table_name('identities').
- " SET del = 1, changed = ".$this->db->now().
- " WHERE user_id = ?".
- " AND identity_id = ?",
+ "UPDATE ".$this->db->table_name('identities', true).
+ " SET `del` = 1, `changed` = ".$this->db->now().
+ " WHERE `user_id` = ?".
+ " AND `identity_id` = ?",
$this->ID,
$iid);
+ // clear the cache
$this->identities = array();
+ $this->emails = null;
return $this->db->affected_rows();
}
-
/**
* Make this identity the default one for this user
@@ -372,18 +457,15 @@
{
if ($this->ID && $iid) {
$this->db->query(
- "UPDATE ".$this->db->table_name('identities').
- " SET ".$this->db->quoteIdentifier('standard')." = '0'".
- " WHERE user_id = ?".
- " AND identity_id <> ?".
- " AND del <> 1",
+ "UPDATE ".$this->db->table_name('identities', true).
+ " SET `standard` = '0'".
+ " WHERE `user_id` = ? AND `identity_id` <> ?",
$this->ID,
$iid);
unset($this->identities[0]);
}
}
-
/**
* Update user's last_login timestamp
@@ -392,23 +474,71 @@
{
if ($this->ID) {
$this->db->query(
- "UPDATE ".$this->db->table_name('users').
- " SET last_login = ".$this->db->now().
- " WHERE user_id = ?",
+ "UPDATE ".$this->db->table_name('users', true).
+ " SET `last_login` = ".$this->db->now().
+ " WHERE `user_id` = ?",
$this->ID);
}
}
+ /**
+ * Update user's failed_login timestamp and counter
+ */
+ function failed_login()
+ {
+ if ($this->ID && ($rate = (int) $this->rc->config->get('login_rate_limit', 3))) {
+ if (empty($this->data['failed_login'])) {
+ $failed_login = new DateTime('now');
+ $counter = 1;
+ }
+ else {
+ $failed_login = new DateTime($this->data['failed_login']);
+ $threshold = new DateTime('- 60 seconds');
+
+ if ($failed_login < $threshold) {
+ $failed_login = new DateTime('now');
+ $counter = 1;
+ }
+ }
+
+ $this->db->query(
+ "UPDATE " . $this->db->table_name('users', true)
+ . " SET `failed_login` = " . $this->db->fromunixtime($failed_login->format('U'))
+ . ", `failed_login_counter` = " . ($counter ?: "`failed_login_counter` + 1")
+ . " WHERE `user_id` = ?",
+ $this->ID);
+ }
+ }
+
+ /**
+ * Checks if the account is locked, e.g. as a result of brute-force prevention
+ */
+ function is_locked()
+ {
+ if (empty($this->data['failed_login'])) {
+ return false;
+ }
+
+ if ($rate = (int) $this->rc->config->get('login_rate_limit', 3)) {
+ $last_failed = new DateTime($this->data['failed_login']);
+ $threshold = new DateTime('- 60 seconds');
+
+ if ($last_failed > $threshold && $this->data['failed_login_counter'] >= $rate) {
+ return true;
+ }
+ }
+
+ return false;
+ }
/**
* Clear the saved object state
*/
function reset()
{
- $this->ID = null;
+ $this->ID = null;
$this->data = null;
}
-
/**
* Find a user record matching the given name and host
@@ -423,28 +553,28 @@
$config = rcube::get_instance()->config;
// query for matching user name
- $sql_result = $dbh->query("SELECT * FROM " . $dbh->table_name('users')
- ." WHERE mail_host = ? AND username = ?", $host, $user);
+ $sql_result = $dbh->query("SELECT * FROM " . $dbh->table_name('users', true)
+ ." WHERE `mail_host` = ? AND `username` = ?", $host, $user);
$sql_arr = $dbh->fetch_assoc($sql_result);
// username not found, try aliases from identities
if (empty($sql_arr) && $config->get('user_aliases') && strpos($user, '@')) {
$sql_result = $dbh->limitquery("SELECT u.*"
- ." FROM " . $dbh->table_name('users') . " u"
- ." JOIN " . $dbh->table_name('identities') . " i ON (i.user_id = u.user_id)"
- ." WHERE email = ? AND del <> 1", 0, 1, $user);
+ ." FROM " . $dbh->table_name('users', true) . " u"
+ ." JOIN " . $dbh->table_name('identities', true) . " i ON (i.`user_id` = u.`user_id`)"
+ ." WHERE `email` = ? AND `del` <> 1", 0, 1, $user);
$sql_arr = $dbh->fetch_assoc($sql_result);
}
// user already registered -> overwrite username
- if ($sql_arr)
+ if ($sql_arr) {
return new rcube_user($sql_arr['user_id'], $sql_arr);
- else
- return false;
- }
+ }
+ return false;
+ }
/**
* Create a new user record and return a rcube_user instance
@@ -480,12 +610,12 @@
}
$dbh->query(
- "INSERT INTO ".$dbh->table_name('users').
- " (created, last_login, username, mail_host, language)".
+ "INSERT INTO ".$dbh->table_name('users', true).
+ " (`created`, `last_login`, `username`, `mail_host`, `language`)".
" VALUES (".$dbh->now().", ".$dbh->now().", ?, ?, ?)",
- strip_newlines($data['user']),
- strip_newlines($data['host']),
- strip_newlines($data['language']));
+ $data['user'],
+ $data['host'],
+ $data['language']);
if ($user_id = $dbh->insert_id('users')) {
// create rcube_user instance to make plugin hooks work
@@ -505,7 +635,7 @@
if (empty($user_email)) {
$user_email = strpos($data['user'], '@') ? $user : sprintf('%s@%s', $data['user'], $mail_domain);
}
- $email_list[] = strip_newlines($user_email);
+ $email_list[] = $user_email;
}
// identities_level check
else if (count($email_list) > 1 && $rcube->config->get('identities_level', 0) > 1) {
@@ -535,7 +665,6 @@
$record['name'] = $user_name != $record['email'] ? $user_name : '';
}
- $record['name'] = strip_newlines($record['name']);
$record['user_id'] = $user_id;
$record['standard'] = $standard;
@@ -560,7 +689,6 @@
return $user_id ? $user_instance : false;
}
-
/**
* Resolve username using a virtuser plugins
*
@@ -575,7 +703,6 @@
return $plugin['user'];
}
-
/**
* Resolve e-mail address from virtuser plugins
@@ -595,7 +722,6 @@
return empty($plugin['email']) ? NULL : $plugin['email'];
}
-
/**
* Return a list of saved searches linked with this user
*
@@ -614,11 +740,10 @@
$result = array();
$sql_result = $this->db->query(
- "SELECT search_id AS id, ".$this->db->quoteIdentifier('name')
- ." FROM ".$this->db->table_name('searches')
- ." WHERE user_id = ?"
- ." AND ".$this->db->quoteIdentifier('type')." = ?"
- ." ORDER BY ".$this->db->quoteIdentifier('name'),
+ "SELECT `search_id` AS id, `name`"
+ ." FROM ".$this->db->table_name('searches', true)
+ ." WHERE `user_id` = ? AND `type` = ?"
+ ." ORDER BY `name`",
(int) $this->ID, (int) $type);
while ($sql_arr = $this->db->fetch_assoc($sql_result)) {
@@ -628,7 +753,6 @@
return $result;
}
-
/**
* Return saved search data.
@@ -646,12 +770,10 @@
}
$sql_result = $this->db->query(
- "SELECT ".$this->db->quoteIdentifier('name')
- .", ".$this->db->quoteIdentifier('data')
- .", ".$this->db->quoteIdentifier('type')
- ." FROM ".$this->db->table_name('searches')
- ." WHERE user_id = ?"
- ." AND search_id = ?",
+ "SELECT `name`, `data`, `type`"
+ . " FROM ".$this->db->table_name('searches', true)
+ . " WHERE `user_id` = ?"
+ ." AND `search_id` = ?",
(int) $this->ID, (int) $id);
while ($sql_arr = $this->db->fetch_assoc($sql_result)) {
@@ -666,7 +788,6 @@
return null;
}
-
/**
* Deletes given saved search record
*
@@ -680,14 +801,13 @@
return false;
$this->db->query(
- "DELETE FROM ".$this->db->table_name('searches')
- ." WHERE user_id = ?"
- ." AND search_id = ?",
+ "DELETE FROM ".$this->db->table_name('searches', true)
+ ." WHERE `user_id` = ?"
+ ." AND `search_id` = ?",
(int) $this->ID, $sid);
return $this->db->affected_rows();
}
-
/**
* Create a new saved search record linked with this user
@@ -703,14 +823,14 @@
$insert_cols[] = 'user_id';
$insert_values[] = (int) $this->ID;
- $insert_cols[] = $this->db->quoteIdentifier('type');
+ $insert_cols[] = $this->db->quote_identifier('type');
$insert_values[] = (int) $data['type'];
- $insert_cols[] = $this->db->quoteIdentifier('name');
+ $insert_cols[] = $this->db->quote_identifier('name');
$insert_values[] = $data['name'];
- $insert_cols[] = $this->db->quoteIdentifier('data');
+ $insert_cols[] = $this->db->quote_identifier('data');
$insert_values[] = serialize($data['data']);
- $sql = "INSERT INTO ".$this->db->table_name('searches')
+ $sql = "INSERT INTO ".$this->db->table_name('searches', true)
." (".join(', ', $insert_cols).")"
." VALUES (".join(', ', array_pad(array(), sizeof($insert_values), '?')).")";
@@ -719,5 +839,4 @@
return $this->db->insert_id('searches');
}
-
}
--
Gitblit v1.9.1