From f6336f7f7ec7e65290b6fde23b8fd64627fe15b8 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 05 Feb 2015 05:29:23 -0500
Subject: [PATCH] Fix security issue in DBMail driver of password plugin (#1490261)

---
 CHANGELOG                                 |    1 +
 plugins/password/drivers/dbmail.php       |   17 +++++++++++++++--
 plugins/password/helpers/chgdbmailusers.c |    2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index dfa047d..1933a07 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@
 ===========================
 
 - Make SMTP error log more verbose - include server response and error code
+- Fix security issue in DBMail driver of password plugin (#1490261)
 
 RELEASE 1.0.5
 -------------
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index 5cfe92c..d02cd1c 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -20,10 +20,23 @@
     function save($currpass, $newpass)
     {
         $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $username = escapeshellarg($_SESSION['username']);
+        $password = escapeshellarg($newpass);
         $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
+        $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
 
-        exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+        if (strlen($command) > 1024) {
+            rcube::raise_error(array(
+                'code' => 600,
+                'type' => 'php',
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Password plugin: The command is too long."
+                ), true, false);
+
+            return PASSWORD_ERROR;
+        }
+
+        exec($command, $output, $returnvalue);
 
         if ($returnvalue == 0) {
             return PASSWORD_SUCCESS;
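Review bot: The `strlen($command) > 1024` guard does not reliably bound what ends up in the helper's 1024-byte `cmnd` buffer. It measures the PHP-side string (helper path plus shell quoting) rather than whatever the helper builds after `strcpy(cmnd, CMD)`, and a command of exactly 1024 bytes passes with no room for the terminating NUL. At minimum use `if (strlen($command) >= 1024) {`, and treat this as a friendly early error, with the real limit enforced inside the helper. Separately, `-w $password` still puts the new password on a command line, where other local users can usually read it from the process list while the helper runs; passing it over stdin would avoid that if the helper can be changed. `save()` continues past the end of this hunk.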
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
index 2279385..be23755 100644
--- a/plugins/password/helpers/chgdbmailusers.c
+++ b/plugins/password/helpers/chgdbmailusers.c
@@ -16,7 +16,7 @@
 main(int argc, char *argv[])
 {
   int cnt,rc,cc;
-  char cmnd[255];
+  char cmnd[1024];
 
   strcpy(cmnd, CMD);
 
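Review bot: Enlarging `cmnd` to 1024 bytes only raises the overflow threshold; the unchecked `strcpy(cmnd, CMD)` remains, and the only length limit is the one the PHP driver applies before calling the helper, which any other caller able to execute this binary bypasses. The helper should bound its own writes, e.g. by checking `if (strlen(cmnd) + strlen(argv[cnt]) + 2 > sizeof(cmnd))` and exiting with an error before each append (assuming the arguments are appended in a loop over `argv`). The rest of `main` is outside the hunk, so how `cmnd` is filled and executed is not visible here. If it is rebuilt from `argv` and handed to a shell, the quoting added by `escapeshellarg()` in dbmail.php is already consumed by the first shell and no longer protects the second one; passing the argument vector straight to an `exec*` call would remove that dependency.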

--
Gitblit v1.9.1