From f6336f7f7ec7e65290b6fde23b8fd64627fe15b8 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 05 Feb 2015 05:29:23 -0500
Subject: [PATCH] Fix security issue in DBMail driver of password plugin (#1490261)
---
 plugins/password/drivers/dbmail.php | 17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index 5cfe92c..d02cd1c 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -20,10 +20,23 @@
 function save($currpass, $newpass)
 {
 $curdir = RCUBE_PLUGINS_DIR . 'password/helpers';
- $username = escapeshellcmd($_SESSION['username']);
+ $username = escapeshellarg($_SESSION['username']);
+ $password = escapeshellarg($newpass);
 $args = rcmail::get_instance()->config->get('password_dbmail_args', '');
+ $command = "$curdir/chgdbmailusers -c $username -w $password $args";
- exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+ if (strlen($command) > 1024) {
+ rcube::raise_error(array(
+ 'code' => 600,
+ 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Password plugin: The command is too long."
+ ), true, false);
+
+ return PASSWORD_ERROR;
+ }
+
+ exec($command, $output, $returnvalue);
 if ($returnvalue == 0) {
 return PASSWORD_SUCCESS;
-- 
Gitblit v1.9.1
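Review bot: The new password is still handed to the helper in argv (`-w $password` inside `$command`), so while `chgdbmailusers` runs it is readable by any local account that can list processes; `escapeshellarg()` closes the injection but not that exposure. Whether the helper can read the password from stdin is not visible in this hunk, so at minimum I would add a comment above `$command`, `// NOTE: the new password is visible in the process list while the helper runs`, and track moving it to a pipe opened with `proc_open()`. The limit in `strlen($command) > 1024` is unexplained; a one-line comment naming what it protects (presumably a fixed buffer in the helper, to be confirmed) would keep it from being changed blindly. `$args` from `password_dbmail_args` is appended unquoted, which is safe only while that option stays administrator-controlled, and the same comment should say so. The body of save() continues past the end of the hunk.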