From f6336f7f7ec7e65290b6fde23b8fd64627fe15b8 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 05 Feb 2015 05:29:23 -0500
Subject: [PATCH] Fix security issue in DBMail driver of password plugin (#1490261)

---
 plugins/password/drivers/dbmail.php |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index 5cfe92c..d02cd1c 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -20,10 +20,23 @@
     function save($currpass, $newpass)
     {
         $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $username = escapeshellarg($_SESSION['username']);
+        $password = escapeshellarg($newpass);
         $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
+        $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
 
-        exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+        if (strlen($command) > 1024) {
+            rcube::raise_error(array(
+                'code' => 600,
+                'type' => 'php',
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Password plugin: The command is too long."
+                ), true, false);
+
+            return PASSWORD_ERROR;
+        }
+
+        exec($command, $output, $returnvalue);
 
         if ($returnvalue == 0) {
             return PASSWORD_SUCCESS;

--
Gitblit v1.9.1