From 0344b168276f80189e2254c75a762aff5b517b6b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 22 May 2016 06:32:57 -0400
Subject: [PATCH] Fix priority icon(s) position
---
program/include/rcmail.php | 95 +++++++++++++++++++++++++++++------------------
1 files changed, 59 insertions(+), 36 deletions(-)
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index faf7af8..f97e659 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -60,6 +60,7 @@
const ERROR_INVALID_REQUEST = 1;
const ERROR_INVALID_HOST = 2;
const ERROR_COOKIES_DISABLED = 3;
+ const ERROR_RATE_LIMIT = 4;
/**
@@ -178,9 +179,11 @@
// set localization
setlocale(LC_ALL, $lang . '.utf8', $lang . '.UTF-8', 'en_US.utf8', 'en_US.UTF-8');
- // workaround for http://bugs.php.net/bug.php?id=18556
- if (PHP_VERSION_ID < 50500 && in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
- setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8');
+ // Workaround for http://bugs.php.net/bug.php?id=18556
+ // Also strtoupper/strtolower and other methods are locale-aware
+ // for these locales it is problematic (#1490519)
+ if (in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
+ setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8', 'C');
}
}
@@ -491,7 +494,7 @@
*
* @return boolean True on success, False on failure
*/
- function login($username, $pass, $host = null, $cookiecheck = false)
+ function login($username, $password, $host = null, $cookiecheck = false)
{
$this->login_error = null;
@@ -504,10 +507,22 @@
return false;
}
+ $username_filter = $this->config->get('login_username_filter');
+ $username_maxlen = $this->config->get('login_username_maxlen', 1024);
+ $password_maxlen = $this->config->get('login_password_maxlen', 1024);
$default_host = $this->config->get('default_host');
$default_port = $this->config->get('default_port');
$username_domain = $this->config->get('username_domain');
$login_lc = $this->config->get('login_lc', 2);
+
+ // check input for security (#1490500)
+ if (($username_maxlen && strlen($username) > $username_maxlen)
+ || ($username_filter && !preg_match($username_filter, $username))
+ || ($password_maxlen && strlen($password) > $password_maxlen)
+ ) {
+ $this->login_error = self::ERROR_INVALID_REQUEST;
+ return false;
+ }
// host is validated in rcmail::autoselect_host(), so here
// we'll only handle unset host (if possible)
@@ -588,12 +603,24 @@
// user already registered -> overwrite username
if ($user = rcube_user::query($username, $host)) {
$username = $user->data['username'];
+
+ // Brute-force prevention
+ if ($user->is_locked()) {
+ $this->login_error = self::ERROR_RATE_LIMIT;
+ return false;
+ }
}
$storage = $this->get_storage();
// try to log in
- if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+ if (!$storage->connect($host, $username, $password, $port, $ssl)) {
+ if ($user) {
+ $user->failed_login();
+ }
+
+ // Wait a second to slow down brute-force attacks (#1490549)
+ sleep(1);
return false;
}
@@ -639,7 +666,7 @@
$_SESSION['storage_host'] = $host;
$_SESSION['storage_port'] = $port;
$_SESSION['storage_ssl'] = $ssl;
- $_SESSION['password'] = $this->encrypt($pass);
+ $_SESSION['password'] = $this->encrypt($password);
$_SESSION['login_time'] = time();
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@@ -808,11 +835,13 @@
// remove old token from the path
$base_path = rtrim($base_path, '/');
- $base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path);
+ $base_path = preg_replace('/\/[a-zA-Z0-9]{' . strlen($token) . '}$/', '', $base_path);
// this need to be full url to make redirects work
$absolute = true;
}
+ else if ($secure && ($token = $this->get_request_token()))
+ $url .= $delm . '_token=' . urlencode($token);
if ($absolute || $full) {
// add base path to this Roundcube installation
@@ -1065,6 +1094,12 @@
// failed login
if ($failed_login) {
+ // don't fill the log with complete input, which could
+ // have been prepared by a hacker
+ if (strlen($user) > 256) {
+ $user = substr($user, 0, 256) . '...';
+ }
+
$message = sprintf('Failed login for %s from %s in session %s (error: %d)',
$user, rcube_utils::remote_ip(), session_id(), $error_code);
}
@@ -1862,6 +1897,8 @@
$spelldict = intval($this->config->get('spellcheck_dictionary'));
$disabled_plugins = array();
$disabled_buttons = array();
+ $extra_plugins = array();
+ $extra_buttons = array();
if (!$spellcheck) {
$disabled_plugins[] = 'spellchecker';
@@ -1871,6 +1908,8 @@
'mode' => $mode,
'disabled_plugins' => $disabled_plugins,
'disabled_buttons' => $disabled_buttons,
+ 'extra_plugins' => $extra_plugins,
+ 'extra_buttons' => $extra_buttons,
));
if ($hook['abort']) {
@@ -1902,6 +1941,8 @@
'spelldict' => $spelldict,
'disabled_plugins' => $hook['disabled_plugins'],
'disabled_buttons' => $hook['disabled_buttons'],
+ 'extra_plugins' => $hook['extra_plugins'],
+ 'extra_buttons' => $hook['extra_buttons'],
);
$this->output->add_label('selectimage', 'addimage', 'selectmedia', 'addmedia');
@@ -2130,7 +2171,7 @@
/**
* Returns supported font-family specifications
*
- * @param string $font Font name
+ * @param string $font Font name
*
* @param string|array Font-family specification array or string (if $font is used)
*/
@@ -2162,8 +2203,8 @@
/**
* Create a human readable string for a number of bytes
*
- * @param int Number of bytes
- * @param string Size unit
+ * @param int $bytes Number of bytes
+ * @param string &$unit Size unit
*
* @return string Byte string
*/
@@ -2194,7 +2235,7 @@
/**
* Returns real size (calculated) of the message part
*
- * @param rcube_message_part Message part
+ * @param rcube_message_part $part Message part
*
* @return string Part size (and unit)
*/
@@ -2204,12 +2245,12 @@
$size = $this->show_bytes((int)$part->d_parameters['size']);
}
else {
- $size = $part->size;
- if ($part->encoding == 'base64') {
- $size = $size / 1.33;
- }
+ $size = $part->size;
+ if ($part->encoding == 'base64') {
+ $size = $size / 1.33;
+ }
- $size = '~' . $this->show_bytes($size);
+ $size = '~' . $this->show_bytes($size);
}
return $size;
@@ -2278,6 +2319,8 @@
* Get resource file content (with assets_dir support)
*
* @param string $name File name
+ *
+ * @return string File content
*/
public function get_resource_content($name)
{
@@ -2328,26 +2371,6 @@
}
return $options['body'];
- }
-
-
- /************************************************************************
- ********* Deprecated methods (to be removed) *********
- ***********************************************************************/
-
- public static function setcookie($name, $value, $exp = 0)
- {
- rcube_utils::setcookie($name, $value, $exp);
- }
-
- public function imap_connect()
- {
- return $this->storage_connect();
- }
-
- public function imap_init()
- {
- return $this->storage_init();
}
/**
--
Gitblit v1.9.1