From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/password/config.inc.php.dist |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 37c7931..e960bbe 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -25,6 +25,12 @@
 // will be not available (no Password tab in Settings)
 $rcmail_config['password_login_exceptions'] = null;
 
+// Array of hosts that support password changing. Default is NULL.
+// Listed hosts will feature a Password option in Settings; others will not.
+// Example:
+//$rcmail_config['password_hosts'] = array('mail.example.com', 'mail2.example.org');
+$rcmail_config['password_hosts'] = null;
+
 
 // SQL Driver options
 // ------------------
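Review bot: The new comment on `password_hosts` documents only the Settings UI effect ("Listed hosts will feature a Password option"); it does not say what the NULL default means, nor whether a change-password request coming from an unlisted host is also refused when submitted rather than merely hidden, and the plugin code that reads this option is not part of the diff. I would extend the comment with `// NULL (default): no host restriction, the Password option is offered on every host` (if that is what the plugin does) and a sentence stating whether unlisted hosts are rejected server-side on submit as well. Separately, the subject line refers to the `_session` argument of `utils/save-prefs`, which nothing in this patch touches — the message appears to belong to a different change.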
@@ -36,7 +42,8 @@
 // The query can contain the following macros that will be expanded as follows:
 //      %p is replaced with the plaintext new password
 //      %c is replaced with the crypt version of the new password, MD5 if available
-//         otherwise DES.
+//         otherwise DES. More hash function can be enabled using the password_crypt_hash 
+//         configuration parameter.
 //      %D is replaced with the dovecotpw-crypted version of the new password
 //      %o is replaced with the password before the change
 //      %n is replaced with the hashed version of the new password
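Review bot: The sentence added to the `%c` description reads `More hash function can be enabled using the password_crypt_hash` — it should be `More hash functions can be selected with the password_crypt_hash option`, and the line carries a trailing space after `password_crypt_hash`. "Enabled" also suggests several algorithms can be active at once, whereas the option defined further down takes a single algorithm name; "selected" matches that.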
@@ -51,6 +58,13 @@
 // Default: "SELECT update_passwd(%c, %u)"
 $rcmail_config['password_query'] = 'SELECT update_passwd(%c, %u)';
 
+// By default the crypt() function which is used to create the '%c' 
+// parameter uses the md5 algorithm. To use different algorithms 
+// you can choose between: des, md5, blowfish, sha256, sha512.
+// Before using other hash functions than des or md5 please make sure
+// your operating system supports the other hash functions.
+$rcmail_config['password_crypt_hash'] = 'md5';
+
 // By default domains in variables are using unicode.
 // Enable this option to use punycoded names
 $rcmail_config['password_idn_ascii'] = false;
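Review bot: The comment for `password_crypt_hash` lists des and md5 alongside sha256/sha512 with no strength caveat: DES-crypt uses only the first 8 characters of the password and a 12-bit salt, and md5-crypt is no longer considered adequate, so operators should be steered toward sha512 (or blowfish) and told the weak ones exist for compatibility with existing hashes. I would add `// des and md5 are retained for compatibility with existing hashes; prefer sha512 or blowfish for new deployments` above the default line. The "make sure your operating system supports" sentence is better made actionable: PHP exposes CRYPT_BLOWFISH, CRYPT_SHA256 and CRYPT_SHA512 constants (1 when available) that can be checked from `php -r`. How the plugin handles an unrecognised algorithm name cannot be judged here, since the code consuming this value is not in the diff.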

--
Gitblit v1.9.1