/**
 * SQL Password Driver
 *
 * Driver for passwords stored in SQL database
 *
 * @version 1.2
 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**>
 *
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    if (!($sql = $rcmail->config->get('password_query'))) {
        $sql = 'SELECT update_passwd(%c, %u)';
    }
    if ($dsn = $rcmail->config->get('password_db_dsn')) {
        // #1486067: enable new_link option
        if (is_array($dsn) && empty($dsn['new_link'])) {
            $dsn['new_link'] = true;
        } else {
            if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) {
                $dsn .= '?new_link=true';
            }
        }
        $db = new rcube_mdb2($dsn, '', FALSE);
        $db->set_debug((bool) $rcmail->config->get('sql_debug'));
        $db->db_connect('w');
    } else {
        $db = $rcmail->get_dbh();
    }
    if ($err = $db->is_error()) {
        return PASSWORD_ERROR;
    }
    // crypted password
    if (strpos($sql, '%c') !== FALSE) {
        $salt = '';
        if (CRYPT_MD5) {
            $len = rand(3, CRYPT_SALT_LENGTH);
        } else {
            if (CRYPT_STD_DES) {
                $len = 2;
            } else {
                return PASSWORD_CRYPT_ERROR;
            }
        }
        for ($i = 0; $i < $len; $i++) {
            $salt .= chr(rand(ord('.'), ord('z')));
        }
        $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql);
    }
    // hashed passwords
    if (preg_match('/%[n|q]/', $sql)) {
        if (!extension_loaded('hash')) {
            raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false);
            return PASSWORD_ERROR;
        }
        if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
            $hash_algo = 'sha1';
        }
        $hash_passwd = hash($hash_algo, $passwd);
        $hash_curpass = hash($hash_algo, $curpass);
        if ($rcmail->config->get('password_hash_base64')) {
            $hash_passwd = base64_encode(pack('H*', $hash_passwd));
            $hash_curpass = base64_encode(pack('H*', $hash_curpass));
        }
        $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql);
        $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
    }
    $user_info = explode('@', $_SESSION['username']);
    if (count($user_info) >= 2) {
        $sql = str_replace('%l', $db->quote($user_info[0], 'text'), $sql);
        $sql = str_replace('%d', $db->quote($user_info[0], 'text'), $sql);
    }
    $sql = str_replace('%u', $db->quote($_SESSION['username'], 'text'), $sql);
    $sql = str_replace('%h', $db->quote($_SESSION['imap_host'], 'text'), $sql);
    $sql = str_replace('%p', $db->quote($passwd, 'text'), $sql);
    $sql = str_replace('%o', $db->quote($curpass, 'text'), $sql);
    $res = $db->query($sql);
    if (!$db->is_error()) {
        if (strtolower(substr(trim($query), 0, 6)) == 'select') {
            if ($result = $db->fetch_array($res)) {
                return PASSWORD_SUCCESS;
            }
        } else {
            if ($db->affected_rows($res) == 1) {
                return PASSWORD_SUCCESS;
            }
            // This is the good case: 1 row updated
        }
    }
    return PASSWORD_ERROR;
}
Пример #2
0
/**
 * SQL Password Driver
 *
 * Driver for passwords stored in SQL database
 *
 * @version 1.4
 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**>
 *
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    if (!($sql = $rcmail->config->get('password_query'))) {
        $sql = 'SELECT update_passwd(%c, %u)';
    }
    if ($dsn = $rcmail->config->get('password_db_dsn')) {
        // #1486067: enable new_link option
        if (is_array($dsn) && empty($dsn['new_link'])) {
            $dsn['new_link'] = true;
        } else {
            if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) {
                $dsn .= '?new_link=true';
            }
        }
        $db = new rcube_mdb2($dsn, '', FALSE);
        $db->set_debug((bool) $rcmail->config->get('sql_debug'));
        $db->db_connect('w');
    } else {
        $db = $rcmail->get_dbh();
    }
    if ($err = $db->is_error()) {
        return PASSWORD_ERROR;
    }
    // crypted password
    if (strpos($sql, '%c') !== FALSE) {
        $salt = '';
        if (CRYPT_MD5) {
            // Always use eight salt characters for MD5 (#1488136)
            $len = 8;
        } else {
            if (CRYPT_STD_DES) {
                $len = 2;
            } else {
                return PASSWORD_CRYPT_ERROR;
            }
        }
        //Restrict the character set used as salt (#1488136)
        $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
        for ($i = 0; $i < $len; $i++) {
            $salt .= $seedchars[rand(0, 63)];
        }
        $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql);
    }
    // dovecotpw
    if (strpos($sql, '%D') !== FALSE) {
        if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) {
            $dovecotpw = 'dovecotpw';
        }
        if (!($method = $rcmail->config->get('password_dovecotpw_method'))) {
            $method = 'CRAM-MD5';
        }
        // use common temp dir
        $tmp_dir = $rcmail->config->get('temp_dir');
        $tmpfile = tempnam($tmp_dir, 'roundcube-');
        $pipe = popen("{$dovecotpw} -s '{$method}' > '{$tmpfile}'", "w");
        if (!$pipe) {
            unlink($tmpfile);
            return PASSWORD_CRYPT_ERROR;
        } else {
            fwrite($pipe, $passwd . "\n", 1 + strlen($passwd));
            usleep(1000);
            fwrite($pipe, $passwd . "\n", 1 + strlen($passwd));
            pclose($pipe);
            $newpass = trim(file_get_contents($tmpfile), "\n");
            if (!preg_match('/^\\{' . $method . '\\}/', $newpass)) {
                return PASSWORD_CRYPT_ERROR;
            }
            if (!$rcmail->config->get('password_dovecotpw_with_method')) {
                $newpass = trim(str_replace('{' . $method . '}', '', $newpass));
            }
            unlink($tmpfile);
        }
        $sql = str_replace('%D', $db->quote($newpass), $sql);
    }
    // hashed passwords
    if (preg_match('/%[n|q]/', $sql)) {
        if (!extension_loaded('hash')) {
            raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false);
            return PASSWORD_ERROR;
        }
        if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
            $hash_algo = 'sha1';
        }
        $hash_passwd = hash($hash_algo, $passwd);
        $hash_curpass = hash($hash_algo, $curpass);
        if ($rcmail->config->get('password_hash_base64')) {
            $hash_passwd = base64_encode(pack('H*', $hash_passwd));
            $hash_curpass = base64_encode(pack('H*', $hash_curpass));
        }
        $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql);
        $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
    }
    // Handle clear text passwords securely (#1487034)
    $sql_vars = array();
    if (preg_match_all('/%[p|o]/', $sql, $m)) {
        foreach ($m[0] as $var) {
            if ($var == '%p') {
                $sql = preg_replace('/%p/', '?', $sql, 1);
                $sql_vars[] = (string) $passwd;
            } else {
                // %o
                $sql = preg_replace('/%o/', '?', $sql, 1);
                $sql_vars[] = (string) $curpass;
            }
        }
    }
    $local_part = $rcmail->user->get_username('local');
    $domain_part = $rcmail->user->get_username('domain');
    $username = $_SESSION['username'];
    $host = $_SESSION['imap_host'];
    // convert domains to/from punnycode
    if ($rcmail->config->get('password_idn_ascii')) {
        $domain_part = rcube_idn_to_ascii($domain_part);
        $username = rcube_idn_to_ascii($username);
        $host = rcube_idn_to_ascii($host);
    } else {
        $domain_part = rcube_idn_to_utf8($domain_part);
        $username = rcube_idn_to_utf8($username);
        $host = rcube_idn_to_utf8($host);
    }
    // at least we should always have the local part
    $sql = str_replace('%l', $db->quote($local_part, 'text'), $sql);
    $sql = str_replace('%d', $db->quote($domain_part, 'text'), $sql);
    $sql = str_replace('%u', $db->quote($username, 'text'), $sql);
    $sql = str_replace('%h', $db->quote($host, 'text'), $sql);
    $res = $db->query($sql, $sql_vars);
    if (!$db->is_error()) {
        if (strtolower(substr(trim($query), 0, 6)) == 'select') {
            if ($result = $db->fetch_array($res)) {
                return PASSWORD_SUCCESS;
            }
        } else {
            // This is the good case: 1 row updated
            if ($db->affected_rows($res) == 1) {
                return PASSWORD_SUCCESS;
            }
            // @TODO: Some queries don't affect any rows
            // Should we assume a success if there was no error?
        }
    }
    return PASSWORD_ERROR;
}
Пример #3
0
/**
 * SQL Password Driver
 *
 * Driver for passwords stored in SQL database
 *
 * @version 1.3
 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**>
 *
 */
function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    if (!($sql = $rcmail->config->get('password_query'))) {
        $sql = 'SELECT update_passwd(%c, %u)';
    }
    if ($dsn = $rcmail->config->get('password_db_dsn')) {
        // #1486067: enable new_link option
        if (is_array($dsn) && empty($dsn['new_link'])) {
            $dsn['new_link'] = true;
        } else {
            if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) {
                $dsn .= '?new_link=true';
            }
        }
        $db = new rcube_mdb2($dsn, '', FALSE);
        $db->set_debug((bool) $rcmail->config->get('sql_debug'));
        $db->db_connect('w');
    } else {
        $db = $rcmail->get_dbh();
    }
    if ($err = $db->is_error()) {
        return PASSWORD_ERROR;
    }
    // crypted password
    if (strpos($sql, '%c') !== FALSE) {
        $salt = '';
        if (CRYPT_MD5) {
            $len = rand(3, CRYPT_SALT_LENGTH);
        } else {
            if (CRYPT_STD_DES) {
                $len = 2;
            } else {
                return PASSWORD_CRYPT_ERROR;
            }
        }
        for ($i = 0; $i < $len; $i++) {
            $salt .= chr(rand(ord('.'), ord('z')));
        }
        $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql);
    }
    // dovecotpw
    if (strpos($sql, '%D') !== FALSE) {
        if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) {
            $dovecotpw = 'dovecotpw';
        }
        if (!($method = $rcmail->config->get('password_dovecotpw_method'))) {
            $method = 'CRAM-MD5';
        }
        // use common temp dir
        $tmp_dir = $rcmail->config->get('temp_dir');
        $tmpfile = tempnam($tmp_dir, 'roundcube-');
        $pipe = popen("'{$dovecotpw}' -s '{$method}' > '{$tmpfile}'", "w");
        if (!$pipe) {
            unlink($tmpfile);
            return PASSWORD_CRYPT_ERROR;
        } else {
            fwrite($pipe, $passwd . "\n", 1 + strlen($passwd));
            usleep(1000);
            fwrite($pipe, $passwd . "\n", 1 + strlen($passwd));
            pclose($pipe);
            $newpass = trim(file_get_contents($tmpfile), "\n");
            if (!preg_match('/^\\{' . $method . '\\}/', $newpass)) {
                return PASSWORD_CRYPT_ERROR;
            }
            if (!$rcmail->config->get('password_dovecotpw_with_method')) {
                $newpass = trim(str_replace('{' . $method . '}', '', $newpass));
            }
            unlink($tmpfile);
        }
        $sql = str_replace('%D', $db->quote($newpass), $sql);
    }
    // hashed passwords
    if (preg_match('/%[n|q]/', $sql)) {
        if (!extension_loaded('hash')) {
            raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false);
            return PASSWORD_ERROR;
        }
        if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
            $hash_algo = 'sha1';
        }
        $hash_passwd = hash($hash_algo, $passwd);
        $hash_curpass = hash($hash_algo, $curpass);
        if ($rcmail->config->get('password_hash_base64')) {
            $hash_passwd = base64_encode(pack('H*', $hash_passwd));
            $hash_curpass = base64_encode(pack('H*', $hash_curpass));
        }
        $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql);
        $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
    }
    // Handle clear text passwords securely (#1487034)
    $sql_vars = array();
    if (preg_match_all('/%[p|o]/', $sql, $m)) {
        foreach ($m[0] as $var) {
            if ($var == '%p') {
                $sql = preg_replace('/%p/', '?', $sql, 1);
                $sql_vars[] = (string) $passwd;
            } else {
                // %o
                $sql = preg_replace('/%o/', '?', $sql, 1);
                $sql_vars[] = (string) $curpass;
            }
        }
    }
    // at least we should always have the local part
    $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
    $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
    $sql = str_replace('%u', $db->quote($_SESSION['username'], 'text'), $sql);
    $sql = str_replace('%h', $db->quote($_SESSION['imap_host'], 'text'), $sql);
    $res = $db->query($sql, $sql_vars);
    if (!$db->is_error()) {
        if (strtolower(substr(trim($query), 0, 6)) == 'select') {
            if ($result = $db->fetch_array($res)) {
                return PASSWORD_SUCCESS;
            }
        } else {
            if ($db->affected_rows($res) == 1) {
                return PASSWORD_SUCCESS;
            }
            // This is the good case: 1 row updated
        }
    }
    return PASSWORD_ERROR;
}
Пример #4
0
 private function read_squirrel_prefs($uname)
 {
     $rcmail = rcmail::get_instance();
     /**** File based backend ****/
     if ($rcmail->config->get('squirrelmail_driver') == 'file' && ($srcdir = $rcmail->config->get('squirrelmail_data_dir'))) {
         if (($hash_level = $rcmail->config->get('squirrelmail_data_dir_hash_level')) > 0) {
             $srcdir = slashify($srcdir) . chunk_split(substr(base_convert(crc32($uname), 10, 16), 0, $hash_level), 1, '/');
         }
         $prefsfile = slashify($srcdir) . $uname . '.pref';
         $abookfile = slashify($srcdir) . $uname . '.abook';
         $sigfile = slashify($srcdir) . $uname . '.sig';
         $sigbase = slashify($srcdir) . $uname . '.si';
         if (is_readable($prefsfile)) {
             $this->prefs = array();
             foreach (file($prefsfile) as $line) {
                 list($key, $value) = explode('=', $line);
                 $this->prefs[$key] = utf8_encode(rtrim($value));
             }
             // also read signature file if exists
             if (is_readable($sigfile)) {
                 $this->prefs['___signature___'] = utf8_encode(file_get_contents($sigfile));
             }
             if (isset($this->prefs['identities']) && $this->prefs['identities'] > 1) {
                 for ($i = 1; $i < $this->prefs['identities']; $i++) {
                     // read signature file if exists
                     if (is_readable($sigbase . $i)) {
                         $this->prefs['___sig' . $i . '___'] = utf8_encode(file_get_contents($sigbase . $i));
                     }
                 }
             }
             // parse addres book file
             if (filesize($abookfile)) {
                 foreach (file($abookfile) as $line) {
                     list($rec['name'], $rec['firstname'], $rec['surname'], $rec['email']) = explode('|', utf8_encode(rtrim($line)));
                     if ($rec['name'] && $rec['email']) {
                         $this->abook[] = $rec;
                     }
                 }
             }
         }
     } else {
         if ($rcmail->config->get('squirrelmail_driver') == 'sql') {
             $this->prefs = array();
             /* connect to squirrelmail database */
             $db = new rcube_mdb2($rcmail->config->get('squirrelmail_dsn'));
             $db->db_connect('r');
             // connect in read mode
             // $db->set_debug(true);
             /* retrieve prefs */
             $userprefs_table = $rcmail->config->get('squirrelmail_userprefs_table');
             $address_table = $rcmail->config->get('squirrelmail_address_table');
             $db_charset = $rcmail->config->get('squirrelmail_db_charset');
             if ($db_charset) {
                 $db->query('SET NAMES ' . $db_charset);
             }
             $sql_result = $db->query('SELECT * FROM ' . $userprefs_table . ' WHERE user=?', $uname);
             // ? is replaced with emailaddress
             while ($sql_array = $db->fetch_assoc($sql_result)) {
                 // fetch one row from result
                 $this->prefs[$sql_array['prefkey']] = rcube_charset_convert(rtrim($sql_array['prefval']), $db_charset);
             }
             /* retrieve address table data */
             $sql_result = $db->query('SELECT * FROM ' . $address_table . ' WHERE owner=?', $uname);
             // ? is replaced with emailaddress
             // parse addres book
             while ($sql_array = $db->fetch_assoc($sql_result)) {
                 // fetch one row from result
                 $rec['name'] = rcube_charset_convert(rtrim($sql_array['nickname']), $db_charset);
                 $rec['firstname'] = rcube_charset_convert(rtrim($sql_array['firstname']), $db_charset);
                 $rec['surname'] = rcube_charset_convert(rtrim($sql_array['lastname']), $db_charset);
                 $rec['email'] = rcube_charset_convert(rtrim($sql_array['email']), $db_charset);
                 $rec['note'] = rcube_charset_convert(rtrim($sql_array['label']), $db_charset);
                 if ($rec['name'] && $rec['email']) {
                     $this->abook[] = $rec;
                 }
             }
         }
     }
     // end if 'sql'-driver
 }
Пример #5
0
    }
    if (!$pass) {
        echo '<p class="hint">Use <tt>chmod</tt> or <tt>chown</tt> to grant write privileges to the webserver</p>';
    }
} else {
    $RCI->fail('Config', 'Could not read config files');
}
?>

<h3>Check configured database settings</h3>
<?php 
$db_working = false;
if ($RCI->configured) {
    if (!empty($RCI->config['db_dsnw'])) {
        $DB = new rcube_mdb2($RCI->config['db_dsnw'], '', false);
        $DB->db_connect('w');
        if (!($db_error_msg = $DB->is_error())) {
            $RCI->pass('DSN (write)');
            echo '<br />';
            $db_working = true;
        } else {
            $RCI->fail('DSN (write)', $db_error_msg);
            echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
            echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
        }
    } else {
        $RCI->fail('DSN (write)', 'not set');
    }
} else {
    $RCI->fail('Config', 'Could not read config files');
}