/** * SQL Password Driver * * Driver for passwords stored in SQL database * * @version 1.2 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**> * */ function password_save($curpass, $passwd) { $rcmail = rcmail::get_instance(); if (!($sql = $rcmail->config->get('password_query'))) { $sql = 'SELECT update_passwd(%c, %u)'; } if ($dsn = $rcmail->config->get('password_db_dsn')) { // #1486067: enable new_link option if (is_array($dsn) && empty($dsn['new_link'])) { $dsn['new_link'] = true; } else { if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) { $dsn .= '?new_link=true'; } } $db = new rcube_mdb2($dsn, '', FALSE); $db->set_debug((bool) $rcmail->config->get('sql_debug')); $db->db_connect('w'); } else { $db = $rcmail->get_dbh(); } if ($err = $db->is_error()) { return PASSWORD_ERROR; } // crypted password if (strpos($sql, '%c') !== FALSE) { $salt = ''; if (CRYPT_MD5) { $len = rand(3, CRYPT_SALT_LENGTH); } else { if (CRYPT_STD_DES) { $len = 2; } else { return PASSWORD_CRYPT_ERROR; } } for ($i = 0; $i < $len; $i++) { $salt .= chr(rand(ord('.'), ord('z'))); } $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql); } // hashed passwords if (preg_match('/%[n|q]/', $sql)) { if (!extension_loaded('hash')) { raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false); return PASSWORD_ERROR; } if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { $hash_algo = 'sha1'; } $hash_passwd = hash($hash_algo, $passwd); $hash_curpass = hash($hash_algo, $curpass); if ($rcmail->config->get('password_hash_base64')) { $hash_passwd = base64_encode(pack('H*', $hash_passwd)); $hash_curpass = base64_encode(pack('H*', $hash_curpass)); } $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); } $user_info = explode('@', $_SESSION['username']); if (count($user_info) >= 2) { $sql = str_replace('%l', $db->quote($user_info[0], 'text'), $sql); $sql = str_replace('%d', $db->quote($user_info[0], 'text'), $sql); } $sql = str_replace('%u', $db->quote($_SESSION['username'], 'text'), $sql); $sql = str_replace('%h', $db->quote($_SESSION['imap_host'], 'text'), $sql); $sql = str_replace('%p', $db->quote($passwd, 'text'), $sql); $sql = str_replace('%o', $db->quote($curpass, 'text'), $sql); $res = $db->query($sql); if (!$db->is_error()) { if (strtolower(substr(trim($query), 0, 6)) == 'select') { if ($result = $db->fetch_array($res)) { return PASSWORD_SUCCESS; } } else { if ($db->affected_rows($res) == 1) { return PASSWORD_SUCCESS; } // This is the good case: 1 row updated } } return PASSWORD_ERROR; }
/** * SQL Password Driver * * Driver for passwords stored in SQL database * * @version 1.4 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**> * */ function password_save($curpass, $passwd) { $rcmail = rcmail::get_instance(); if (!($sql = $rcmail->config->get('password_query'))) { $sql = 'SELECT update_passwd(%c, %u)'; } if ($dsn = $rcmail->config->get('password_db_dsn')) { // #1486067: enable new_link option if (is_array($dsn) && empty($dsn['new_link'])) { $dsn['new_link'] = true; } else { if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) { $dsn .= '?new_link=true'; } } $db = new rcube_mdb2($dsn, '', FALSE); $db->set_debug((bool) $rcmail->config->get('sql_debug')); $db->db_connect('w'); } else { $db = $rcmail->get_dbh(); } if ($err = $db->is_error()) { return PASSWORD_ERROR; } // crypted password if (strpos($sql, '%c') !== FALSE) { $salt = ''; if (CRYPT_MD5) { // Always use eight salt characters for MD5 (#1488136) $len = 8; } else { if (CRYPT_STD_DES) { $len = 2; } else { return PASSWORD_CRYPT_ERROR; } } //Restrict the character set used as salt (#1488136) $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; for ($i = 0; $i < $len; $i++) { $salt .= $seedchars[rand(0, 63)]; } $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql); } // dovecotpw if (strpos($sql, '%D') !== FALSE) { if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) { $dovecotpw = 'dovecotpw'; } if (!($method = $rcmail->config->get('password_dovecotpw_method'))) { $method = 'CRAM-MD5'; } // use common temp dir $tmp_dir = $rcmail->config->get('temp_dir'); $tmpfile = tempnam($tmp_dir, 'roundcube-'); $pipe = popen("{$dovecotpw} -s '{$method}' > '{$tmpfile}'", "w"); if (!$pipe) { unlink($tmpfile); return PASSWORD_CRYPT_ERROR; } else { fwrite($pipe, $passwd . "\n", 1 + strlen($passwd)); usleep(1000); fwrite($pipe, $passwd . "\n", 1 + strlen($passwd)); pclose($pipe); $newpass = trim(file_get_contents($tmpfile), "\n"); if (!preg_match('/^\\{' . $method . '\\}/', $newpass)) { return PASSWORD_CRYPT_ERROR; } if (!$rcmail->config->get('password_dovecotpw_with_method')) { $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); } unlink($tmpfile); } $sql = str_replace('%D', $db->quote($newpass), $sql); } // hashed passwords if (preg_match('/%[n|q]/', $sql)) { if (!extension_loaded('hash')) { raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false); return PASSWORD_ERROR; } if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { $hash_algo = 'sha1'; } $hash_passwd = hash($hash_algo, $passwd); $hash_curpass = hash($hash_algo, $curpass); if ($rcmail->config->get('password_hash_base64')) { $hash_passwd = base64_encode(pack('H*', $hash_passwd)); $hash_curpass = base64_encode(pack('H*', $hash_curpass)); } $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); } // Handle clear text passwords securely (#1487034) $sql_vars = array(); if (preg_match_all('/%[p|o]/', $sql, $m)) { foreach ($m[0] as $var) { if ($var == '%p') { $sql = preg_replace('/%p/', '?', $sql, 1); $sql_vars[] = (string) $passwd; } else { // %o $sql = preg_replace('/%o/', '?', $sql, 1); $sql_vars[] = (string) $curpass; } } } $local_part = $rcmail->user->get_username('local'); $domain_part = $rcmail->user->get_username('domain'); $username = $_SESSION['username']; $host = $_SESSION['imap_host']; // convert domains to/from punnycode if ($rcmail->config->get('password_idn_ascii')) { $domain_part = rcube_idn_to_ascii($domain_part); $username = rcube_idn_to_ascii($username); $host = rcube_idn_to_ascii($host); } else { $domain_part = rcube_idn_to_utf8($domain_part); $username = rcube_idn_to_utf8($username); $host = rcube_idn_to_utf8($host); } // at least we should always have the local part $sql = str_replace('%l', $db->quote($local_part, 'text'), $sql); $sql = str_replace('%d', $db->quote($domain_part, 'text'), $sql); $sql = str_replace('%u', $db->quote($username, 'text'), $sql); $sql = str_replace('%h', $db->quote($host, 'text'), $sql); $res = $db->query($sql, $sql_vars); if (!$db->is_error()) { if (strtolower(substr(trim($query), 0, 6)) == 'select') { if ($result = $db->fetch_array($res)) { return PASSWORD_SUCCESS; } } else { // This is the good case: 1 row updated if ($db->affected_rows($res) == 1) { return PASSWORD_SUCCESS; } // @TODO: Some queries don't affect any rows // Should we assume a success if there was no error? } } return PASSWORD_ERROR; }
/** * SQL Password Driver * * Driver for passwords stored in SQL database * * @version 1.3 * @author Aleksander 'A.L.E.C' Machniak <*****@*****.**> * */ function password_save($curpass, $passwd) { $rcmail = rcmail::get_instance(); if (!($sql = $rcmail->config->get('password_query'))) { $sql = 'SELECT update_passwd(%c, %u)'; } if ($dsn = $rcmail->config->get('password_db_dsn')) { // #1486067: enable new_link option if (is_array($dsn) && empty($dsn['new_link'])) { $dsn['new_link'] = true; } else { if (!is_array($dsn) && !preg_match('/\\?new_link=true/', $dsn)) { $dsn .= '?new_link=true'; } } $db = new rcube_mdb2($dsn, '', FALSE); $db->set_debug((bool) $rcmail->config->get('sql_debug')); $db->db_connect('w'); } else { $db = $rcmail->get_dbh(); } if ($err = $db->is_error()) { return PASSWORD_ERROR; } // crypted password if (strpos($sql, '%c') !== FALSE) { $salt = ''; if (CRYPT_MD5) { $len = rand(3, CRYPT_SALT_LENGTH); } else { if (CRYPT_STD_DES) { $len = 2; } else { return PASSWORD_CRYPT_ERROR; } } for ($i = 0; $i < $len; $i++) { $salt .= chr(rand(ord('.'), ord('z'))); } $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$' . $salt . '$' : $salt)), $sql); } // dovecotpw if (strpos($sql, '%D') !== FALSE) { if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) { $dovecotpw = 'dovecotpw'; } if (!($method = $rcmail->config->get('password_dovecotpw_method'))) { $method = 'CRAM-MD5'; } // use common temp dir $tmp_dir = $rcmail->config->get('temp_dir'); $tmpfile = tempnam($tmp_dir, 'roundcube-'); $pipe = popen("'{$dovecotpw}' -s '{$method}' > '{$tmpfile}'", "w"); if (!$pipe) { unlink($tmpfile); return PASSWORD_CRYPT_ERROR; } else { fwrite($pipe, $passwd . "\n", 1 + strlen($passwd)); usleep(1000); fwrite($pipe, $passwd . "\n", 1 + strlen($passwd)); pclose($pipe); $newpass = trim(file_get_contents($tmpfile), "\n"); if (!preg_match('/^\\{' . $method . '\\}/', $newpass)) { return PASSWORD_CRYPT_ERROR; } if (!$rcmail->config->get('password_dovecotpw_with_method')) { $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); } unlink($tmpfile); } $sql = str_replace('%D', $db->quote($newpass), $sql); } // hashed passwords if (preg_match('/%[n|q]/', $sql)) { if (!extension_loaded('hash')) { raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Password plugin: 'hash' extension not loaded!"), true, false); return PASSWORD_ERROR; } if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { $hash_algo = 'sha1'; } $hash_passwd = hash($hash_algo, $passwd); $hash_curpass = hash($hash_algo, $curpass); if ($rcmail->config->get('password_hash_base64')) { $hash_passwd = base64_encode(pack('H*', $hash_passwd)); $hash_curpass = base64_encode(pack('H*', $hash_curpass)); } $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); } // Handle clear text passwords securely (#1487034) $sql_vars = array(); if (preg_match_all('/%[p|o]/', $sql, $m)) { foreach ($m[0] as $var) { if ($var == '%p') { $sql = preg_replace('/%p/', '?', $sql, 1); $sql_vars[] = (string) $passwd; } else { // %o $sql = preg_replace('/%o/', '?', $sql, 1); $sql_vars[] = (string) $curpass; } } } // at least we should always have the local part $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql); $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql); $sql = str_replace('%u', $db->quote($_SESSION['username'], 'text'), $sql); $sql = str_replace('%h', $db->quote($_SESSION['imap_host'], 'text'), $sql); $res = $db->query($sql, $sql_vars); if (!$db->is_error()) { if (strtolower(substr(trim($query), 0, 6)) == 'select') { if ($result = $db->fetch_array($res)) { return PASSWORD_SUCCESS; } } else { if ($db->affected_rows($res) == 1) { return PASSWORD_SUCCESS; } // This is the good case: 1 row updated } } return PASSWORD_ERROR; }
private function read_squirrel_prefs($uname) { $rcmail = rcmail::get_instance(); /**** File based backend ****/ if ($rcmail->config->get('squirrelmail_driver') == 'file' && ($srcdir = $rcmail->config->get('squirrelmail_data_dir'))) { if (($hash_level = $rcmail->config->get('squirrelmail_data_dir_hash_level')) > 0) { $srcdir = slashify($srcdir) . chunk_split(substr(base_convert(crc32($uname), 10, 16), 0, $hash_level), 1, '/'); } $prefsfile = slashify($srcdir) . $uname . '.pref'; $abookfile = slashify($srcdir) . $uname . '.abook'; $sigfile = slashify($srcdir) . $uname . '.sig'; $sigbase = slashify($srcdir) . $uname . '.si'; if (is_readable($prefsfile)) { $this->prefs = array(); foreach (file($prefsfile) as $line) { list($key, $value) = explode('=', $line); $this->prefs[$key] = utf8_encode(rtrim($value)); } // also read signature file if exists if (is_readable($sigfile)) { $this->prefs['___signature___'] = utf8_encode(file_get_contents($sigfile)); } if (isset($this->prefs['identities']) && $this->prefs['identities'] > 1) { for ($i = 1; $i < $this->prefs['identities']; $i++) { // read signature file if exists if (is_readable($sigbase . $i)) { $this->prefs['___sig' . $i . '___'] = utf8_encode(file_get_contents($sigbase . $i)); } } } // parse addres book file if (filesize($abookfile)) { foreach (file($abookfile) as $line) { list($rec['name'], $rec['firstname'], $rec['surname'], $rec['email']) = explode('|', utf8_encode(rtrim($line))); if ($rec['name'] && $rec['email']) { $this->abook[] = $rec; } } } } } else { if ($rcmail->config->get('squirrelmail_driver') == 'sql') { $this->prefs = array(); /* connect to squirrelmail database */ $db = new rcube_mdb2($rcmail->config->get('squirrelmail_dsn')); $db->db_connect('r'); // connect in read mode // $db->set_debug(true); /* retrieve prefs */ $userprefs_table = $rcmail->config->get('squirrelmail_userprefs_table'); $address_table = $rcmail->config->get('squirrelmail_address_table'); $db_charset = $rcmail->config->get('squirrelmail_db_charset'); if ($db_charset) { $db->query('SET NAMES ' . $db_charset); } $sql_result = $db->query('SELECT * FROM ' . $userprefs_table . ' WHERE user=?', $uname); // ? is replaced with emailaddress while ($sql_array = $db->fetch_assoc($sql_result)) { // fetch one row from result $this->prefs[$sql_array['prefkey']] = rcube_charset_convert(rtrim($sql_array['prefval']), $db_charset); } /* retrieve address table data */ $sql_result = $db->query('SELECT * FROM ' . $address_table . ' WHERE owner=?', $uname); // ? is replaced with emailaddress // parse addres book while ($sql_array = $db->fetch_assoc($sql_result)) { // fetch one row from result $rec['name'] = rcube_charset_convert(rtrim($sql_array['nickname']), $db_charset); $rec['firstname'] = rcube_charset_convert(rtrim($sql_array['firstname']), $db_charset); $rec['surname'] = rcube_charset_convert(rtrim($sql_array['lastname']), $db_charset); $rec['email'] = rcube_charset_convert(rtrim($sql_array['email']), $db_charset); $rec['note'] = rcube_charset_convert(rtrim($sql_array['label']), $db_charset); if ($rec['name'] && $rec['email']) { $this->abook[] = $rec; } } } } // end if 'sql'-driver }
} if (!$pass) { echo '<p class="hint">Use <tt>chmod</tt> or <tt>chown</tt> to grant write privileges to the webserver</p>'; } } else { $RCI->fail('Config', 'Could not read config files'); } ?> <h3>Check configured database settings</h3> <?php $db_working = false; if ($RCI->configured) { if (!empty($RCI->config['db_dsnw'])) { $DB = new rcube_mdb2($RCI->config['db_dsnw'], '', false); $DB->db_connect('w'); if (!($db_error_msg = $DB->is_error())) { $RCI->pass('DSN (write)'); echo '<br />'; $db_working = true; } else { $RCI->fail('DSN (write)', $db_error_msg); echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />'; echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>'; } } else { $RCI->fail('DSN (write)', 'not set'); } } else { $RCI->fail('Config', 'Could not read config files'); }