Diffstat (limited to 'plugins/password/drivers/sql.php')
| -rw-r--r-- | plugins/password/drivers/sql.php | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 8677f231c..31686c76f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -105,15 +105,28 @@ function password_save($curpass, $passwd)
 $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
 }
 
+ // Handle clear text passwords securely (#1487034)
+ $sql_vars = array();
+ if (preg_match_all('/%[p|o]/', $sql, $m)) {
+ foreach ($m[0] as $var) {
+ if ($var == '%p') {
+ $sql = preg_replace('/%p/', '?', $sql, 1);
+ $sql_vars[] = (string) $passwd;
+ }
+ else { // %o
+ $sql = preg_replace('/%o/', '?', $sql, 1);
+ $sql_vars[] = (string) $curpass;
+ }
+ }
+ }
+
 // at least we should always have the local part
 $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
 $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
 $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
 $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
- $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
- $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);
- $res = $db->query($sql);
+ $res = $db->query($sql, $sql_vars);
 
 if (!$db->is_error()) {
 if (strtolower(substr(trim($query),0,6))=='select') { |
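Review bot: The character class in `preg_match_all('/%[p|o]/', $sql, $m)` also matches a literal `%|`, which then falls into the `else` branch: `$curpass` is appended to `$sql_vars` while `preg_replace('/%o/', ...)` replaces nothing, so the positional `?` placeholders and the bound values drift out of step for any configured query containing `%|`. The pattern should be `'/%[po]/'`; while there, `$var == '%p'` would be better as `$var === '%p'`. Since `%p`/`%o` are now turned into `?` before the `%l`/`%d`/`%u`/`%h` values are inlined as quoted literals, the binding stays correct only if the driver's placeholder substitution ignores `?` inside string literals — if it does not, a username or host containing `?` would misalign the bound values, and binding those four values as parameters as well would remove the question. password_save begins and ends outside this hunk.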
