From 121ae23a83555b34c28b9967113a0cdf1755387a Mon Sep 17 00:00:00 2001 From: alec Date: Fri, 24 Feb 2012 10:17:19 +0000 Subject: - Fixed drivers namespace issues git-svn-id: https://svn.roundcube.net/trunk@5902 208e9e7b-5314-0410-a742-e7e81cd9613c --- plugins/password/drivers/sql.php | 277 ++++++++++++++++++++------------------- 1 file changed, 139 insertions(+), 138 deletions(-) (limited to 'plugins/password/drivers/sql.php') diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 06a6b75ff..e9207300e 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -5,170 +5,171 @@ * * Driver for passwords stored in SQL database * - * @version 1.4 + * @version 2.0 * @author Aleksander 'A.L.E.C' Machniak * */ -function password_save($curpass, $passwd) +class rcube_sql_password { - $rcmail = rcmail::get_instance(); - - if (!($sql = $rcmail->config->get('password_query'))) - $sql = 'SELECT update_passwd(%c, %u)'; - - if ($dsn = $rcmail->config->get('password_db_dsn')) { - // #1486067: enable new_link option - if (is_array($dsn) && empty($dsn['new_link'])) - $dsn['new_link'] = true; - else if (!is_array($dsn) && !preg_match('/\?new_link=true/', $dsn)) - $dsn .= '?new_link=true'; - - $db = new rcube_mdb2($dsn, '', FALSE); - $db->set_debug((bool)$rcmail->config->get('sql_debug')); - $db->db_connect('w'); - } else { - $db = $rcmail->get_dbh(); - } + function save($curpass, $passwd) + { + $rcmail = rcmail::get_instance(); + + if (!($sql = $rcmail->config->get('password_query'))) + $sql = 'SELECT update_passwd(%c, %u)'; + + if ($dsn = $rcmail->config->get('password_db_dsn')) { + // #1486067: enable new_link option + if (is_array($dsn) && empty($dsn['new_link'])) + $dsn['new_link'] = true; + else if (!is_array($dsn) && !preg_match('/\?new_link=true/', $dsn)) + $dsn .= '?new_link=true'; + + $db = new rcube_mdb2($dsn, '', FALSE); + $db->set_debug((bool)$rcmail->config->get('sql_debug')); + $db->db_connect('w'); + } + else { + $db = $rcmail->get_dbh(); + } - if ($err = $db->is_error()) - return PASSWORD_ERROR; + if ($err = $db->is_error()) + return PASSWORD_ERROR; + + // crypted password + if (strpos($sql, '%c') !== FALSE) { + $salt = ''; + if (CRYPT_MD5) { + // Always use eight salt characters for MD5 (#1488136) + $len = 8; + } else if (CRYPT_STD_DES) { + $len = 2; + } else { + return PASSWORD_CRYPT_ERROR; + } - // crypted password - if (strpos($sql, '%c') !== FALSE) { - $salt = ''; - if (CRYPT_MD5) { - // Always use eight salt characters for MD5 (#1488136) - $len = 8; - } else if (CRYPT_STD_DES) { - $len = 2; - } else { - return PASSWORD_CRYPT_ERROR; - } + //Restrict the character set used as salt (#1488136) + $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + for ($i = 0; $i < $len ; $i++) { + $salt .= $seedchars[rand(0, 63)]; + } - //Restrict the character set used as salt (#1488136) - $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - for ($i = 0; $i < $len ; $i++) { - $salt .= $seedchars[rand(0, 63)]; + $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql); } - $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql); - } + // dovecotpw + if (strpos($sql, '%D') !== FALSE) { + if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) + $dovecotpw = 'dovecotpw'; + if (!($method = $rcmail->config->get('password_dovecotpw_method'))) + $method = 'CRAM-MD5'; - // dovecotpw - if (strpos($sql, '%D') !== FALSE) { - if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) - $dovecotpw = 'dovecotpw'; - if (!($method = $rcmail->config->get('password_dovecotpw_method'))) - $method = 'CRAM-MD5'; - - // use common temp dir - $tmp_dir = $rcmail->config->get('temp_dir'); - $tmpfile = tempnam($tmp_dir, 'roundcube-'); - - $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); - if (!$pipe) { - unlink($tmpfile); - return PASSWORD_CRYPT_ERROR; - } - else { - fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); - fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); - pclose($pipe); - $newpass = trim(file_get_contents($tmpfile), "\n"); - if (!preg_match('/^\{' . $method . '\}/', $newpass)) { + // use common temp dir + $tmp_dir = $rcmail->config->get('temp_dir'); + $tmpfile = tempnam($tmp_dir, 'roundcube-'); + + $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); + if (!$pipe) { + unlink($tmpfile); return PASSWORD_CRYPT_ERROR; } - if (!$rcmail->config->get('password_dovecotpw_with_method')) - $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); - unlink($tmpfile); + else { + fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); + fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); + pclose($pipe); + $newpass = trim(file_get_contents($tmpfile), "\n"); + if (!preg_match('/^\{' . $method . '\}/', $newpass)) { + return PASSWORD_CRYPT_ERROR; + } + if (!$rcmail->config->get('password_dovecotpw_with_method')) + $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); + unlink($tmpfile); + } + $sql = str_replace('%D', $db->quote($newpass), $sql); } - $sql = str_replace('%D', $db->quote($newpass), $sql); - } - // hashed passwords - if (preg_match('/%[n|q]/', $sql)) { + // hashed passwords + if (preg_match('/%[n|q]/', $sql)) { + if (!extension_loaded('hash')) { + raise_error(array( + 'code' => 600, + 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: 'hash' extension not loaded!" + ), true, false); - if (!extension_loaded('hash')) { - raise_error(array( - 'code' => 600, - 'type' => 'php', - 'file' => __FILE__, 'line' => __LINE__, - 'message' => "Password plugin: 'hash' extension not loaded!" - ), true, false); + return PASSWORD_ERROR; + } - return PASSWORD_ERROR; - } + if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) + $hash_algo = 'sha1'; - if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) - $hash_algo = 'sha1'; + $hash_passwd = hash($hash_algo, $passwd); + $hash_curpass = hash($hash_algo, $curpass); - $hash_passwd = hash($hash_algo, $passwd); - $hash_curpass = hash($hash_algo, $curpass); + if ($rcmail->config->get('password_hash_base64')) { + $hash_passwd = base64_encode(pack('H*', $hash_passwd)); + $hash_curpass = base64_encode(pack('H*', $hash_curpass)); + } - if ($rcmail->config->get('password_hash_base64')) { - $hash_passwd = base64_encode(pack('H*', $hash_passwd)); - $hash_curpass = base64_encode(pack('H*', $hash_curpass)); + $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); + $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); } - $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); - $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); - } - - // Handle clear text passwords securely (#1487034) - $sql_vars = array(); - if (preg_match_all('/%[p|o]/', $sql, $m)) { - foreach ($m[0] as $var) { - if ($var == '%p') { - $sql = preg_replace('/%p/', '?', $sql, 1); - $sql_vars[] = (string) $passwd; - } - else { // %o - $sql = preg_replace('/%o/', '?', $sql, 1); - $sql_vars[] = (string) $curpass; + // Handle clear text passwords securely (#1487034) + $sql_vars = array(); + if (preg_match_all('/%[p|o]/', $sql, $m)) { + foreach ($m[0] as $var) { + if ($var == '%p') { + $sql = preg_replace('/%p/', '?', $sql, 1); + $sql_vars[] = (string) $passwd; + } + else { // %o + $sql = preg_replace('/%o/', '?', $sql, 1); + $sql_vars[] = (string) $curpass; + } } } - } - $local_part = $rcmail->user->get_username('local'); - $domain_part = $rcmail->user->get_username('domain'); - $username = $_SESSION['username']; - $host = $_SESSION['imap_host']; + $local_part = $rcmail->user->get_username('local'); + $domain_part = $rcmail->user->get_username('domain'); + $username = $_SESSION['username']; + $host = $_SESSION['imap_host']; - // convert domains to/from punnycode - if ($rcmail->config->get('password_idn_ascii')) { - $domain_part = rcube_idn_to_ascii($domain_part); - $username = rcube_idn_to_ascii($username); - $host = rcube_idn_to_ascii($host); - } - else { - $domain_part = rcube_idn_to_utf8($domain_part); - $username = rcube_idn_to_utf8($username); - $host = rcube_idn_to_utf8($host); - } + // convert domains to/from punnycode + if ($rcmail->config->get('password_idn_ascii')) { + $domain_part = rcube_idn_to_ascii($domain_part); + $username = rcube_idn_to_ascii($username); + $host = rcube_idn_to_ascii($host); + } + else { + $domain_part = rcube_idn_to_utf8($domain_part); + $username = rcube_idn_to_utf8($username); + $host = rcube_idn_to_utf8($host); + } - // at least we should always have the local part - $sql = str_replace('%l', $db->quote($local_part, 'text'), $sql); - $sql = str_replace('%d', $db->quote($domain_part, 'text'), $sql); - $sql = str_replace('%u', $db->quote($username, 'text'), $sql); - $sql = str_replace('%h', $db->quote($host, 'text'), $sql); - - $res = $db->query($sql, $sql_vars); - - if (!$db->is_error()) { - if (strtolower(substr(trim($query),0,6))=='select') { - if ($result = $db->fetch_array($res)) - return PASSWORD_SUCCESS; - } else { - // This is the good case: 1 row updated - if ($db->affected_rows($res) == 1) - return PASSWORD_SUCCESS; - // @TODO: Some queries don't affect any rows - // Should we assume a success if there was no error? - } - } + // at least we should always have the local part + $sql = str_replace('%l', $db->quote($local_part, 'text'), $sql); + $sql = str_replace('%d', $db->quote($domain_part, 'text'), $sql); + $sql = str_replace('%u', $db->quote($username, 'text'), $sql); + $sql = str_replace('%h', $db->quote($host, 'text'), $sql); + + $res = $db->query($sql, $sql_vars); + + if (!$db->is_error()) { + if (strtolower(substr(trim($query),0,6))=='select') { + if ($result = $db->fetch_array($res)) + return PASSWORD_SUCCESS; + } else { + // This is the good case: 1 row updated + if ($db->affected_rows($res) == 1) + return PASSWORD_SUCCESS; + // @TODO: Some queries don't affect any rows + // Should we assume a success if there was no error? + } + } - return PASSWORD_ERROR; + return PASSWORD_ERROR; + } } - -?> -- cgit v1.2.3