From feb968189cd74903e653e9e0a657bebcf22e3991 Mon Sep 17 00:00:00 2001 From: alec Date: Fri, 10 Sep 2010 08:09:10 +0000 Subject: - Security improvements for chpasswd driver (#1486987) git-svn-id: https://svn.roundcube.net/trunk@3955 208e9e7b-5314-0410-a742-e7e81cd9613c --- plugins/password/README | 3 +++ plugins/password/drivers/chpasswd.php | 15 +++++++-------- plugins/password/package.xml | 8 ++++++-- 3 files changed, 16 insertions(+), 10 deletions(-) (limited to 'plugins') diff --git a/plugins/password/README b/plugins/password/README index 2e3a59509..8cb568db1 100644 --- a/plugins/password/README +++ b/plugins/password/README @@ -223,6 +223,9 @@ Driver that adds functionality to change the systems user password via the 'chpasswd' command. See config.inc.php file. + Attached wrapper script (chpass-wrapper.py) restricts password changes + to uids >= 1000 and can deny requests based on a blacklist. + 2.12. LDAP - no PEAR (ldap_simple) ----------------------------------- diff --git a/plugins/password/drivers/chpasswd.php b/plugins/password/drivers/chpasswd.php index ed15a054e..5c6bde2d2 100644 --- a/plugins/password/drivers/chpasswd.php +++ b/plugins/password/drivers/chpasswd.php @@ -11,15 +11,16 @@ * @version 1.0 * @author Alex Cartwright config->get('password_chpasswd_cmd')); + $cmd = rcmail::get_instance()->config->get('password_chpasswd_cmd'); + $username = $_SESSION['username']; + + $handle = popen($cmd, "w"); + fwrite($handle, "$username:$newpass"); - if (exec($cmd) == 0) { + if (pclose($handle) == 0) { return PASSWORD_SUCCESS; } else { @@ -33,5 +34,3 @@ function password_save($currpass, $newpass) return PASSWORD_ERROR; } - -?> diff --git a/plugins/password/package.xml b/plugins/password/package.xml index a106c8917..433280980 100644 --- a/plugins/password/package.xml +++ b/plugins/password/package.xml @@ -15,8 +15,8 @@ alec@alec.pl yes - - + 2010-09-10 + 1.7 1.5 
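Review bot: The new write to chpasswd's stdin in the `@@ -11,15 +11,16 @@` hunk is unguarded: `popen()` can return false, after which `fwrite()` and `pclose()` are called on a non-resource, and nothing rejects a `$username` or `$newpass` containing a line break, which chpasswd (documented as reading one `user_name:password` record per line) would treat as a record boundary rather than as part of the value. Add `if (strpbrk($username . $newpass, "\r\n") !== false) { return PASSWORD_ERROR; }` before the `popen()` call and `if ($handle === false) { return PASSWORD_ERROR; }` after it. The record is also written without a trailing newline; whether the command configured in `password_chpasswd_cmd` accepts an unterminated last line is implementation-dependent, so `fwrite($handle, "$username:$newpass\n");` is the safer form. The signature of password_save and its error-reporting tail lie outside this hunk, and part of the hunk text on this page appears lost to tag stripping, so the removed `sprintf`/`exec` line cannot be read here.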
@@ -28,6 +28,8 @@ GNU GPLv2 - Added XMail driver +- Improve security of chpasswd driver using popen instead of exec+echo (#1486987) +- Added chpass-wrapper.py script to improve security (#1486987) @@ -81,6 +83,8 @@ + + -- cgit v1.2.3