mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Merge pull request #1791 from rolfen/sql-password-plugin-fix
Custom SQL password plugin - SQL injection vulnerability fix
This commit is contained in:
commit
495fb486e1
2 changed files with 45 additions and 8 deletions
|
|
@ -146,7 +146,7 @@ class ChangePasswordCustomSqlDriver implements \RainLoop\Providers\ChangePasswor
|
||||||
|
|
||||||
$dsn = 'mysql:host='.$this->mHost.';dbname='.$this->mDatabase.';charset=utf8';
|
$dsn = 'mysql:host='.$this->mHost.';dbname='.$this->mDatabase.';charset=utf8';
|
||||||
$options = array(
|
$options = array(
|
||||||
PDO::ATTR_EMULATE_PREPARES => false,
|
PDO::ATTR_EMULATE_PREPARES => true,
|
||||||
PDO::ATTR_PERSISTENT => true,
|
PDO::ATTR_PERSISTENT => true,
|
||||||
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
|
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
|
||||||
);
|
);
|
||||||
|
|
@ -160,15 +160,52 @@ class ChangePasswordCustomSqlDriver implements \RainLoop\Providers\ChangePasswor
|
||||||
$sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail);
|
$sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail);
|
||||||
$sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail);
|
$sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail);
|
||||||
|
|
||||||
//simple check
|
// some variables cannot be prepared
|
||||||
|
$this->mSql = str_replace(array(
|
||||||
|
':table'
|
||||||
|
), array(
|
||||||
|
$this->mTable
|
||||||
|
), $this->mSql);
|
||||||
|
|
||||||
$old = array(':email', ':oldpass', ':newpass', ':domain', ':username', ':table' );
|
$placeholders = array(
|
||||||
$new = array($sEmail, $sPrevPassword, $sNewPassword, $sEmailDomain, $sEmailUser, $this->mTable);
|
':email' => $sEmail,
|
||||||
|
':oldpass' => $sPrevPassword,
|
||||||
|
':newpass' => $sNewPassword,
|
||||||
|
':domain' => $sEmailDomain,
|
||||||
|
':username' => $sEmailUser
|
||||||
|
);
|
||||||
|
|
||||||
$this->mSql = str_replace($old, $new, $this->mSql);
|
// we have to check that all placehoders are used in the query, passing any unused placeholders will generate an error
|
||||||
|
$used_placeholders = array();
|
||||||
|
|
||||||
|
foreach($placeholders as $placeholder => $value) {
|
||||||
|
if(preg_match_all('/'.$placeholder . '(?![a-zA-Z0-9\-])'.'/', $this->mSql) === 1) {
|
||||||
|
// backwards-compabitibility: remove single and double quotes around placeholders
|
||||||
|
$this->mSql = str_replace('`'.$placeholder.'`', $placeholder, $this->mSql);
|
||||||
|
$this->mSql = str_replace("'".$placeholder."'", $placeholder, $this->mSql);
|
||||||
|
$this->mSql = str_replace('"'.$placeholder.'"', $placeholder, $this->mSql);
|
||||||
|
$used_placeholders[$placeholder] = $value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$statement = $conn->prepare($this->mSql);
|
||||||
|
|
||||||
|
// everything is ready (hopefully), bind the values
|
||||||
|
foreach($used_placeholders as $placeholder => $value) {
|
||||||
|
$statement->bindValue($placeholder, $value);
|
||||||
|
}
|
||||||
|
|
||||||
|
// and execute
|
||||||
|
$mSqlReturn = $statement->execute();
|
||||||
|
|
||||||
|
/* can be used for debugging
|
||||||
|
ob_start();
|
||||||
|
$statement->debugDumpParams();
|
||||||
|
$r = ob_get_contents();
|
||||||
|
ob_end_clean();
|
||||||
|
$this->oLogger->Write($r);
|
||||||
|
*/
|
||||||
|
|
||||||
$update = $conn->prepare($this->mSql);
|
|
||||||
$mSqlReturn = $update->execute(array());
|
|
||||||
if ($mSqlReturn == true)
|
if ($mSqlReturn == true)
|
||||||
{
|
{
|
||||||
$bResult = true;
|
$bResult = true;
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,7 @@ class ChangePasswordCustomSqlPlugin extends \RainLoop\Plugins\AbstractPlugin
|
||||||
\RainLoop\Plugins\Property::NewInstance('mTable')->SetLabel('MySQL Table'),
|
\RainLoop\Plugins\Property::NewInstance('mTable')->SetLabel('MySQL Table'),
|
||||||
\RainLoop\Plugins\Property::NewInstance('mSql')->SetLabel('SQL statement')
|
\RainLoop\Plugins\Property::NewInstance('mSql')->SetLabel('SQL statement')
|
||||||
->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT)
|
->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT)
|
||||||
->SetDescription('SQL statement (allowed wildcards :table, :email, :oldpass, :newpass, :domain, :username). When using MD5 OR SHA1 at tables, write it directly here as SQL functions. Fro non-SQL encryptions use another plugin or wait for new version.')
|
->SetDescription('SQL statement (allowed wildcards :table, :email, :oldpass, :newpass, :domain, :username). Use SQL functions for encryption.')
|
||||||
->SetDefaultValue('UPDATE :table SET password = md5(:newpass) WHERE domain = :domain AND username = :username and oldpass = md5(:oldpass)')
|
->SetDefaultValue('UPDATE :table SET password = md5(:newpass) WHERE domain = :domain AND username = :username and oldpass = md5(:oldpass)')
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue