From 8c033f53fa775c4711f6ce23f78c691ed3abb486 Mon Sep 17 00:00:00 2001 From: the-djmaze <> Date: Sun, 17 Mar 2024 14:50:32 +0100 Subject: [PATCH] ChangePassword extensions use \SnappyMail\SensitiveString --- plugins/change-password-froxlor/driver.php | 12 ++++++----- plugins/change-password-froxlor/index.php | 8 ++++---- plugins/change-password-hestia/driver.php | 8 +++++--- plugins/change-password-hestia/index.php | 8 ++++---- .../change-password-hmailserver/driver.php | 5 +++-- plugins/change-password-hmailserver/index.php | 8 ++++---- plugins/change-password-ispconfig/driver.php | 12 ++++++----- plugins/change-password-ispconfig/index.php | 8 ++++---- plugins/change-password-poppassd/driver.php | 7 ++++--- plugins/change-password-poppassd/index.php | 8 ++++---- plugins/change-password/drivers/ldap.php | 14 +++++++------ plugins/change-password/drivers/pdo.php | 8 +++++--- plugins/change-password/index.php | 20 ++++++++++--------- 13 files changed, 70 insertions(+), 56 deletions(-) diff --git a/plugins/change-password-froxlor/driver.php b/plugins/change-password-froxlor/driver.php index 0e26d32c3..f7194edd8 100644 --- a/plugins/change-password-froxlor/driver.php +++ b/plugins/change-password-froxlor/driver.php @@ -1,5 +1,7 @@ Email(), $this->oConfig->Get('plugin', 'froxlor_allowed_emails', ''))) { return false; @@ -72,12 +74,12 @@ class ChangePasswordFroxlorDriver if (!empty($aFetchResult['id'])) { $sDbPassword = $aFetchResult['password_enc']; $sDbSalt = \substr($sDbPassword, 0, \strrpos($sDbPassword, '$')); - if (\crypt($sPrevPassword, $sDbSalt) === $sDbPassword) { + if (\crypt($oPrevPassword, $sDbSalt) === $sDbPassword) { $oStmt = $oPdo->prepare('UPDATE mail_users SET password_enc = ? WHERE id = ?'); return !!$oStmt->execute(array( - $this->cryptPassword($sNewPassword), + $this->cryptPassword($oNewPassword), $aFetchResult['id'] )); } @@ -93,7 +95,7 @@ class ChangePasswordFroxlorDriver return false; } - private function cryptPassword(string $sPassword) : string + private function cryptPassword(SensitiveString $oPassword) : string { if (\defined('CRYPT_SHA512') && CRYPT_SHA512) { $sSalt = '$6$rounds=5000$' . \bin2hex(\random_bytes(8)) . '$'; @@ -102,6 +104,6 @@ class ChangePasswordFroxlorDriver } else { $sSalt = '$1$' . \bin2hex(\random_bytes(6)) . '$'; } - return \crypt($sPassword, $sSalt); + return \crypt($oPassword, $sSalt); } } diff --git a/plugins/change-password-froxlor/index.php b/plugins/change-password-froxlor/index.php index 58ace2d53..d937595f9 100644 --- a/plugins/change-password-froxlor/index.php +++ b/plugins/change-password-froxlor/index.php @@ -1,15 +1,15 @@ Email(), $this->oConfig->Get('plugin', 'hestia_allowed_emails', ''))) { return false; @@ -53,8 +55,8 @@ class ChangePasswordHestiaDriver $HTTP = \SnappyMail\HTTP\Request::factory(); $postvars = array( 'email' => $oAccount->Email(), - 'password' => $sPrevPassword, - 'new' => $sNewPassword, + 'password' => (string) $oPrevPassword, + 'new' => (string) $oNewPassword, ); $response = $HTTP->doRequest('POST', 'https://'.$sHost.':'.$sPort.'/reset/mail/', \http_build_query($postvars)); if (!$response) { diff --git a/plugins/change-password-hestia/index.php b/plugins/change-password-hestia/index.php index d19d30667..25754d6ea 100644 --- a/plugins/change-password-hestia/index.php +++ b/plugins/change-password-hestia/index.php @@ -1,15 +1,15 @@ Email(), $this->oConfig->Get('plugin', 'hmailserver_emails', ''))) { return false; @@ -62,7 +63,7 @@ class ChangePasswordHMailServerDriver if ($oHmailDomain) { $oHmailAccount = $oHmailDomain->Accounts->ItemByAddress($sEmail); if ($oHmailAccount) { - $oHmailAccount->Password = $sNewPassword; + $oHmailAccount->Password = (string) $oNewPassword; $oHmailAccount->Save(); $bResult = true; } else { diff --git a/plugins/change-password-hmailserver/index.php b/plugins/change-password-hmailserver/index.php index 12b28f06c..351fc5652 100644 --- a/plugins/change-password-hmailserver/index.php +++ b/plugins/change-password-hmailserver/index.php @@ -1,14 +1,14 @@ Email(), $this->oConfig->Get('plugin', 'ispconfig_allowed_emails', ''))) { return false; @@ -71,10 +73,10 @@ class ChangePasswordISPConfigDriver if (!empty($aFetchResult['mailuser_id'])) { $sDbPassword = $aFetchResult['password']; $sDbSalt = \substr($sDbPassword, 0, \strrpos($sDbPassword, '$')); - if (\crypt($sPrevPassword, $sDbSalt) === $sDbPassword) { + if (\crypt($oPrevPassword, $sDbSalt) === $sDbPassword) { $oStmt = $oPdo->prepare('UPDATE mail_user SET password = ? WHERE mailuser_id = ?'); return !!$oStmt->execute(array( - $this->cryptPassword($sNewPassword), + $this->cryptPassword($oNewPassword), $aFetchResult['mailuser_id'] )); } @@ -90,7 +92,7 @@ class ChangePasswordISPConfigDriver return false; } - private function cryptPassword(string $sPassword) : string + private function cryptPassword(SensitiveString $oPassword) : string { if (\defined('CRYPT_SHA512') && CRYPT_SHA512) { $sSalt = '$6$rounds=5000$' . \bin2hex(\random_bytes(8)) . '$'; @@ -99,6 +101,6 @@ class ChangePasswordISPConfigDriver } else { $sSalt = '$1$' . \bin2hex(\random_bytes(6)) . '$'; } - return \crypt($sPassword, $sSalt); + return \crypt($oPassword, $sSalt); } } diff --git a/plugins/change-password-ispconfig/index.php b/plugins/change-password-ispconfig/index.php index ade0ecb09..51c1fb378 100644 --- a/plugins/change-password-ispconfig/index.php +++ b/plugins/change-password-ispconfig/index.php @@ -1,14 +1,14 @@ Email(), $this->oConfig->Get('plugin', 'poppassd_allowed_emails', ''))) { return false; @@ -55,7 +56,7 @@ class ChangePasswordPoppassdDriver extends \MailSo\Net\NetClient try { $this->sendRequestWithCheck('user', $oAccount->IncLogin(), true); - $this->sendRequestWithCheck('pass', $sPrevPassword, true); + $this->sendRequestWithCheck('pass', $oPrevPassword, true); } catch (\Throwable $oException) { @@ -65,7 +66,7 @@ class ChangePasswordPoppassdDriver extends \MailSo\Net\NetClient $this->bIsLoggined = true; if ($this->bIsLoggined) { - $this->sendRequestWithCheck('newpass', $sNewPassword); + $this->sendRequestWithCheck('newpass', $oNewPassword); } else { $this->writeLogException( new \RuntimeException('Required login'), diff --git a/plugins/change-password-poppassd/index.php b/plugins/change-password-poppassd/index.php index 19f0c0502..be511d6d0 100644 --- a/plugins/change-password-poppassd/index.php +++ b/plugins/change-password-poppassd/index.php @@ -1,14 +1,14 @@ Email()); $sUserDn = \strtr($this->sUserDnFormat, array( @@ -89,25 +91,25 @@ class ChangePasswordDriverLDAP throw new \Exception('ldap_start_tls error '.\ldap_errno($oCon).': '.\ldap_error($oCon)); } - if (!\ldap_bind($oCon, $sUserDn, $sPrevPassword)) { + if (!\ldap_bind($oCon, $sUserDn, $oPrevPassword)) { throw new \Exception('ldap_bind error '.\ldap_errno($oCon).': '.\ldap_error($oCon)); } $sSshaSalt = ''; $sPrefix = '{'.\strtoupper($this->sPasswordEncType).'}'; - $sEncodedNewPassword = $sNewPassword; + $sEncodedNewPassword = $oNewPassword; switch ($sPrefix) { case '{SSHA}': $sSshaSalt = $this->getSalt(4); case '{SHA}': - $sEncodedNewPassword = $sPrefix.\base64_encode(\hash('sha1', $sNewPassword.$sSshaSalt, true).$sSshaSalt); + $sEncodedNewPassword = $sPrefix.\base64_encode(\hash('sha1', $oNewPassword.$sSshaSalt, true).$sSshaSalt); break; case '{MD5}': - $sEncodedNewPassword = $sPrefix.\base64_encode(\md5($sNewPassword, true)); + $sEncodedNewPassword = $sPrefix.\base64_encode(\md5($oNewPassword, true)); break; case '{CRYPT}': - $sEncodedNewPassword = $sPrefix.\crypt($sNewPassword, $this->getSalt(2)); + $sEncodedNewPassword = $sPrefix.\crypt($oNewPassword, $this->getSalt(2)); break; } diff --git a/plugins/change-password/drivers/pdo.php b/plugins/change-password/drivers/pdo.php index 4c744a505..2051ed2ce 100644 --- a/plugins/change-password/drivers/pdo.php +++ b/plugins/change-password/drivers/pdo.php @@ -1,5 +1,7 @@ $sEmail, - ':oldpass' => $encrypt_prefix . \ChangePasswordPlugin::encrypt($encrypt, $sPrevPassword), - ':newpass' => $encrypt_prefix . \ChangePasswordPlugin::encrypt($encrypt, $sNewPassword), + ':oldpass' => $encrypt_prefix . \ChangePasswordPlugin::encrypt($encrypt, $oPrevPassword), + ':newpass' => $encrypt_prefix . \ChangePasswordPlugin::encrypt($encrypt, $oNewPassword), ':domain' => \MailSo\Base\Utils::getEmailAddressDomain($sEmail), ':username' => \MailSo\Base\Utils::getEmailAddressLocalPart($sEmail), ':login_name' => $oAccount->IncLogin() diff --git a/plugins/change-password/index.php b/plugins/change-password/index.php index f33ce4dfe..30d79cf79 100644 --- a/plugins/change-password/index.php +++ b/plugins/change-password/index.php @@ -1,14 +1,15 @@ IncPassword()) { throw new ClientException(static::CurrentPasswordIncorrect, null, $oActions->StaticI18N('NOTIFICATIONS/CURRENT_PASSWORD_INCORRECT')); } + $oPrevPassword = new \SnappyMail\SensitiveString($sPrevPassword); $sNewPassword = $this->jsonParam('NewPassword'); if ($this->Config()->Get('plugin', 'pass_min_length', 10) > \strlen($sNewPassword)) { throw new ClientException(static::NewPasswordShort, null, $oActions->StaticI18N('NOTIFICATIONS/NEW_PASSWORD_SHORT')); } - if ($this->Config()->Get('plugin', 'pass_min_strength', 70) > static::PasswordStrength($sNewPassword)) { throw new ClientException(static::NewPasswordWeak, null, $oActions->StaticI18N('NOTIFICATIONS/NEW_PASSWORD_WEAK')); } + $oNewPassword = new \SnappyMail\SensitiveString($sNewPassword); $bResult = false; $oConfig = $this->Config(); @@ -171,7 +173,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin $oConfig, $oLogger ); - if (!$oDriver->ChangePassword($oAccount, $sPrevPassword, $sNewPassword)) { + if (!$oDriver->ChangePassword($oAccount, $oPrevPassword, $oNewPassword)) { throw new ClientException(static::CouldNotSaveNewPassword); } $bResult = true; @@ -196,7 +198,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin throw new ClientException(static::CouldNotSaveNewPassword); } - $oAccount->SetPassword($sNewPassword); + $oAccount->SetPassword($oNewPassword); if ($oAccount instanceof \RainLoop\Model\MainAccount) { $oActions->SetAuthToken($oAccount); } @@ -204,7 +206,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin return $this->jsonResponse(__FUNCTION__, $oActions->AppData(false)); } - public static function encrypt(string $algo, string $password) + public static function encrypt(string $algo, SensitiveString $password) { switch (\strtolower($algo)) { @@ -233,7 +235,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin private static function PasswordStrength(string $sPassword) : int { $i = \strlen($sPassword); - $max = min(100, $i * 8); + $max = \min(100, $i * 8); $s = 0; while (--$i) { $s += ($sPassword[$i] != $sPassword[$i-1] ? 1 : -0.5);