functions.inc.php:

- pacrypt(): no longer escape_string() the result. This fixes https://sourceforge.net/tracker/index.php?func=detail&aid=3094804&group_id=191583&atid=937964 create-mailbox.php, password.php: - escape_string() the pacrypt() result login.php: - simplify code to require one query less (this also removes the need to escape_string() the password) I also checked the other files using pacrypt() - they don't need escaping or already do it. git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1397 a1433add-5e2c-0410-b055-b7f2511e0802
13 years ago · 17911b75d2
parent 57b28f1ae2
commit 17911b75d2
4 changed files with 6 additions and 8 deletions
--- a/create-mailbox.php
+++ b/create-mailbox.php
@ -139,7 +139,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
      $tQuota = $fQuota;
      $tDomain = $fDomain;
   } else {
-      $password = pacrypt ($fPassword);
+      $password = escape_string(pacrypt ($fPassword));

      if($CONF['maildir_name_hook'] != 'NO' && function_exists($CONF['maildir_name_hook'])) {
         $hook_func = $CONF['maildir_name_hook'];
--- a/functions.inc.php
+++ b/functions.inc.php
@ -1184,7 +1184,6 @@ function pacrypt ($pw, $pw_db="") {
        die ('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
    }

-    $password = escape_string ($password); # TODO: disable escaping - https://sourceforge.net/tracker/?func=detail&aid=3301752&group_id=191583&atid=937964
    return $password;
 }

--- a/login.php
+++ b/login.php
@ -48,14 +48,13 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
        # (language preference cookie is processed even if username and/or password are invalid)
    }

+    # TODO: move to AdminHandler->login
    $result = db_query ("SELECT password FROM $table_admin WHERE username='$fUsername' AND active='1'");
    if ($result['rows'] == 1)
    {
        $row = db_array ($result['result']);
-        $password = pacrypt ($fPassword, $row['password']);
-        $result = db_query ("SELECT * FROM $table_admin WHERE username='$fUsername' AND password='$password' AND active='1'");
-        if ($result['rows'] != 1)
-        {
+        $crypt_password = pacrypt ($fPassword, $row['password']);
+        if ($row['password'] != $crypt_password) {
            $error = 1;
            flash_error($PALANG['pLogin_failed']);
        }
--- a/password.php
+++ b/password.php
@ -56,7 +56,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
    if ($result['rows'] == 1)
    {
        $row = db_array ($result['result']);
-        $checked_password = pacrypt ($fPassword_current, $row['password']);
+        $checked_password = escape_string(pacrypt ($fPassword_current, $row['password']));

        $result = db_query ("SELECT * FROM $table_admin WHERE username='$username' AND password='$checked_password'");
        if ($result['rows'] != 1)
@ -79,7 +79,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")

    if ($error != 1)
    {
-        $password = pacrypt ($fPassword);
+        $password = escape_string(pacrypt ($fPassword));
        $result = db_query ("UPDATE $table_admin SET password='$password',modified=NOW() WHERE username='$username'");
        if ($result['rows'] == 1)
        {