functions.inc.php pacrypt():

- for 'system' encryption, use full hashed password as salt 
  https://sourceforge.net/p/postfixadmin/bugs/2/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1595 a1433add-5e2c-0410-b055-b7f2511e0802
Christian Boltz 11 years ago
parent bafd2f1f58
commit 57f4ad0b75

@ -13,14 +13,11 @@
Version ***svn*** - 2009/12/26 - SVN r***
-----------------------------------
*** TODO: changelog for r1157 and r1163
*** TODO: copy changelog from the 2.3 branch after 2.3.3 release to trunk
- NOTE: changes from the 2.3 branch also apply to this version
- use smarty for templates
- new command-line interface for PostfixAdmin (scripts/postfixadmin-cli)
(still incomplete)
- add ability to choose activation and end date for vacation message
- add ability to choose activation date, end date and reply interval for vacation message
*** reply interval needs rework, https://sourceforge.net/tracker/?func=detail&aid=3508083&group_id=191583&atid=937966
- add support for total quota per domain - $CONF[domain_quota]
- redesign login page, list and edit pages (goodbye, green!) and made them wider
- new config option $CONF['theme_custom_css'] - allows to add some custom CSS
@ -36,33 +33,67 @@ Version ***svn*** - 2009/12/26 - SVN r***
domains - or all in one page as in 2.3
- extreme speedup of page browser in list-virtual if a large number of
mailboxes or aliases exist
*** TODO: totally broken for PostgreSQL :-( - see create_page_browser() in functions.inc.php ***
- display alias domains less confusing (using From/To)
*** TODO: make "all" the default? ***
- merge search.php functionality into list-virtual.php (which brings various
bug fixes for free)
- don't mark mailboxes with vacation active as undeliverable
*** TODO: backport candidate? r1068 ***
- fix: undeliverable targets were not flagged if another target pointed to a
domain in $CONF[show_undeliverable_exceptions]
*** TODO: backport candidate? r1069 ***
- move lots of code into classes (model/*) which is then used by the
webinterface and the commandline interface (still incomplete)
- move lots of code into classes (model/*Handler) which is then used by the
webinterface and the commandline interface
- supress warnings about PHP's date.timezone not set at various places
*** TODO: do it always for Smarty? ***
- table_by_key function now always prepends $CONF['database_prefix'] even if
$CONF['database_tables'][$table] is not set. If you have/had an incomplete
database_tables array and use a database_prefix, you might need to rename/
add the database_prefix to the affected tables manually.
*** TODO: add a check/warning in setup.php? ***
- cleanup of $PALANG - marked lots of duplicated texts as obsolete
- cleanup of $PALANG - removed lots of duplicated texts
(which means less texts to translate)
- removed <span> and <br> tags from $PALANG texts (formatting is now done in
the templates)
- removed HTML tags from $PALANG texts
- several translation updates
- merged templates for "edit" and "create" forms and for user and admin mode
- lots of code cleanup, removal of duplicated code etc.
Version 2.3.6 - 2013/01/02 - SVN r1417 (postfixadmin-2.3 branch)
----------------------------------------------------------------
- display domain and mailbox description with correct encoding
- fix footer link
- focus username input field in login form
- fix double inclusion of config.inc.php in setup.php
- fix bool and date handling in fetchmail
Version 2.3.5 - 2012/01/16 - SVN r1335 (postfixadmin-2.3 branch)
----------------------------------------------------------------
- fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
- fix SQL injection in backup.php - the dump was not mysql_escape()d,
therefore users could inject SQL (for example in the vacation message)
which will be executed when restoring the database dump.
WARNING: database dumps created with backup.php from 2.3.4 or older might
contain malicious SQL. Double-check before using them!
- fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
- fix XSS in some create-domain input fields
- fix XSS in create-alias and edit-alias error message
- fix XSS (by values stored in the database) in fetchmail list view,
list-domain and list-virtual
- create-domain: fix SQL injection (only exploitable by superadmins)
- add missing $LANG['pAdminDelete_admin_error']
- don't mark mailbox targets with recipient delimiter as "forward only"
- wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function
Version 2.3.4 - 2011/09/16 - SVN r1180 (postfixadmin-2.3 branch)
----------------------------------------------------------------
- generate more secure random passwords
- squirrelmail plugin: fix typo in variable name
- list-domain: fix SELECT query to work with PgSQL even when using custom fields
- create-domain: force domain name to lowercase to avoid problems with PgSQL
foreign keys
- fix vacation.pl to log to "mail" syslog facility
- error_log() dovecotpw error messages
Version 2.3.3 - 2011/03/14 - SVN r1010 (postfixadmin-2.3 branch)
----------------------------------------------------------------
@ -567,3 +598,6 @@ Version 1.3.8 -- 2003/03/25
Version 1.3.7 -- 2002/12/24
----------------------------
- Initial public release of Postfix Admin.
# vim: set expandtab softtabstop=2 tabstop=2 shiftwidth=2:

@ -143,3 +143,6 @@ Note: The above text describes the configuration for dovecot 1.0 & 1.1 quota tab
If you use dovecot 1.2 or newer,
- use the 'quota2' table (also created by setup.php)
- set $CONF['new_quota_table'] = 'YES'
*** TODO: Update based on chatlog 2012-05-02 ***

@ -861,17 +861,11 @@ function pacrypt ($pw, $pw_db="") {
}
elseif ($CONF['encrypt'] == 'system') {
if (preg_match("/\\$1\\$/", $pw_db)) {
$split_salt = preg_split ('/\$/', $pw_db);
$salt = "\$1\$${split_salt[2]}\$";
if ($pw_db) {
$password = crypt($pw, $pw_db);
} else {
if (strlen($pw_db) == 0) {
$salt = substr (md5 (mt_rand ()), 0, 2);
} else {
$salt = substr ($pw_db, 0, 2);
}
$password = crypt($pw);
}
$password = crypt ($pw, $salt);
}
elseif ($CONF['encrypt'] == 'cleartext') {
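Review bot: The new-password path `$password = crypt($pw);` calls crypt() with no salt, so the hash scheme is left to the runtime: on PHP of this era that is an auto-generated standard-DES (2-char) or MD5-crypt salt depending on the build, DES truncates the password at 8 characters, PHP 5.6 raises a notice when the salt is omitted, and in 8.0 the salt parameter became mandatory, so this branch will stop working on upgrade. Better to choose the scheme explicitly when `$pw_db` is empty, e.g. `$salt = '$6$' . substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 16) . '$';` followed by `$password = crypt($pw, $salt);` (guard on `CRYPT_SHA512` and on openssl being available, since I cannot see the project's PHP baseline from here). The verify path `crypt($pw, $pw_db)` is fine as written because it reuses the stored hash's own scheme and salt. pacrypt() starts and ends outside this hunk.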

@ -1,7 +1,74 @@
<?php
# $Id$
class VacationHandler {
class VacationHandler extends PFAHandler {
protected $db_table = 'vacation';
protected $id_field = 'email';
protected $domain_field = 'domain';
# init $this->struct, $this->db_table and $this->id_field
protected function initStruct() {
$this->struct=array(
# field name allow display in... type $PALANG label $PALANG description default / options / ...
# editing? form list
'email' => pacol( $this->new, 1, 1, 'text', 'pLogin_username' , '' , '' ),
'domain' => pacol( 1, 0, 0, 'text', '' , '' , '' ),
'subject' => pacol( 1, 1, 0, 'text', 'pUsersVacation_subject' , '' , '' ),
'body' => pacol( 1, 1, 0, 'text', 'pUsersVacation_body' , '' , '' ),
'activefrom' => pacol( 1, 1, 1, 'text', 'pUsersVacation_activefrom' , '' , '' ),
'activeuntil' => pacol( 1, 1, 1, 'text', 'pUsersVacation_activeuntil' , '' , '' ),
# 'cache' => pacol( 0, 0, 0, 'text', '' , '' , '' ), # leftover from 2.2
'active' => pacol( 1, 1, 1, 'bool', 'active' , '' , 1 ),
'created' => pacol( 0, 0, 1, 'ts', 'created' , '' ),
'modified' => pacol( 0, 0, 1, 'ts', 'last_modified' , '' ),
# TODO: add virtual 'notified' column and allow to display who received a vacation response?
);
}
protected function initMsg() {
$this->msg['error_already_exists'] = 'pCreate_mailbox_username_text_error1'; # TODO: better error message
$this->msg['error_does_not_exist'] = 'pCreate_mailbox_username_text_error1'; # TODO: better error message
if ($this->new) {
$this->msg['logname'] = 'edit_vacation';
$this->msg['store_error'] = 'pVacation_result_error';
$this->msg['successmessage'] = 'pVacation_result_removed'; # TODO: or pVacation_result_added - depends on 'active'... -> we probably need a new message
} else {
$this->msg['logname'] = 'edit_vacation';
$this->msg['store_error'] = 'pVacation_result_error';
$this->msg['successmessage'] = 'pVacation_result_removed'; # TODO: or pVacation_result_added - depends on 'active'... -> we probably need a new message
}
}
public function webformConfig() {
return array(
# $PALANG labels
'formtitle_create' => 'pUsersVacation_welcome',
'formtitle_edit' => 'pUsersVacation_welcome',
'create_button' => 'save',
# various settings
'required_role' => 'admin',
'listview' => 'list-virtual.php',
'early_init' => 1, # 0 for create-domain
);
}
protected function validate_new_id() {
# vacation can only be enabled if a mailbox with this name exists
$handler = new MailboxHandler();
return $handler->init($address);
}
public function delete() {
$this->errormsg[] = '*** deletion not implemented yet ***';
return false; # XXX function aborts here! XXX
}
protected $username = null;
function __construct($username) {
$this->username = $username;
@ -29,11 +96,9 @@ class VacationHandler {
/**
* @return boolean true indicates this server supports vacation messages, and users are able to change their own.
* @global array $CONF
*/
function vacation_supported() {
global $CONF;
return $CONF['vacation'] == 'YES' && $CONF['vacation_control'] == 'YES';
return Config::bool('vacation') && Config::bool('vacation_control');
}
/**
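Review bot: validate_new_id() returns `$handler->init($address)`, but `$address` is assigned nowhere in that method, so MailboxHandler::init() receives null and the "mailbox with this name exists" check the comment describes cannot work; the id under validation is presumably held by the PFAHandler base (outside this hunk — confirm the property name), so the line should read something like `return $handler->init($this->id);`. In initMsg() both arms of `if ($this->new)` assign identical values, so the branch can collapse to the three assignments until the TODO on the success message is resolved. The class body continues past the first hunk (the constructor is cut at `$this->username = $username;`).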
