From f444de402bab137f9622584b9a3be9e3ddca7001 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Mon, 7 Oct 2013 18:42:59 +0000
Subject: [PATCH] functions.inc.php: - pacrypt(), dovecot:* method: - allow "." in dovecot method (to allow a suffix like ".b64") - blacklist SCRAM-SHA-1 (needs -u) - check against list of non-salted methods to be backward compatible with dovecot < 2.1 again Thanks to Szilagyi Jozsef for providing the list of non-salted methods etc. functions.inc.php, scripts/postfixadmin-cli.php: - drop unused global variables $table_admin and $table_alias_domain
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1529 a1433add-5e2c-0410-b055-b7f2511e0802
---
 functions.inc.php | 17 +++++++++++------
 scripts/postfixadmin-cli.php | 4 ++--
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index b9399a32..66d2b386 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -910,12 +910,14 @@ function pacrypt ($pw, $pw_db="") {
 elseif (preg_match("/^dovecot:/", $CONF['encrypt'])) {
 $split_method = preg_split ('/:/', $CONF['encrypt']);
 $method = strtoupper($split_method[1]);
- if (! preg_match("/^[A-Z0-9-]+$/", $method)) { die("invalid dovecot encryption method"); } # TODO: check against a fixed list?
+ if (! preg_match("/^[A-Z0-9.-]+$/", $method)) { die("invalid dovecot encryption method"); } # TODO: check against a fixed list?
 # if (strtolower($method) == 'md5-crypt') die("\$CONF['encrypt'] = 'dovecot:md5-crypt' will not work because dovecotpw generates a random salt each time. Please use \$CONF['encrypt'] = 'md5crypt' instead.");
 # $crypt_method = preg_match ("/.*-CRYPT$/", $method);
- # digest-md5 hashes include the username - until someone implements it, let's declare it as unsupported
+ # digest-md5 and SCRAM-SHA-1 hashes include the username - until someone implements it, let's declare it as unsupported
 if (strtolower($method) == 'digest-md5') die("Sorry, \$CONF['encrypt'] = 'dovecot:digest-md5' is not supported by PostfixAdmin.");
+ if (strtoupper($method) == 'SCRAM-SHA-1') die("Sorry, \$CONF['encrypt'] = 'dovecot:scram-sha-1' is not supported by PostfixAdmin.");
+ # TODO: add -u option for those hashes, or for everything that is salted (-u was available before dovecot 2.1 -> no problem with backward compability)
 $dovecotpw = "doveadm pw";
 if (!empty($CONF['dovecotpw'])) $dovecotpw = $CONF['dovecotpw'];
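Review bot: Allowing `.` in the method character class lets an encoding suffix slip past the two unsupported-scheme guards that follow it: `digest-md5.b64` or `scram-sha-1.hex` now pass `^[A-Z0-9.-]+$` but no longer equal `'digest-md5'` / `'SCRAM-SHA-1'`, so neither `die()` fires and the username-dependent scheme is handed to doveadm anyway. Compare the base scheme with the optional suffix stripped, using the same suffix set the second hunk's `$salted` check already recognises, e.g. `if (preg_match('/^(DIGEST-MD5|SCRAM-SHA-1)(\.B64|\.BASE64|\.HEX)?$/', $method)) die("Sorry, \$CONF['encrypt'] = 'dovecot:" . strtolower($method) . "' is not supported by PostfixAdmin.");`. That single check also drops the redundant `strtoupper($method)` on the new SCRAM line, since `$method` is already upper-cased three lines above, and makes the two guards use one comparison style instead of `strtolower` for one and `strtoupper` for the other. The enclosing pacrypt() starts and ends outside this hunk.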
@@ -927,9 +929,12 @@ function pacrypt ($pw, $pw_db="") {
 2 => array("pipe", "w"), // stderr
 );
+ $nonsaltedtypes = "SHA|SHA1|SHA256|SHA512|CLEAR|CLEARTEXT|PLAIN|PLAIN-TRUNC|CRAM-MD5|HMAC-MD5|PLAIN-MD4|PLAIN-MD5|LDAP-MD5|LANMAN|NTLM|RPA";
+ $salted = ! preg_match("/^($nonsaltedtypes)(\.B64|\.BASE64|\.HEX)?$/", strtoupper($method) );
+ $dovepasstest = '';
- if (!empty($pw_db)) {
- # TODO: only use -t for salted passwords to be backward compatible with dovecot < 2.1 again
+ if ( $salted && (!empty($pw_db)) ) {
+ # only use -t for salted passwords to be backward compatible with dovecot < 2.1
 $dovepasstest = " -t " . escapeshellarg($pw_db);
 }
 $pipe = proc_open("$dovecotpw '-s' $method$dovepasstest", $spec, $pipes);
@@ -1850,9 +1855,9 @@ function boolconf($setting) {
 return Config::bool($setting);
 }
-$table_admin = table_by_key ('admin');
+#$table_admin = table_by_key ('admin');
 $table_alias = table_by_key ('alias');
-$table_alias_domain = table_by_key ('alias_domain');
+#$table_alias_domain = table_by_key ('alias_domain');
 $table_domain = table_by_key ('domain');
 $table_domain_admins = table_by_key ('domain_admins');
 $table_log = table_by_key ('log');
diff --git a/scripts/postfixadmin-cli.php b/scripts/postfixadmin-cli.php
index 58294ec2..acf167e8 100644
--- a/scripts/postfixadmin-cli.php
+++ b/scripts/postfixadmin-cli.php
@@ -550,9 +550,9 @@ $CONF = Config::read('all');
 //bugfix shitty globals and OOP.....
-$table_admin = table_by_key ('admin');
+#$table_admin = table_by_key ('admin');
 $table_alias = table_by_key ('alias');
-$table_alias_domain = table_by_key ('alias_domain');
+#$table_alias_domain = table_by_key ('alias_domain');
 $table_domain = table_by_key ('domain');
 $table_domain_admins = table_by_key ('domain_admins');
 $table_log = table_by_key ('log');
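Review bot: The `$salted` test is an allow-list of non-salted schemes, so any scheme missing from `$nonsaltedtypes` — a typo in `$CONF['encrypt']` or a scheme newer than this list — is treated as salted and gets `-t`, which per the hunk's own comment is not available on dovecot < 2.1; that is the right default for verification but nothing says so. Suggest a comment above the `$nonsaltedtypes` line: `# schemes not listed here are treated as salted and verified with -t, which needs dovecot >= 2.1`. The `strtoupper($method)` argument to `preg_match` is redundant, `$method` is already upper-cased where it is split off `$CONF['encrypt']`, so passing `$method` directly reads cleaner. On the last hunk line `$method` is still spliced unquoted into the `proc_open` command string while `$pw_db` goes through `escapeshellarg()`; its shell-safety rests entirely on the `^[A-Z0-9.-]+$` check in the previous hunk, which is worth stating next to that line: `# $method is interpolated unquoted: it must stay restricted to [A-Z0-9.-] by the check above`. The enclosing pacrypt() starts and ends outside this hunk.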
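Review bot: The two unused assignments are commented out (`#$table_admin = table_by_key ('admin');` and `#$table_alias_domain = table_by_key ('alias_domain');`) rather than removed; commented-out code tends to outlive the reason it was kept and the removal is already recorded in version control, so deleting the lines is the cleaner change. The same applies to the matching hunk in scripts/postfixadmin-cli.php, whose end lies outside this page.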