I found that Mysql 8 don't like table names without `` in requests. So i make changes in function table_by_key in functions.inc.php and in upgrade.php . Now it works. FreeBSD 11.1 Apache/2.4.29 (FreeBSD) PHP/7.1.11 Mysql 8
The improvements are:
- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other databases types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only by used once.
Unicode support is a much bigger can of worms (see the discussion in #47),
and having just a little part of unicode support in is a bad idea.
You can of course use the xn--whatever notation for unicode domains ;-)
Dovecot password hashes include a {SCHEME} prefix, so it's possible to
switch the scheme while still accepting passwords hashed using the
previous dovecot:* scheme.
This patch adds the code needed to find out the used hashing scheme
from the hash and ensures it gets used to validate the password.
Patch by Aaron Lindsay <aaron AT aclindsay com> (sent to the ML)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1875 a1433add-5e2c-0410-b055-b7f2511e0802
- add check_db_version() to functions.inc.php
- add $min_db_version (needs to be updated at least before the release)
- call check_db_version in login.php, users/login.php and CLI - they'll
error out if the database layout is outdated
- change setup.php to use check_db_version()
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1853 a1433add-5e2c-0410-b055-b7f2511e0802
- gen_show_status(): escape mail addresses in query.
Fixes https://sourceforge.net/p/postfixadmin/bugs/356/
(mostly - the edit/delete/... links in list-virtual are double-escaped)
In theory this could allow SQL injection, in practise the mail address
regex limits this issue to a DOS (creating a mail address with ' caused
an invalid query that broke list-virtual)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1809 a1433add-5e2c-0410-b055-b7f2511e0802
Measure time needed for the nameserver queries, and error_log a warning
if the queries need more than 2 seconds in total.
Inspired by a question from t-ask on IRC, who suffered from a slow
nameserver and had some "fun" to debug it ;-)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1790 a1433add-5e2c-0410-b055-b7f2511e0802
- initStruct(): replace (wrong) 'editable' with '_can_edit' and '_can_delete'
- read_from_db_postprocess(): disable _can_edit and _can_delete for
default aliases if special_alias_control is off and not superadmin
list.tpl:
- use $item._can_edit instead of $check_alias_owner
list-virtual.php:
- drop $check_alias_owner variable and check_alias_owner() call
(replaced by the code added in AliasHandler)
- drop unused $sql_domain
functions.inc.php:
- delete no longer used check_alias_owner() function
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1774 a1433add-5e2c-0410-b055-b7f2511e0802
- build_select_query(): add support for $search['_'] (searching if one
of the $this->searchfields contains the search text)
- getList(): make sure '_' is kept in the search parameters
functions.inc.php:
- db_where_clause(): slightly relax checks - if $condition is empty,
only error out if $additional_raw_where is also empty
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1772 a1433add-5e2c-0410-b055-b7f2511e0802
- better formatting in db_quota_text() and db_quota_percent() results
(for example, infinity sign instead of / 0 for unlimited)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1744 a1433add-5e2c-0410-b055-b7f2511e0802
- read_from_db(), getList():
- add $searchmode parameter (_before_ $limit and $offset!) to be able to
use query different query modes, not only "="
- add a warning that $condition will be changed to array only in the future
- getList(): filter $condition for fields that are available to the user
to avoid information leaks by using search parameters
(filter is only applied if $condition is an array!)
functions.inc.php:
- db_where_clause():
- add $additional_raw_where parameter for additional query parameters
- add $searchmode parameter to be able to use query different
query modes, not only "=" (see $allowed_operators)
- check for allowed operators in $searchmode
- split query into WHERE and HAVING (if a parameter has
$struct[select] set, HAVING is used)
list-virtual.php:
- adopt getList() call to the new syntax
AliasHandler:
- adopt getList() definition and call to the new syntax
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1731 a1433add-5e2c-0410-b055-b7f2511e0802
- pacol():
- add $linkto parameter (if list mode should link to something)
- replace $not_in_db with $multiopt - the remaining parameters can
now be specified as associated array (backwards-compatible)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1719 a1433add-5e2c-0410-b055-b7f2511e0802
- add functions db_quota_text() and db_quota_percent() to generate
queries for used quota ("x/y" and percentage)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1712 a1433add-5e2c-0410-b055-b7f2511e0802
- db_query(): do not print out the failed query, error_log() it instead
to avoid information leaks.
- update SF forum URL
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1592 a1433add-5e2c-0410-b055-b7f2511e0802
- new function db_pgsql() to replace lots of
"if ($CONF[database_type] == 'pgsql')) checks
- delete unused function boolconf()
several files:
- use db_pgsql() instead of checking $CONF[database_type]
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1582 a1433add-5e2c-0410-b055-b7f2511e0802
- move mailbox_postdeletion() to MailboxHandler
- move domain_postcreation() and domain_postdeletion() to
DomainHandler
- adopt those functions for usage inside the *Handler (replace
print with $this->errormsg etc.)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1579 a1433add-5e2c-0410-b055-b7f2511e0802
found out that the 'Config' class is too static - it shares its static
data with the 'Lang' child class.
This caused a conflict because we have $CONF[transport] and
$PALANG[transport], and Config::read('transport') returned the $PALANG
text.
To fix this, all texts are now stored as $CONF[__LANG].
I also dropped the 'Lang' class.
model/Config.php:
- mark the 'Config' class as final to ensure we don't trap into the
"too static" problem again.
- bool(): display and log an error message if a $CONF option does not
contain YES or NO (that would have uncovered this bug much earlier)
- add lang() and lang_f() wrapper functions to get $PALANG texts
- remove unused $__cache and $__objects
model/Lang.php:
- deleted
common.php:
- store $PALANG as $CONF[__LANG]
lots of files:
- replace Lang::read() and Lang::read_f() calls with Config::lang()
and Config::lang_f()
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1536 a1433add-5e2c-0410-b055-b7f2511e0802
- getList: change return value to be always true (even if the database
result is an empty array), and die() if the database result is not an
array.
This avoids some if blocks in various files to implement a fallback
to array() on empty results.
functions.inc.php:
- list_admins(): simplify after the *Handler->getList() change
- get_domain_properties(): change a forgotten $handler->return to
$handler->result() (follow-up for r1534)
list-domain, list-virtual.php:
- simplify after the *Handler->getList() change
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1535 a1433add-5e2c-0410-b055-b7f2511e0802
- pacrypt(), dovecot:* method:
- allow "." in dovecot method (to allow a suffix like ".b64")
- blacklist SCRAM-SHA-1 (needs -u)
- check against list of non-salted methods to be backward compatible
with dovecot < 2.1 again
Thanks to Szilagyi Jozsef <szjozsef AT yahoo DOT com> for providing
the list of non-salted methods etc.
functions.inc.php, scripts/postfixadmin-cli.php:
- drop unused global variables $table_admin and $table_alias_domain
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1529 a1433add-5e2c-0410-b055-b7f2511e0802
- pacrypt: digest-md5 hashes include the username - until someone
implements it, let's declare it as unsupported and error out
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1525 a1433add-5e2c-0410-b055-b7f2511e0802
- pacrypt(): some small changes after Szilagyi Jozsef's patch:
- comment out unused $crypt_method
- change $dovecotpw default to "doveadm pw" (unrelated to the patch)
- set $dovepasstest to "-t $pw_db" instead of having two similar
command lines, and also shellescapearg() $pw_db
- use "if (empty($dovepasstest))" instead of "if (empty($pw_db))"
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1524 a1433add-5e2c-0410-b055-b7f2511e0802
doveadmin pw now has an option "-t $hash" which allows to verify
salted passwords (added in dovecot 2.1 AFAIK)
Also, the {METHOD} part is no longer removed.
Patch by Szilagyi Jozsef <szjozsef [at] yahoo.com> - thanks!
(The schemes which requires also the username -u option is still not supported)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1523 a1433add-5e2c-0410-b055-b7f2511e0802
- check_quota ()
- allowed_quota()
- mailbox_postcreation()
- mailbox_postedit()
- create_mailbox_subfolders()
The code was moved without any changes, except
- added leading whitespace
- removed "TODO: move to MailboxHandler" ;-)
MailboxHandler:
- change function calls for moved functions
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1515 a1433add-5e2c-0410-b055-b7f2511e0802
check_quota()
mailbox_postcreation()
mailbox_postedit()
create_mailbox_subfolders()
- use Config::read() / Config::bool() instead of $CONF
- update comment header
- some minor changes to make the code better readable
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1514 a1433add-5e2c-0410-b055-b7f2511e0802
- move boolconf() to Config::bool()
boolconf() will stay for backwards compability, but new code
should use Config::bool()
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1467 a1433add-5e2c-0410-b055-b7f2511e0802
- check_domain(), check_email():
use Lang::read and Config::read instead of global variables
(global variables, at least $PALANG, don't seem to work with CLI)
- boolconf():
- use Config::read instead of global $CONF
- drop isset() check - doesn't make sense when using Config::read
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1452 a1433add-5e2c-0410-b055-b7f2511e0802
- check_domain(), check_email(): instead of calling flash_error(),
return string with error message - or empty string if everything is ok
model/AdminHandler.php, model/AliasHandler.php,
model/DomainHandler.php, model/MailboxHandler.php,
sendmail.php, users/edit-alias.php:
- adopt to changed check_domain() and check_email() return value
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1451 a1433add-5e2c-0410-b055-b7f2511e0802
- allowed_quota: if $CONF[quota] == NO, just return 0 (unlimited)
list-virtual.php:
- only eval_size($limit['maxquota']) if $CONF[quota] == YES
($limit['maxquota'] is not set if $CONF[quota] == NO)
Both issues (which caused PHP warnings) were found by TigerP on IRC
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1445 a1433add-5e2c-0410-b055-b7f2511e0802
configs/menu.conf:
- change url_create_mailbox to edit.php?table=mailbox
templates/list-virtual.tpl:
- replace hardcoded create-mailbox.php with {#url_create_mailbox#}
functions.inc.php:
- delete functions that are now part of MailboxHandler:
- check_mailbox()
- multiply_quota()
- add some TODO notes
config.inc.php:
- rewrite a comment that referenced create-mailbox.php
create-mailbox.php:
- delete - no longer needed
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1433 a1433add-5e2c-0410-b055-b7f2511e0802
- create_page_browser(): revert r1387 and...
- db_query(): ...replace it with the correct fix ;-) (avoid mysqli
reconnects)
The problem was that db_query() used is_resource() to check if we
already have a database connection, but a mysqli connection is an
object, not a resource.
This resulted in a new database connection for each query. Therefore
mysqli "forgot" the value of SET @row before executing the following
SELECT query (which used a new mysqli connection).
The fix is to also check with is_object() to avoid mysqli reconnects.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1388 a1433add-5e2c-0410-b055-b7f2511e0802
- create_page_browser(): include MOD(idx.row, $page_size) in outer SELECT.
This is needed on some MySQL setups which otherwise return an empty set.
Thanks to f-dens_ on IRC for helping to debug it.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1387 a1433add-5e2c-0410-b055-b7f2511e0802
- change list_admins() to use AdminHandler (code from list-admin.php)
Note: this changes the return value format to include all details,
not only the usernames. Use array_keys(list_admins()) if you need
the previous return format.
list-admin.php:
- replace code with a list_admins() call
list-domain.php:
- adopt to new list_admins() return value
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1386 a1433add-5e2c-0410-b055-b7f2511e0802
- _flash_string(): also accept an array of messages, not only a string
- comment updates for _flash_info() and flash_error() to reflect this change
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1378 a1433add-5e2c-0410-b055-b7f2511e0802
- PHP around 5.3.8 includes hex2bin as native function - http://php.net/hex2bin
therefore we have to wrap our function (which fortunately gives the same
results) with function_exists().
Reported by MadOtis on #postfixadmin
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1328 a1433add-5e2c-0410-b055-b7f2511e0802