Commit Graph

239 Commits (ddb94e24ee23c5671919de1c1438c3f5c56640ce)

Author SHA1 Message Date
er1cs 7b8626ca81
Update functions.inc.php
I found that Mysql 8 don't like table names without `` in requests. So i make changes in function table_by_key in functions.inc.php and in upgrade.php . Now it works.  FreeBSD 11.1 Apache/2.4.29 (FreeBSD) PHP/7.1.11 Mysql 8
7 years ago
Lee Clemens ebbd9025e4 Add support for MySQL connections over SSL 7 years ago
Sylvain Tissot ffb84283c2
Harden password reset process
The improvements are:

- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other databases types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only by used once.
7 years ago
David Goodwin 4b999b3f6b improve mysqli connection settings - see https://github.com/postfixadmin/postfixadmin/issues/73 7 years ago
Sylvain Tissot 9c9ba64a7f Allows a user or admin to reset his/her forgotten password with a code sent by email/SMS #18 7 years ago
Christian Boltz be5fafa9fb
changelog update etc. for 3.1 release 8 years ago
Christian Boltz 64f1593818
revert "support unicode domain names - see #47"
Unicode support is a much bigger can of worms (see the discussion in #47),
and having just a little part of unicode support in is a bad idea.

You can of course use the xn--whatever notation for unicode domains ;-)
8 years ago
David Goodwin a09a3fa3b0 support unicode domain names - see #47 8 years ago
Christian Boltz 88bd9bfd19
drop $db_conn parameter from escape_string()
Connection caching is now done in db_connect() which is a much better
place.

This reverts most of c253ef7dbd
8 years ago
Christian Schrötter 846dcb756c
Remove unnecessary code 8 years ago
Christian Schrötter e28f3f5959
Fix for mysqli_connect() 8 years ago
Christian Schrötter 2dea9fadd4
Remove whitespace 8 years ago
David Goodwin c253ef7dbd allow escape_string() to take a db connection as a parameter; should improve performance when there are a large number of things to escape 8 years ago
Christian Boltz 28703935b3 3.0.2 release
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1894 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz 16e1407621 db_where_clause(): allow NULL and NOTNULL searchmodes
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1878 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz bbec3e9f0e pacrypt(): allow switching between dovecot:* password schemes
Dovecot password hashes include a {SCHEME} prefix, so it's possible to
switch the scheme while still accepting passwords hashed using the
previous dovecot:* scheme.

This patch adds the code needed to find out the used hashing scheme
from the hash and ensures it gets used to validate the password.

Patch by Aaron Lindsay <aaron AT aclindsay com> (sent to the ML)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1875 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz 6eda18fcde prepare PostfixAdmin 3.0 release
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1861 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz 2a6247a6d9 db_connect(): drop unused variable $succes(s)
One of the variable names had a typo [1], and since those variables are
unused, the best way is to drop them.

[1] reported by tfarina, https://github.com/postfixadmin/postfixadmin/issues/15


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1858 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz 13cdd50d0a Add checks to login.php and cli to ensure database layout is up to date
- add check_db_version() to functions.inc.php
- add $min_db_version (needs to be updated at least before the release)
- call check_db_version in login.php, users/login.php and CLI - they'll
  error out if the database layout is outdated
- change setup.php to use check_db_version()



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1853 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz a00e8a811d functions.inc.php:
- check_domain(): someone had the great idea to allow punicode
  even in TLDs, so we better allow it.
  https://sourceforge.net/p/postfixadmin/feature-requests/93/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1839 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz a0151bd5a1 functions.inc.php:
- pacrypt(): don't stripslashes($pw) because this breaks passwords with
  backslashes. This stripslashes() existed since forever, but probably
  became harmful with all the rewrites in the last years.
  https://sourceforge.net/p/postfixadmin/bugs/349/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1838 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 9335232024 functions.inc.php:
- fix db_quota_text() for postgresql (concat() vs. ||)
  https://sourceforge.net/p/postfixadmin/bugs/370/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1834 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
David Goodwin d3ca74af0d merge github pull request into svn manually - 3e62d3975a - adding configurable smtp helo (CONF["smtp_client"])
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1832 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz b261db86c7 Merge pull request #9 from phyrog/master
Add sqlite backend option (thank you @phyrog for doing this)

(imported from github)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1824 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 129a65b8c5 functions.inc.php:
- gen_show_status(): escape mail addresses in query.
  Fixes https://sourceforge.net/p/postfixadmin/bugs/356/
  (mostly - the edit/delete/... links in list-virtual are double-escaped)
  In theory this could allow SQL injection, in practise the mail address
  regex limits this issue to a DOS (creating a mail address with ' caused
  an invalid query that broke list-virtual)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1809 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 9636fe9de3 3.0 beta3 (= 2.93) release - update $version and changelog
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1799 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 5307cfe48a functions.inc.php check_domain():
Measure time needed for the nameserver queries, and error_log a warning
if the queries need more than 2 seconds in total.

Inspired by a question from t-ask on IRC, who suffered from a slow
nameserver and had some "fun" to debug it ;-)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1790 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 3a72203de4 AliasHandler:
- initStruct(): replace (wrong) 'editable' with '_can_edit' and '_can_delete'
- read_from_db_postprocess(): disable _can_edit and _can_delete for
  default aliases if special_alias_control is off and not superadmin

list.tpl:
- use $item._can_edit instead of $check_alias_owner

list-virtual.php:
- drop $check_alias_owner variable and check_alias_owner() call
  (replaced by the code added in AliasHandler)
- drop unused $sql_domain

functions.inc.php:
- delete no longer used check_alias_owner() function



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1774 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz cc598d0f3f PFAHandler:
- build_select_query(): add support for $search['_'] (searching if one
  of the $this->searchfields contains the search text)
- getList(): make sure '_' is kept in the search parameters

functions.inc.php:
- db_where_clause(): slightly relax checks - if $condition is empty,
  only error out if $additional_raw_where is also empty


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1772 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 5605561ca8 functions.inc.php:
- better formatting in db_quota_text() and db_quota_percent() results
  (for example, infinity sign instead of / 0 for unlimited)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1744 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 13f1a28b6e PFAHandler:
- read_from_db(), getList(): 
  - add $searchmode parameter (_before_ $limit and $offset!) to be able to 
    use query different query modes, not only "="
  - add a warning that $condition will be changed to array only in the future
- getList(): filter $condition for fields that are available to the user
  to avoid information leaks by using search parameters
  (filter is only applied if $condition is an array!)

functions.inc.php: 
- db_where_clause():
  - add $additional_raw_where parameter for additional query parameters
  - add $searchmode parameter to be able to use query different
    query modes, not only "=" (see $allowed_operators)
  - check for allowed operators in $searchmode
  - split query into WHERE and HAVING (if a parameter has
    $struct[select] set, HAVING is used)

list-virtual.php:
- adopt getList() call to the new syntax

AliasHandler:
- adopt getList() definition and call to the new syntax

 


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1731 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 786a7d665e functions.inc.php:
- pacol():
  - add $linkto parameter (if list mode should link to something)
  - replace $not_in_db with $multiopt - the remaining parameters can
    now be specified as associated array (backwards-compatible)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1719 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 9093a946b4 functions.inc.php:
- add functions db_quota_text() and db_quota_percent() to generate
  queries for used quota ("x/y" and percentage)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1712 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz e8b0198512 2.92 (aka 3.0 beta2) release
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1706 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz d3964f600e functions.inc.php
- db_get_boolean: error_log invalid values


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1672 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 0b116c1605 version 2.91 aka 3.0 beta1
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1670 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 8e04104b20 functions.inc.php:
- db_log():
  - replace $action_list with $LANG["pViewlog_action_$action"]
  - drop unused $table_log variable


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1658 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
David Goodwin b3074644ff alias can contain a ' - as in email.o'connor - need to therefore escape this...
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1639 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz e7fe6e16ef functions.inc.php:
- check_domains(): raise TLD limit to 13 chars - even if I seriously
  doubt someone wants to use such a long TLD ;-)
  ( https://sourceforge.net/p/postfixadmin/bugs/310/ again)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1637 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 9bcc57cd88 functions.inc.php
- check_domain(): update regex for new, longer TLDs like .photography
  https://sourceforge.net/p/postfixadmin/bugs/310/
 


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1635 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 252ae047d5 various files:
- get rid of global $table_* variables, use table_by_key() instead



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1601 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 57f4ad0b75 functions.inc.php pacrypt():
- for 'system' encryption, use full hashed password as salt 
  https://sourceforge.net/p/postfixadmin/bugs/2/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1595 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 1a35cccf5e list-virtual.php:
- remember domain and page browser offset in $_SESSION
  (fixes 50% of http://sourceforge.net/p/postfixadmin/bugs/298/ )
- various cleanups

functions.inc.php:
- add safesession() (like safeget(), but for $_SESSION)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1593 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz c349420210 functions.inc.php
- db_query(): do not print out the failed query, error_log() it instead
  to avoid information leaks.
- update SF forum URL


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1592 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 20d1ffcafc functions.inc.php:
- new function db_pgsql() to replace lots of
  "if ($CONF[database_type] == 'pgsql')) checks
- delete unused function boolconf()

several files:
- use db_pgsql() instead of checking $CONF[database_type]



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1582 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 2bf5df92ea functions.inc.php, DomainHandler, MailboxHandler:
- move mailbox_postdeletion() to MailboxHandler
- move domain_postcreation() and domain_postdeletion() to
  DomainHandler
- adopt those functions for usage inside the *Handler (replace
  print with $this->errormsg etc.)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1579 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 6e2e132bac remove "postfixadmin.com" in comments in lots of files
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1558 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz d900835997 functions.inc.php:
- pacrypt(): fix dovecot:* to work with "old" passwords that don't have 
  the {method} prefix


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1554 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz b137e774f6 functions.inc.php:
- check_language(): remove things like ";q=0.8" before checking if 
  a language exists


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1547 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago
Christian Boltz 4d9a338eb2 After hunting an "undefined index transport" error in list-domain, I
found out that the 'Config' class is too static - it shares its static
data with the 'Lang' child class. 

This caused a conflict because we have $CONF[transport] and 
$PALANG[transport], and Config::read('transport') returned the $PALANG 
text.

To fix this, all texts are now stored as $CONF[__LANG].
I also dropped the 'Lang' class.


model/Config.php:
- mark the 'Config' class as final to ensure we don't trap into the 
  "too static" problem again.
- bool(): display and log an error message if a $CONF option does not
  contain YES or NO (that would have uncovered this bug much earlier)
- add lang() and lang_f() wrapper functions to get $PALANG texts
- remove unused $__cache and $__objects

model/Lang.php:
- deleted

common.php:
- store $PALANG as $CONF[__LANG]

lots of files:
- replace Lang::read() and Lang::read_f() calls with Config::lang()
  and Config::lang_f()




git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1536 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago