Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#1490643)

Unify the C program code with the one used by other drivers.
pull/322/head
Aleksander Machniak 9 years ago
parent c9e2ab488e
commit 8ef598b883

@ -16,6 +16,7 @@ CHANGELOG Roundcube Webmail
- Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624) - Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624)
- Fix XSS issue in SVG images handling (#1490625) - Fix XSS issue in SVG images handling (#1490625)
- Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634) - Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634)
- Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#1490643)
RELEASE 1.2-beta RELEASE 1.2-beta
---------------- ----------------

@ -40,20 +40,9 @@ class rcube_dbmail_password
$args = rcmail::get_instance()->config->get('password_dbmail_args', ''); $args = rcmail::get_instance()->config->get('password_dbmail_args', '');
$command = "$curdir/chgdbmailusers -c $username -w $password $args"; $command = "$curdir/chgdbmailusers -c $username -w $password $args";
if (strlen($command) > 1024) { exec($command, $output, $return_value);
rcube::raise_error(array(
'code' => 600,
'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: The command is too long."
), true, false);
return PASSWORD_ERROR;
}
exec($command, $output, $returnvalue);
if ($returnvalue == 0) { if ($return_value == 0) {
return PASSWORD_SUCCESS; return PASSWORD_SUCCESS;
} }
else { else {
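Review bot: The new `exec($command, $output, $return_value);` still hands a shell a string built from `$username`, `$password` and `$args`, so its safety rests entirely on the quoting applied to `$username` and `$password` above this hunk (presumably escapeshellarg(), but those lines are outside it). Now that chgdbmailusers passes argv straight to execvp() with no second shell, those values must be shell-quoted exactly once here; a second layer of quoting would now reach dbmail-users verbatim and break passwords containing quotes. A why-comment on the `$command = ...` line would keep the next maintainer from re-adding escaping in the helper: `// chgdbmailusers execs dbmail-users directly (no shell), so arguments are shell-quoted once, here`. `$args` is interpolated unquoted, which is acceptable only because it comes from the admin-controlled `password_dbmail_args` config; worth stating in the same comment. The enclosing method's body continues past the hunk.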

@ -1,5 +1,4 @@
#include <stdio.h> #include <stdio.h>
#include <string.h>
#include <unistd.h> #include <unistd.h>
// set the UID this script will run as (root user) // set the UID this script will run as (root user)
@ -15,27 +14,10 @@
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
int cnt,rc,cc; int rc, cc;
char cmnd[1024];
strcpy(cmnd, CMD);
if (argc > 1)
{
for (cnt = 1; cnt < argc; cnt++)
{
strcat(cmnd, " ");
strcat(cmnd, argv[cnt]);
}
}
else
{
fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
return 255;
}
cc = setuid(UID); cc = setuid(UID);
rc = system(cmnd); rc = execvp(CMD, argv);
if ((rc != 0) || (cc != 0)) if ((rc != 0) || (cc != 0))
{ {
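Review bot: The `cc = setuid(UID)` result is only tested in the `if ((rc != 0) || (cc != 0))` that follows `rc = execvp(CMD, argv)`, and execvp() does not return on success, so a failed setuid() is never reported: the helper goes on to exec CMD under whatever uid it was invoked with. With system() the check ran after the child finished; after this change it has to move in front of the exec. Separately, execvp() consults the caller's PATH when CMD contains no slash, which a setuid-root wrapper should never do; CMD is defined outside the hunk, so if it is not an absolute path use execv() or hard-code the path. Once `cc` is checked up front, the test after the exec only ever sees execvp()'s -1 failure return and can drop `cc`. main()'s body continues past the hunk.
```c
    cc = setuid(UID);
    if (cc != 0)
    {
        fprintf(stderr, "__ %s: setuid failed %d\n", argv[0], cc);
        return 255;
    }
    rc = execvp(CMD, argv);
    /* … unchanged: failure report after the exec … */
```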
