From a5c03db798d258e776995ec7c860edc689acd3ee Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 18 Oct 2015 09:37:46 +0200 Subject: [PATCH] Security: Added options to validate username/password on logon (#1490500) --- CHANGELOG | 1 + config/defaults.inc.php | 9 +++++++++ program/include/rcmail.php | 24 +++++++++++++++++++++--- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 6456fa678..c6ac453ab 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -9,6 +9,7 @@ CHANGELOG Roundcube Webmail - PGP encryption support via Mailvelope integration - PGP encryption support via Enigma plugin - PHP7 compatibility fixes (#1490416) +- Security: Added options to validate username/password on logon (#1490500) - Security: Improve randomness of security tokens (#1490529) - Security: Use random security tokens instead of hashes based on encryption key (#1490404) - Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719) diff --git a/config/defaults.inc.php b/config/defaults.inc.php index d53b70007..eef7de47f 100644 --- a/config/defaults.inc.php +++ b/config/defaults.inc.php @@ -306,6 +306,7 @@ $config['ldap_cache'] = 'db'; // Lifetime of LDAP cache. Possible units: s, m, h, d, w $config['ldap_cache_ttl'] = '10m'; + // ---------------------------------- // SYSTEM // ---------------------------------- @@ -377,6 +378,14 @@ $config['login_autocomplete'] = 0; // UPDATE users SET username = LOWER(username); $config['login_lc'] = 2; +// Maximum length (in bytes) of logon username and password. +$config['login_username_maxlen'] = 1024; +$config['login_password_maxlen'] = 1024; + +// Logon username filter. Regular expression for use with preg_match(). +// Example: '/^[a-z0-9_@.-]+$/' +$config['login_username_filter'] = null; + // Includes should be interpreted as PHP files $config['skin_include_php'] = false; diff --git a/program/include/rcmail.php b/program/include/rcmail.php index 81a1c817c..d74b70534 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -493,7 +493,7 @@ class rcmail extends rcube * * @return boolean True on success, False on failure */ - function login($username, $pass, $host = null, $cookiecheck = false) + function login($username, $password, $host = null, $cookiecheck = false) { $this->login_error = null; @@ -506,11 +506,23 @@ class rcmail extends rcube return false; } + $username_filter = $this->config->get('login_username_filter'); + $username_maxlen = $this->config->get('login_username_maxlen', 1024); + $password_maxlen = $this->config->get('login_password_maxlen', 1024); $default_host = $this->config->get('default_host'); $default_port = $this->config->get('default_port'); $username_domain = $this->config->get('username_domain'); $login_lc = $this->config->get('login_lc', 2); + // check input for security (#1490500) + if (($username_maxlen && strlen($username) > $username_maxlen) + || ($username_filter && !preg_match($username_filter, $username)) + || ($password_maxlen && strlen($password) > $password_maxlen) + ) { + $this->login_error = self::ERROR_INVALID_REQUEST; + return false; + } + // host is validated in rcmail::autoselect_host(), so here // we'll only handle unset host (if possible) if (!$host && !empty($default_host)) { @@ -595,7 +607,7 @@ class rcmail extends rcube $storage = $this->get_storage(); // try to log in - if (!$storage->connect($host, $username, $pass, $port, $ssl)) { + if (!$storage->connect($host, $username, $password, $port, $ssl)) { // Wait a second to slow down brute-force attacks (#1490549) sleep(1); return false; @@ -643,7 +655,7 @@ class rcmail extends rcube $_SESSION['storage_host'] = $host; $_SESSION['storage_port'] = $port; $_SESSION['storage_ssl'] = $ssl; - $_SESSION['password'] = $this->encrypt($pass); + $_SESSION['password'] = $this->encrypt($password); $_SESSION['login_time'] = time(); if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') { @@ -1069,6 +1081,12 @@ class rcmail extends rcube // failed login if ($failed_login) { + // don't fill the log with complete input, which could + // have been prepared by a hacker + if (strlen($user) > 256) { + $user = substr($user, 0, 256) . '...'; + } + $message = sprintf('Failed login for %s from %s in session %s (error: %d)', $user, rcube_utils::remote_ip(), session_id(), $error_code); }