banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Security: Added options to validate username/password on logon (#1490500)

Browse Source
pull/299/merge
Aleksander Machniak 9 years ago
parent c1bbf0d0b6
commit a5c03db798
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File

1
CHANGELOG
Unescape Escape View File

@ -9,6 +9,7 @@ CHANGELOG Roundcube Webmail
- PGP encryption support via Mailvelope integration - PGP encryption support via Mailvelope integration
- PGP encryption support via Enigma plugin - PGP encryption support via Enigma plugin
- PHP7 compatibility fixes (#1490416) - PHP7 compatibility fixes (#1490416)
- Security: Added options to validate username/password on logon (#1490500)
- Security: Improve randomness of security tokens (#1490529) - Security: Improve randomness of security tokens (#1490529)
- Security: Use random security tokens instead of hashes based on encryption key (#1490404) - Security: Use random security tokens instead of hashes based on encryption key (#1490404)
- Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719) - Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719)

9
config/defaults.inc.php
Unescape Escape View File

@ -306,6 +306,7 @@ $config['ldap_cache'] = 'db';
// Lifetime of LDAP cache. Possible units: s, m, h, d, w // Lifetime of LDAP cache. Possible units: s, m, h, d, w
$config['ldap_cache_ttl'] = '10m'; $config['ldap_cache_ttl'] = '10m';
// ---------------------------------- // ----------------------------------
// SYSTEM // SYSTEM
// ---------------------------------- // ----------------------------------
@ -377,6 +378,14 @@ $config['login_autocomplete'] = 0;
// UPDATE users SET username = LOWER(username); // UPDATE users SET username = LOWER(username);
$config['login_lc'] = 2; $config['login_lc'] = 2;
// Maximum length (in bytes) of logon username and password.
$config['login_username_maxlen'] = 1024;
$config['login_password_maxlen'] = 1024;
// Logon username filter. Regular expression for use with preg_match().
// Example: '/^[a-z0-9_@.-]+$/'
$config['login_username_filter'] = null;
// Includes should be interpreted as PHP files // Includes should be interpreted as PHP files
$config['skin_include_php'] = false; $config['skin_include_php'] = false;

24
program/include/rcmail.php
Unescape Escape View File

@ -493,7 +493,7 @@ class rcmail extends rcube
* *
* @return boolean True on success, False on failure * @return boolean True on success, False on failure
*/ */
function login($username, $pass, $host = null, $cookiecheck = false) function login($username, $password, $host = null, $cookiecheck = false)
{ {
$this->login_error = null; $this->login_error = null;
@ -506,11 +506,23 @@ class rcmail extends rcube
return false; return false;
} }
$username_filter = $this->config->get('login_username_filter');
$username_maxlen = $this->config->get('login_username_maxlen', 1024);
$password_maxlen = $this->config->get('login_password_maxlen', 1024);
$default_host = $this->config->get('default_host'); $default_host = $this->config->get('default_host');
$default_port = $this->config->get('default_port'); $default_port = $this->config->get('default_port');
$username_domain = $this->config->get('username_domain'); $username_domain = $this->config->get('username_domain');
$login_lc = $this->config->get('login_lc', 2); $login_lc = $this->config->get('login_lc', 2);
// check input for security (#1490500)
if (($username_maxlen && strlen($username) > $username_maxlen)
|| ($username_filter && !preg_match($username_filter, $username))
|| ($password_maxlen && strlen($password) > $password_maxlen)
) {
$this->login_error = self::ERROR_INVALID_REQUEST;
return false;
}
// host is validated in rcmail::autoselect_host(), so here // host is validated in rcmail::autoselect_host(), so here
// we'll only handle unset host (if possible) // we'll only handle unset host (if possible)
if (!$host && !empty($default_host)) { if (!$host && !empty($default_host)) {
@ -595,7 +607,7 @@ class rcmail extends rcube
$storage = $this->get_storage(); $storage = $this->get_storage();
// try to log in // try to log in
if (!$storage->connect($host, $username, $pass, $port, $ssl)) { if (!$storage->connect($host, $username, $password, $port, $ssl)) {
// Wait a second to slow down brute-force attacks (#1490549) // Wait a second to slow down brute-force attacks (#1490549)
sleep(1); sleep(1);
return false; return false;
@ -643,7 +655,7 @@ class rcmail extends rcube
$_SESSION['storage_host'] = $host; $_SESSION['storage_host'] = $host;
$_SESSION['storage_port'] = $port; $_SESSION['storage_port'] = $port;
$_SESSION['storage_ssl'] = $ssl; $_SESSION['storage_ssl'] = $ssl;
$_SESSION['password'] = $this->encrypt($pass); $_SESSION['password'] = $this->encrypt($password);
$_SESSION['login_time'] = time(); $_SESSION['login_time'] = time();
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') { if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@ -1069,6 +1081,12 @@ class rcmail extends rcube
// failed login // failed login
if ($failed_login) { if ($failed_login) {
// don't fill the log with complete input, which could
// have been prepared by a hacker
if (strlen($user) > 256) {
$user = substr($user, 0, 256) . '...';
}
$message = sprintf('Failed login for %s from %s in session %s (error: %d)', $message = sprintf('Failed login for %s from %s in session %s (error: %d)',
$user, rcube_utils::remote_ip(), session_id(), $error_code); $user, rcube_utils::remote_ip(), session_id(), $error_code);
} }

Write Preview
Loading…
Cancel
Save