From d41db75d823de1fc2b69e0685794fa698184865d Mon Sep 17 00:00:00 2001
From: KaloNK
Date: Sun, 27 Nov 2016 15:20:58 +0200
Subject: [PATCH] Do not store passwords on disk - use proc_open instead of popen (#5531)
---
 plugins/password/password.php | 45 +++++++++++++++--------------------
 1 file changed, 19 insertions(+), 26 deletions(-)
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 5480a8741..22f28df71 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -598,38 +598,31 @@ class password extends rcube_plugin
 $method = 'CRAM-MD5';
 }

- // use common temp dir
- $tmp_dir = $rcmail->config->get('temp_dir');
- $tmpfile = tempnam($tmp_dir, 'roundcube-');
-
- $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w");
- if (!$pipe) {
- unlink($tmpfile);
+ $pipe = proc_open("$dovecotpw -s '$method'", array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('file', '/dev/null', 'a')), $pipes);
+ if (!is_resource($pipe)) return false;
+
+ fwrite($pipes[0], $password . "\n", 1+strlen($password));
+ usleep(1000);
+ fwrite($pipes[0], $password . "\n", 1+strlen($password));
+ fclose($pipes[0]);
+ $crypted = trim(stream_get_contents($pipes[1]), "\n");
+ fclose($pipes[1]);
+ proc_close($pipe);
+
+ if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
 return false;
 }
- else {
- fwrite($pipe, $password . "\n", 1+strlen($password)); usleep(1000);
- fwrite($pipe, $password . "\n", 1+strlen($password));
- pclose($pipe);
-
- $crypted = trim(file_get_contents($tmpfile), "\n");
- unlink($tmpfile);
-
- if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
- return false;
- }

- if (!$default) {
- $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
- }
-
- if (!$prefixed) {
- $crypted = trim(str_replace('{' . $method . '}', '', $crypted));
- }
+ if (!$default) {
+ $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
+ }

- $prefixed = false;
+ if (!$prefixed) {
+ $crypted = trim(str_replace('{' . $method . '}', '', $crypted));
 }

+ $prefixed = false;
+
 break;

 case 'hash': // deprecated
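Review bot: The added `proc_open` call still hands a shell an interpolated command line, with `$method` wrapped in hand-written single quotes. Its safety therefore rests on whatever check precedes the `$method = 'CRAM-MD5';` fallback above this hunk and on `$dovecotpw` being trusted configuration, neither of which is fully visible here. Building the command as `"$dovecotpw -s " . escapeshellarg($method)` would keep the quoting guarantee local to the call. Separately, stderr is sent to `/dev/null` and the return value of `proc_close($pipe)` is dropped, so a failing dovecotpw is caught only by the `{method}` prefix check and leaves nothing for an operator to diagnose; recording the failure before `return false;` would help. The brace-less `if (!is_resource($pipe)) return false;` also departs from the braced style used in the rest of the block.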