Fix security issue in DBMail driver of password plugin (#1490261)

Conflicts:

	CHANGELOG

CHANGELOG

@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Make SMTP error log more verbose - include server response and error code
+- Fix security issue in DBMail driver of password plugin (#1490261)
 
 RELEASE 1.0.5
 -------------

plugins/password/drivers/dbmail.php

@@ -20,10 +20,23 @@ class rcube_dbmail_password
     function save($currpass, $newpass)
     {
         $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $username = escapeshellarg($_SESSION['username']);
+        $password = escapeshellarg($newpass);
         $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
+        $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
 
-        exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+        if (strlen($command) > 1024) {
+            rcube::raise_error(array(
+                'code' => 600,
+                'type' => 'php',
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Password plugin: The command is too long."
+                ), true, false);
+
+            return PASSWORD_ERROR;
+        }
+
+        exec($command, $output, $returnvalue);
 
         if ($returnvalue == 0) {
             return PASSWORD_SUCCESS;

plugins/password/helpers/chgdbmailusers.c

@@ -16,7 +16,7 @@
 main(int argc, char *argv[])
 {
   int cnt,rc,cc;
-  char cmnd[255];
+  char cmnd[1024];
 
   strcpy(cmnd, CMD);