diff options
author | Aleksander Machniak <alec@alec.pl> | 2012-09-18 10:56:37 +0200 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2012-09-18 10:56:37 +0200 |
commit | d9921e4d3f6c24d041838d242d2ae8b474ceae36 (patch) | |
tree | ed6f25baeffd1eb1d442238acd6684d0ce6c59ac | |
parent | 27032fb84f4f8643e954d2764201ae85e5b25554 (diff) |
Don't store user password in database (#1486553)
-rw-r--r-- | plugins/http_authentication/http_authentication.php | 86 | ||||
-rw-r--r-- | plugins/http_authentication/package.xml | 6 |
2 files changed, 54 insertions, 38 deletions
diff --git a/plugins/http_authentication/http_authentication.php b/plugins/http_authentication/http_authentication.php index 6c873713e..a14b5cbcc 100644 --- a/plugins/http_authentication/http_authentication.php +++ b/plugins/http_authentication/http_authentication.php @@ -17,51 +17,67 @@ */ class http_authentication extends rcube_plugin { - public $task = 'login|logout'; - function init() - { - $this->add_hook('startup', array($this, 'startup')); - $this->add_hook('authenticate', array($this, 'authenticate')); - $this->add_hook('logout_after', array($this, 'logout')); - } + function init() + { + $this->add_hook('startup', array($this, 'startup')); + $this->add_hook('authenticate', array($this, 'authenticate')); + $this->add_hook('logout_after', array($this, 'logout')); + } - function startup($args) - { - // change action to login - if (empty($args['action']) && empty($_SESSION['user_id']) - && !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) - $args['action'] = 'login'; + function startup($args) + { + if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { + $rcmail = rcmail::get_instance(); + $rcmail->add_shutdown_function(array('http_authentication', 'shutdown')); - return $args; - } + // handle login action + if (empty($args['action']) && empty($_SESSION['user_id'])) { + $args['action'] = 'login'; + } + // Set user password in session (see shutdown() method for more info) + else if (!empty($_SESSION['user_id']) && empty($_SESION['password'])) { + $_SESSION['password'] = $rcmail->encrypt($_SERVER['PHP_AUTH_PW']); + } + } - function authenticate($args) - { - // Allow entering other user data in login form, - // e.g. after log out (#1487953) - if (!empty($args['user'])) { return $args; } - if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { - $args['user'] = $_SERVER['PHP_AUTH_USER']; - $args['pass'] = $_SERVER['PHP_AUTH_PW']; - } + function authenticate($args) + { + // Allow entering other user data in login form, + // e.g. after log out (#1487953) + if (!empty($args['user'])) { + return $args; + } - $args['cookiecheck'] = false; - $args['valid'] = true; + if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { + $args['user'] = $_SERVER['PHP_AUTH_USER']; + $args['pass'] = $_SERVER['PHP_AUTH_PW']; + } - return $args; - } - - function logout($args) - { - // redirect to configured URL in order to clear HTTP auth credentials - if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER'] && ($url = rcmail::get_instance()->config->get('logout_url'))) { - header("Location: $url", true, 307); + $args['cookiecheck'] = false; + $args['valid'] = true; + + return $args; } - } + function logout($args) + { + // redirect to configured URL in order to clear HTTP auth credentials + if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER']) { + if ($url = rcmail::get_instance()->config->get('logout_url')) { + header("Location: $url", true, 307); + } + } + } + + function shutdown() + { + // There's no need to store password (even if encrypted) in session + // We'll set it back on startup (#1486553) + rcmail::get_instance()->session->remove('password'); + } } diff --git a/plugins/http_authentication/package.xml b/plugins/http_authentication/package.xml index d8f2036b6..aab3819a8 100644 --- a/plugins/http_authentication/package.xml +++ b/plugins/http_authentication/package.xml @@ -13,10 +13,10 @@ <email>roundcube@gmail.com</email> <active>yes</active> </lead> - <date>2011-11-21</date> + <date>2012-09-18</date> <version> - <release>1.4</release> - <api>1.4</api> + <release>1.5</release> + <api>1.5</api> </version> <stability> <release>stable</release> |