authorAleksander Machniak <alec@alec.pl>2015-02-05 11:27:34 +0100
committerAleksander Machniak <alec@alec.pl>2015-02-05 11:27:34 +0100
commit7c96646de0efda16cded8491138bfefe31aca940 (patch)
treeb5846cde645901d5c6dd33a1f08aaae78d074b82
parent09d52dbb6716373ded6c116547cc5fcdc84f5487 (diff)
Fix security issue in DBMail driver of password plugin (#1490261)
-rw-r--r--CHANGELOG1
-rw-r--r--plugins/password/drivers/dbmail.php17
-rw-r--r--plugins/password/helpers/chgdbmailusers.c2
3 files changed, 17 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 2b04ac290..74cd27db1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,7 @@ CHANGELOG Roundcube Webmail
- Fix keyboard navigation and css in datepicker widget across many Firefox versions
- Fix false warning when opening attached text/plain files (#1490241)
- Fix bug where signature could have been inserted twice after plain-to-html switch (#1490239)
+- Fix security issue in DBMail driver of password plugin (#1490261)
RELEASE 1.1-rc
--------------
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index d76486021..120728395 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -35,10 +35,23 @@ class rcube_dbmail_password
function save($currpass, $newpass)
{
$curdir = RCUBE_PLUGINS_DIR . 'password/helpers';
- $username = escapeshellcmd($_SESSION['username']);
+ $username = escapeshellarg($_SESSION['username']);
+ $password = escapeshellarg($newpass);
$args = rcmail::get_instance()->config->get('password_dbmail_args', '');
+ $command = "$curdir/chgdbmailusers -c $username -w $password $args";
- exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+ if (strlen($command) > 1024) {
+ rcube::raise_error(array(
+ 'code' => 600,
+ 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Password plugin: The command is too long."
+ ), true, false);
+
+ return PASSWORD_ERROR;
+ }
+
+ exec($command, $output, $returnvalue);
if ($returnvalue == 0) {
return PASSWORD_SUCCESS;
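Review bot: The `strlen($command) > 1024` guard is only a caller-side approximation of the helper's buffer: it is tied by a bare number to `char cmnd[1024]` in the plugins/password/helpers/chgdbmailusers.c hunk and measures the PHP command line, `$curdir/chgdbmailusers` prefix included, rather than what the helper copies after `strcpy(cmnd, CMD)`. How the helper appends its arguments is outside that hunk, but unless it bounds the copy itself, enlarging the array only moves the limit, and anything that runs the helper without going through save() skips this check, so the bound belongs in the C code too. Here I would at least add `// 1024 must match sizeof(cmnd) in helpers/chgdbmailusers.c` above the check. Separately, `-w $password` still places the new password on the helper's argv, where it may be readable by other local users in the process list while exec() runs. save() continues past the end of the hunk.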
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
index 22793857d..be237556e 100644
--- a/plugins/password/helpers/chgdbmailusers.c
+++ b/plugins/password/helpers/chgdbmailusers.c
@@ -16,7 +16,7 @@
main(int argc, char *argv[])
{
int cnt,rc,cc;
- char cmnd[255];
+ char cmnd[1024];
strcpy(cmnd, CMD);