diff options
| author | Aleksander Machniak <alec@alec.pl> | 2015-02-05 11:27:34 +0100 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2015-02-05 11:27:34 +0100 |
| commit | 7c96646de0efda16cded8491138bfefe31aca940 (patch) | |
| tree | b5846cde645901d5c6dd33a1f08aaae78d074b82 /plugins/password | |
| parent | 09d52dbb6716373ded6c116547cc5fcdc84f5487 (diff) | |
Fix security issue in DBMail driver of password plugin (#1490261)
Diffstat (limited to 'plugins/password')
| -rw-r--r-- | plugins/password/drivers/dbmail.php | 17 | ||||
| -rw-r--r-- | plugins/password/helpers/chgdbmailusers.c | 2 |
2 files changed, 16 insertions, 3 deletions
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php index d76486021..120728395 100644 --- a/plugins/password/drivers/dbmail.php +++ b/plugins/password/drivers/dbmail.php @@ -35,10 +35,23 @@ class rcube_dbmail_password function save($currpass, $newpass) { $curdir = RCUBE_PLUGINS_DIR . 'password/helpers'; - $username = escapeshellcmd($_SESSION['username']); + $username = escapeshellarg($_SESSION['username']); + $password = escapeshellarg($newpass); $args = rcmail::get_instance()->config->get('password_dbmail_args', ''); + $command = "$curdir/chgdbmailusers -c $username -w $password $args"; - exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue); + if (strlen($command) > 1024) { + rcube::raise_error(array( + 'code' => 600, + 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: The command is too long." + ), true, false); + + return PASSWORD_ERROR; + } + + exec($command, $output, $returnvalue); if ($returnvalue == 0) { return PASSWORD_SUCCESS; diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c index 22793857d..be237556e 100644 --- a/plugins/password/helpers/chgdbmailusers.c +++ b/plugins/password/helpers/chgdbmailusers.c @@ -16,7 +16,7 @@ main(int argc, char *argv[]) { int cnt,rc,cc; - char cmnd[255]; + char cmnd[1024]; strcpy(cmnd, CMD); |