summaryrefslogtreecommitdiff
path: root/plugins/password
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2015-02-05 11:27:34 +0100
committerAleksander Machniak <alec@alec.pl>2015-02-05 11:27:34 +0100
commit7c96646de0efda16cded8491138bfefe31aca940 (patch)
treeb5846cde645901d5c6dd33a1f08aaae78d074b82 /plugins/password
parent09d52dbb6716373ded6c116547cc5fcdc84f5487 (diff)
Fix security issue in DBMail driver of password plugin (#1490261)
Diffstat (limited to 'plugins/password')
-rw-r--r--plugins/password/drivers/dbmail.php17
-rw-r--r--plugins/password/helpers/chgdbmailusers.c2
2 files changed, 16 insertions, 3 deletions
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index d76486021..120728395 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -35,10 +35,23 @@ class rcube_dbmail_password
function save($currpass, $newpass)
{
$curdir = RCUBE_PLUGINS_DIR . 'password/helpers';
- $username = escapeshellcmd($_SESSION['username']);
+ $username = escapeshellarg($_SESSION['username']);
+ $password = escapeshellarg($newpass);
$args = rcmail::get_instance()->config->get('password_dbmail_args', '');
+ $command = "$curdir/chgdbmailusers -c $username -w $password $args";
- exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
+ if (strlen($command) > 1024) {
+ rcube::raise_error(array(
+ 'code' => 600,
+ 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Password plugin: The command is too long."
+ ), true, false);
+
+ return PASSWORD_ERROR;
+ }
+
+ exec($command, $output, $returnvalue);
if ($returnvalue == 0) {
return PASSWORD_SUCCESS;
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
index 22793857d..be237556e 100644
--- a/plugins/password/helpers/chgdbmailusers.c
+++ b/plugins/password/helpers/chgdbmailusers.c
@@ -16,7 +16,7 @@
main(int argc, char *argv[])
{
int cnt,rc,cc;
- char cmnd[255];
+ char cmnd[1024];
strcpy(cmnd, CMD);