summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG1
-rw-r--r--config/main.inc.php.dist5
-rw-r--r--index.php12
-rw-r--r--plugins/password/localization/en_US.inc7
-rw-r--r--plugins/password/localization/pl_PL.inc1
-rw-r--r--plugins/password/password.php31
6 files changed, 45 insertions, 12 deletions
diff --git a/CHANGELOG b/CHANGELOG
index fbc97ce60..ececfd769 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG RoundCube Webmail
===========================
+- Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473)
- Fix adding contacts SQL error on mysql (#1486459)
- Squirrelmail_usercopy: support reply-to field (#1486506)
- Fix IE spellcheck suggestion popup issue (#1486471)
diff --git a/config/main.inc.php.dist b/config/main.inc.php.dist
index f88226514..c35d4e1fc 100644
--- a/config/main.inc.php.dist
+++ b/config/main.inc.php.dist
@@ -123,6 +123,11 @@ $rcmail_config['smtp_auth_type'] = '';
// localhost if that isn't defined.
$rcmail_config['smtp_helo_host'] = '';
+// Password charset.
+// Use it if your authentication backend doesn't support UTF-8.
+// Defaults to ISO-8859-1 for backward compatibility
+$rcmail_config['password_charset'] = 'ISO-8859-1';
+
// Log sent messages
$rcmail_config['smtp_log'] = TRUE;
diff --git a/index.php b/index.php
index 87eb57696..8d3e10acd 100644
--- a/index.php
+++ b/index.php
@@ -82,15 +82,19 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
'host' => $RCMAIL->autoselect_host(),
'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
'cookiecheck' => true,
- )) + array('pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'));
+ ));
+
+ if (!isset($auth['pass']))
+ $auth['pass'] = get_input_value('_pass', RCUBE_INPUT_POST, true,
+ $RCMAIL->config->get('password_charset', 'ISO-8859-1'));
// check if client supports cookies
if ($auth['cookiecheck'] && empty($_COOKIE)) {
$OUTPUT->show_message("cookiesdisabled", 'warning');
}
- else if ($_SESSION['temp'] && !$auth['abort'] && !empty($auth['host']) &&
- !empty($auth['user']) && isset($auth['pass']) &&
- $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
+ else if ($_SESSION['temp'] && !$auth['abort'] &&
+ !empty($auth['host']) && !empty($auth['user']) &&
+ $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
// create new session ID
rcube_sess_unset('temp');
rcube_sess_regenerate_id();
diff --git a/plugins/password/localization/en_US.inc b/plugins/password/localization/en_US.inc
index 75fe8618f..1ae2158b0 100644
--- a/plugins/password/localization/en_US.inc
+++ b/plugins/password/localization/en_US.inc
@@ -11,10 +11,11 @@ $messages['nopassword'] = 'Please input new password.';
$messages['nocurpassword'] = 'Please input current password.';
$messages['passwordincorrect'] = 'Current password incorrect.';
$messages['passwordinconsistency'] = 'Passwords do not match, please try again.';
-$messages['crypterror'] = 'Could not save new password. Encrypt function missing.';
+$messages['crypterror'] = 'Could not save new password. Encryption function missing.';
$messages['connecterror'] = 'Could not save new password. Connection error.';
$messages['internalerror'] = 'Could not save new password.';
-$messages['passwordshort'] = 'Your password must be at least $length characters long.';
-$messages['passwordweak'] = 'Your new password must include at least one number and one punctuation character.';
+$messages['passwordshort'] = 'Password must be at least $length characters long.';
+$messages['passwordweak'] = 'Password must include at least one number and one punctuation character.';
+$messages['passwordforbidden'] = 'Password contains forbidden characters.';
?>
diff --git a/plugins/password/localization/pl_PL.inc b/plugins/password/localization/pl_PL.inc
index 774437a28..687ca9383 100644
--- a/plugins/password/localization/pl_PL.inc
+++ b/plugins/password/localization/pl_PL.inc
@@ -16,5 +16,6 @@ $messages['connecterror'] = 'Nie udało się zapisać nowego hasła. Błąd poł
$messages['internalerror'] = 'Nie udało się zapisać nowego hasła.';
$messages['passwordshort'] = 'Hasło musi posiadać co najmniej $length znaków.';
$messages['passwordweak'] = 'Hasło musi zawierać co najmniej jedną cyfrę i znak interpunkcyjny.';
+$messages['passwordforbidden'] = 'Hasło zawiera niedozwolone znaki.';
?>
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 4f34e40d2..3121eb6fe 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -86,11 +86,31 @@ class password extends rcube_plugin
}
else {
- $curpwd = get_input_value('_curpasswd', RCUBE_INPUT_POST);
- $newpwd = get_input_value('_newpasswd', RCUBE_INPUT_POST);
- $conpwd = get_input_value('_confpasswd', RCUBE_INPUT_POST);
-
- if ($conpwd != $newpwd) {
+ $charset = strtoupper($rcmail->config->get('password_charset', 'ISO-8859-1'));
+ $rc_charset = strtoupper($rcmail->output->get_charset());
+
+ $curpwd = get_input_value('_curpasswd', RCUBE_INPUT_POST, true, $charset);
+ $newpwd = get_input_value('_newpasswd', RCUBE_INPUT_POST, true);
+ $conpwd = get_input_value('_confpasswd', RCUBE_INPUT_POST, true);
+
+ // check allowed characters according to the configured 'password_charset' option
+ // by converting the password entered by the user to this charset and back to UTF-8
+ $orig_pwd = $newpwd;
+ $chk_pwd = rcube_charset_convert($orig_pwd, $rc_charset, $charset);
+ $chk_pwd = rcube_charset_convert($chk_pwd, $charset, $rc_charset);
+
+ // WARNING: Default password_charset is ISO-8859-1, so conversion will
+ // change national characters. This may disable possibility of using
+ // the same password in other MUA's.
+ // We're doing this for consistence with Roundcube core
+ $newpwd = rcube_charset_convert($newpwd, $rc_charset, $charset);
+ $conpwd = rcube_charset_convert($conpwd, $rc_charset, $charset);
+
+ if ($chk_pwd != $orig_pwd) {
+ $rcmail->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
+ }
+ // other passwords validity checks
+ else if ($conpwd != $newpwd) {
$rcmail->output->command('display_message', $this->gettext('passwordinconsistency'), 'error');
}
else if ($confirm && $rcmail->decrypt($_SESSION['password']) != $curpwd) {
@@ -103,6 +123,7 @@ class password extends rcube_plugin
else if ($check_strength && (!preg_match("/[0-9]/", $newpwd) || !preg_match("/[^A-Za-z0-9]/", $newpwd))) {
$rcmail->output->command('display_message', $this->gettext('passwordweak'), 'error');
}
+ // try to save the password
else if (!($res = $this->_save($curpwd,$newpwd))) {
$rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');
$_SESSION['password'] = $rcmail->encrypt($newpwd);