From 64901dd0cc0c06458477653387bc8be8727abb7e Mon Sep 17 00:00:00 2001 From: alecpl Date: Wed, 2 Sep 2009 09:35:19 +0000 Subject: - Password plugin: support hashed passwords and username parts in sql driver queries --- plugins/password/config.inc.php.dist | 18 ++++++++++++++++- plugins/password/drivers/sql.php | 39 ++++++++++++++++++++++++++++++++++-- 2 files changed, 54 insertions(+), 3 deletions(-) diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 163fddaec..076cfd6a1 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -21,13 +21,29 @@ $rcmail_config['password_db_dsn'] = ''; // %p is replaced with the plaintext new password // %c is replaced with the crypt version of the new password, MD5 if available // otherwise DES. -// %u is replaced with the username (from the session info) // %o is replaced with the password before the change +// %n is replaced with the hashed version of the new password +// %q is replaced with the hashed password before the change // %h is replaced with the imap host (from the session info) +// %u is replaced with the username (from the session info) +// %l is replaced with the local part of the username +// (in case the username is an email address) +// %d is replaced with the domain part of the username +// (in case the username is an email address) // Escaping of macros is handled by this module. // Default: "SELECT update_passwd(%c, %u)" $rcmail_config['password_query'] = 'SELECT update_passwd(%c, %u)'; +// Using a password hash for %n and %q variables. +// Determine which hashing algorithm should be used to generate +// the hashed new and current password for using them within the +// SQL query. Requires PHP's 'hash' extension. +$rcmail_config['password_hash_algorithm'] = 'sha1'; + +// You can also decide whether the hash should be provided +// as hex string or in base64 encoded format. +$rcmail_config['password_hash_base64'] = false; + // Poppassd Driver options // ----------------------- diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 98e878a7d..9afaa65d8 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -5,7 +5,7 @@ * * Driver for passwords stored in SQL database * - * @version 1.1 + * @version 1.2 * @author Aleksander 'A.L.E.C' Machniak * */ @@ -34,6 +34,7 @@ function password_save($curpass, $passwd) if ($err = $db->is_error()) return PASSWORD_ERROR; + // crypted password if (strpos($sql, '%c') !== FALSE) { $salt = ''; if (CRYPT_MD5) { @@ -48,11 +49,45 @@ function password_save($curpass, $passwd) } $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql); } + + // hashed passwords + if (preg_match('/%[n|q]/', $sql)) { + + if (!extension_loaded('hash')) { + raise_error(array( + 'code' => 600, + 'type' => 'php', + 'file' => __FILE__, + 'message' => "Password plugin: 'hash' extension not loaded!" + ), true, false); + return PASSWORD_ERROR; + } + + if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) + $hash_algo = 'sha1'; + + $hash_passwd = hash($hash_algo, $passwd); + $hash_curpass = hash($hash_algo, $curpass); + + if ($rcmail->config->get('password_hash_base64')) { + $hash_passwd = base64_encode(pack('H*', $hash_passwd)); + $hash_curpass = base64_encode(pack('H*', $hash_curpass)); + } + + $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); + $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); + } + $user_info = explode('@', $_SESSION['username']); + if (count($user_info) >= 2) { + $sql = str_replace('%l', $db->quote($user_info[0], 'text'), $sql); + $sql = str_replace('%d', $db->quote($user_info[0], 'text'), $sql); + } + $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql); + $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql); $sql = str_replace('%p', $db->quote($passwd,'text'), $sql); $sql = str_replace('%o', $db->quote($curpass,'text'), $sql); - $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql); $res = $db->query($sql); -- cgit v1.2.3