From d9921e4d3f6c24d041838d242d2ae8b474ceae36 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 18 Sep 2012 10:56:37 +0200 Subject: Don't store user password in database (#1486553) --- .../http_authentication/http_authentication.php | 86 +++++++++++++--------- plugins/http_authentication/package.xml | 6 +- 2 files changed, 54 insertions(+), 38 deletions(-) diff --git a/plugins/http_authentication/http_authentication.php b/plugins/http_authentication/http_authentication.php index 6c873713e..a14b5cbcc 100644 --- a/plugins/http_authentication/http_authentication.php +++ b/plugins/http_authentication/http_authentication.php @@ -17,51 +17,67 @@ */ class http_authentication extends rcube_plugin { - public $task = 'login|logout'; - function init() - { - $this->add_hook('startup', array($this, 'startup')); - $this->add_hook('authenticate', array($this, 'authenticate')); - $this->add_hook('logout_after', array($this, 'logout')); - } + function init() + { + $this->add_hook('startup', array($this, 'startup')); + $this->add_hook('authenticate', array($this, 'authenticate')); + $this->add_hook('logout_after', array($this, 'logout')); + } - function startup($args) - { - // change action to login - if (empty($args['action']) && empty($_SESSION['user_id']) - && !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) - $args['action'] = 'login'; + function startup($args) + { + if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { + $rcmail = rcmail::get_instance(); + $rcmail->add_shutdown_function(array('http_authentication', 'shutdown')); - return $args; - } + // handle login action + if (empty($args['action']) && empty($_SESSION['user_id'])) { + $args['action'] = 'login'; + } + // Set user password in session (see shutdown() method for more info) + else if (!empty($_SESSION['user_id']) && empty($_SESION['password'])) { + $_SESSION['password'] = $rcmail->encrypt($_SERVER['PHP_AUTH_PW']); + } + } - function authenticate($args) - { - // Allow entering other user data in login form, - // e.g. after log out (#1487953) - if (!empty($args['user'])) { return $args; } - if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { - $args['user'] = $_SERVER['PHP_AUTH_USER']; - $args['pass'] = $_SERVER['PHP_AUTH_PW']; - } + function authenticate($args) + { + // Allow entering other user data in login form, + // e.g. after log out (#1487953) + if (!empty($args['user'])) { + return $args; + } - $args['cookiecheck'] = false; - $args['valid'] = true; + if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) { + $args['user'] = $_SERVER['PHP_AUTH_USER']; + $args['pass'] = $_SERVER['PHP_AUTH_PW']; + } - return $args; - } - - function logout($args) - { - // redirect to configured URL in order to clear HTTP auth credentials - if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER'] && ($url = rcmail::get_instance()->config->get('logout_url'))) { - header("Location: $url", true, 307); + $args['cookiecheck'] = false; + $args['valid'] = true; + + return $args; } - } + function logout($args) + { + // redirect to configured URL in order to clear HTTP auth credentials + if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER']) { + if ($url = rcmail::get_instance()->config->get('logout_url')) { + header("Location: $url", true, 307); + } + } + } + + function shutdown() + { + // There's no need to store password (even if encrypted) in session + // We'll set it back on startup (#1486553) + rcmail::get_instance()->session->remove('password'); + } } diff --git a/plugins/http_authentication/package.xml b/plugins/http_authentication/package.xml index d8f2036b6..aab3819a8 100644 --- a/plugins/http_authentication/package.xml +++ b/plugins/http_authentication/package.xml @@ -13,10 +13,10 @@ roundcube@gmail.com yes - 2011-11-21 + 2012-09-18 - 1.4 - 1.4 + 1.5 + 1.5 stable -- cgit v1.2.3