From 64608bf2ef7fc5b6cedfb666c5f78a5771c58556 Mon Sep 17 00:00:00 2001
From: alecpl <alec@alec.pl>
Date: Thu, 25 Feb 2010 10:56:01 +0000
Subject: - Password: Make passwords encoding consistent with core, add
 'password_charset' global option (#1486473)

---
 plugins/password/localization/en_US.inc |  7 ++++---
 plugins/password/localization/pl_PL.inc |  1 +
 plugins/password/password.php           | 31 ++++++++++++++++++++++++++-----
 3 files changed, 31 insertions(+), 8 deletions(-)

(limited to 'plugins')

diff --git a/plugins/password/localization/en_US.inc b/plugins/password/localization/en_US.inc
index 75fe8618f..1ae2158b0 100644
--- a/plugins/password/localization/en_US.inc
+++ b/plugins/password/localization/en_US.inc
@@ -11,10 +11,11 @@ $messages['nopassword'] = 'Please input new password.';
 $messages['nocurpassword'] = 'Please input current password.';
 $messages['passwordincorrect'] = 'Current password incorrect.';
 $messages['passwordinconsistency'] = 'Passwords do not match, please try again.';
-$messages['crypterror'] = 'Could not save new password. Encrypt function missing.';
+$messages['crypterror'] = 'Could not save new password. Encryption function missing.';
 $messages['connecterror'] = 'Could not save new password. Connection error.';
 $messages['internalerror'] = 'Could not save new password.';
-$messages['passwordshort'] = 'Your password must be at least $length characters long.';
-$messages['passwordweak'] = 'Your new password must include at least one number and one punctuation character.';
+$messages['passwordshort'] = 'Password must be at least $length characters long.';
+$messages['passwordweak'] = 'Password must include at least one number and one punctuation character.';
+$messages['passwordforbidden'] = 'Password contains forbidden characters.';
 
 ?>
diff --git a/plugins/password/localization/pl_PL.inc b/plugins/password/localization/pl_PL.inc
index 774437a28..687ca9383 100644
--- a/plugins/password/localization/pl_PL.inc
+++ b/plugins/password/localization/pl_PL.inc
@@ -16,5 +16,6 @@ $messages['connecterror'] = 'Nie udało się zapisać nowego hasła. Błąd poł
 $messages['internalerror'] = 'Nie udało się zapisać nowego hasła.';
 $messages['passwordshort'] = 'Hasło musi posiadać co najmniej $length znaków.';
 $messages['passwordweak'] = 'Hasło musi zawierać co najmniej jedną cyfrę i znak interpunkcyjny.';
+$messages['passwordforbidden'] = 'Hasło zawiera niedozwolone znaki.';
 
 ?>
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 4f34e40d2..3121eb6fe 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -86,11 +86,31 @@ class password extends rcube_plugin
     }
     else {
 
-      $curpwd = get_input_value('_curpasswd', RCUBE_INPUT_POST);
-      $newpwd = get_input_value('_newpasswd', RCUBE_INPUT_POST);
-      $conpwd = get_input_value('_confpasswd', RCUBE_INPUT_POST);
-
-      if ($conpwd != $newpwd) {
+      $charset = strtoupper($rcmail->config->get('password_charset', 'ISO-8859-1'));
+      $rc_charset = strtoupper($rcmail->output->get_charset());
+
+      $curpwd = get_input_value('_curpasswd', RCUBE_INPUT_POST, true, $charset);
+      $newpwd = get_input_value('_newpasswd', RCUBE_INPUT_POST, true);
+      $conpwd = get_input_value('_confpasswd', RCUBE_INPUT_POST, true);
+
+      // check allowed characters according to the configured 'password_charset' option
+      // by converting the password entered by the user to this charset and back to UTF-8
+      $orig_pwd = $newpwd;
+      $chk_pwd = rcube_charset_convert($orig_pwd, $rc_charset, $charset);
+      $chk_pwd = rcube_charset_convert($chk_pwd, $charset, $rc_charset);
+
+      // WARNING: Default password_charset is ISO-8859-1, so conversion will
+      // change national characters. This may disable possibility of using
+      // the same password in other MUA's.
+      // We're doing this for consistence with Roundcube core
+      $newpwd = rcube_charset_convert($newpwd, $rc_charset, $charset);
+      $conpwd = rcube_charset_convert($conpwd, $rc_charset, $charset);
+
+      if ($chk_pwd != $orig_pwd) {
+        $rcmail->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
+      }
+      // other passwords validity checks
+      else if ($conpwd != $newpwd) {
         $rcmail->output->command('display_message', $this->gettext('passwordinconsistency'), 'error');
       }
       else if ($confirm && $rcmail->decrypt($_SESSION['password']) != $curpwd) {
@@ -103,6 +123,7 @@ class password extends rcube_plugin
       else if ($check_strength && (!preg_match("/[0-9]/", $newpwd) || !preg_match("/[^A-Za-z0-9]/", $newpwd))) {
         $rcmail->output->command('display_message', $this->gettext('passwordweak'), 'error');
       }
+      // try to save the password
       else if (!($res = $this->_save($curpwd,$newpwd))) {
         $rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');
         $_SESSION['password'] = $rcmail->encrypt($newpwd);
-- 
cgit v1.2.3