<?php
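class rcube_webuzo_password
{
    /** @var object Owning soft_password plugin; supplies loaddata()/writedata() for the emails file. */
    private $plugin;

    /** @var string|null Webuzo account name, read from the 'webuzo_user' Roundcube config option. */
    private $webuzo_user;

    /** @var rcmail|null Roundcube application instance, populated by save(). */
    public $rc;

    public function __construct($plugin)
    {
        $this->plugin = $plugin;
    }

    /**
     * Password-change handler invoked by the password plugin.
     *
     * Runs the configured 'password_query' (default: SELECT update_passwd(%P, %u))
     * against 'password_db_dsn' or, if unset, Roundcube's own database, and on
     * success mirrors the new hash into the Webuzo emails file.
     *
     * Placeholders: %P / %O are the SHA-1 of the new / old password, quoted into
     * the query; %p / %o are the clear-text new / old password, bound as query
     * parameters; %l / %d / %u / %h are local part, domain, username and IMAP host,
     * quoted as text.
     *
     * NOTE(security): %P/%O and the emails file use unsalted SHA-1 because that is
     * the format the default update_passwd() query and the emails file appear to
     * consume; a stronger hash here must be changed in lock-step on the Webuzo side.
     *
     * @param string $curpass Current password
     * @param string $passwd  New password
     *
     * @return int PASSWORD_SUCCESS or PASSWORD_ERROR
     */
    function save($curpass, $passwd)
    {
        $this->rc          = rcmail::get_instance();
        $this->webuzo_user = $this->rc->config->get('webuzo_user');

        // Without the Webuzo account name the emails file cannot be located.
        if (empty($this->webuzo_user)) {
            return PASSWORD_ERROR;
        }

        $sql = $this->rc->config->get('password_query');
        if (!$sql) {
            $sql = 'SELECT update_passwd(%P, %u)';
        }

        $dsn = $this->rc->config->get('password_db_dsn');
        if ($dsn) {
            $db = rcube_db::factory(self::parse_dsn($dsn), '', false);
            $db->set_debug((bool) $this->rc->config->get('sql_debug'));
        }
        else {
            $db = $this->rc->get_dbh();
        }

        if ($db->is_error()) {
            return PASSWORD_ERROR;
        }

        // %P / %O: hashed new / old password, quoted straight into the query.
        // sha1() always returns a string, so there is no crypt-error branch to take.
        if (strpos($sql, '%P') !== false) {
            $sql = str_replace('%P', $db->quote(sha1($passwd)), $sql);
        }
        if (strpos($sql, '%O') !== false) {
            $sql = str_replace('%O', $db->quote(sha1($curpass)), $sql);
        }

        // %p / %o: clear-text passwords are never interpolated; each occurrence
        // becomes a bound '?' parameter, in query order (#1487034). The class is
        // [po], not [p|o] — inside [] a '|' is a literal and used to match "%|".
        $sql_vars = [];
        if (preg_match_all('/%[po]/', $sql, $m)) {
            foreach ($m[0] as $var) {
                if ($var === '%p') {
                    $sql        = preg_replace('/%p/', '?', $sql, 1);
                    $sql_vars[] = (string) $passwd;
                }
                else { // %o
                    $sql        = preg_replace('/%o/', '?', $sql, 1);
                    $sql_vars[] = (string) $curpass;
                }
            }
        }

        $local_part  = $this->rc->user->get_username('local');
        $domain_part = $this->rc->user->get_username('domain');
        $username    = $_SESSION['username'] ?? null;
        $host        = $_SESSION['imap_host'] ?? null;

        // Convert domains to/from punycode as the config requests.
        if ($this->rc->config->get('password_idn_ascii')) {
            $domain_part = rcube_utils::idn_to_ascii($domain_part);
            $username    = rcube_utils::idn_to_ascii($username);
            $host        = rcube_utils::idn_to_ascii($host);
        }
        else {
            $domain_part = rcube_utils::idn_to_utf8($domain_part);
            $username    = rcube_utils::idn_to_utf8($username);
            $host        = rcube_utils::idn_to_utf8($host);
        }

        // Identity placeholders are quoted as text; at least the local part is always set.
        $sql = str_replace(
            ['%l', '%d', '%u', '%h'],
            [
                $db->quote($local_part, 'text'),
                $db->quote($domain_part, 'text'),
                $db->quote($username, 'text'),
                $db->quote($host, 'text'),
            ],
            $sql
        );

        $res = $db->query($sql, $sql_vars);
        if ($db->is_error()) {
            return PASSWORD_ERROR;
        }

        if (strtolower(substr(trim($sql), 0, 6)) === 'select') {
            // A function-style query signals success by returning a row.
            $changed = (bool) $db->fetch_array($res);
        }
        else {
            // Don't require affected_rows === 1: INSERT ... ON DUPLICATE KEY UPDATE can report 2.
            $changed = $db->affected_rows($res) > 0;
        }

        if (!$changed) {
            return PASSWORD_ERROR;
        }

        // Mirror the new hash into the Webuzo emails file.
        $this->update_pass($username, $passwd);

        return PASSWORD_SUCCESS;
    }

    /**
     * Parse DSN string and replace host variables
     *
     * @param string $dsn DSN string
     *
     * @return string DSN string
     */
    protected static function parse_dsn($dsn)
    {
        // Explicit !== false: a bare strpos() truthiness test misses a '%' at offset 0.
        if (strpos($dsn, '%') !== false) {
            // parse DSN and replace variables in hostname
            $parsed = rcube_db::parse_dsn($dsn);
            $host   = rcube_utils::parse_host($parsed['hostspec']);

            // build back the DSN string
            if ($host !== $parsed['hostspec']) {
                $dsn = str_replace('@' . $parsed['hostspec'], '@' . $host, $dsn);
            }
        }

        return $dsn;
    }

    /**
     * Write the SHA-1 of the new password for $email into the Webuzo emails file.
     *
     * Only an existing mailbox entry is updated; no entry is created here.
     * The file path is built from the 'webuzo_user' config value, not from request data.
     *
     * @param string|null $email  Mailbox (login username)
     * @param string|null $passwd New clear-text password
     *
     * @return void
     */
    private function update_pass($email, $passwd)
    {
        global $globals;

        // Explicit null/'' checks: empty() would also skip the valid password '0'.
        if ($email === null || $email === '' || $passwd === null || $passwd === '') {
            return;
        }

        $email_path = '/var/webuzo/users/' . $this->webuzo_user . '/emails';

        // Best-effort ownership fix; only succeeds when running with sufficient
        // privileges, and a failure is not fatal. Guarded so a missing $globals
        // does not turn into a TypeError on chown().
        if (isset($globals['panel_user'])) {
            @chown($email_path, $globals['panel_user']);
        }

        $emails = $this->plugin->loaddata($email_path);
        if (isset($emails[$email]['password'])) {
            $emails[$email]['password'] = sha1($passwd);
        }

        // Save the DATA
        $this->plugin->writedata($email_path, $emails);
    }
}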