Index: .htaccess
===================================================================
--- .htaccess	(revision a8b87f6410adce13ebba4fe70f98adaf9353747f)
+++ .htaccess	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -1,4 +1,6 @@
 # AddDefaultCharset	UTF-8
 php_flag	display_errors	Off
+php_flag	log_errors	On
+php_value	error_log	logs/errors
 php_value	upload_max_filesize	2M
 
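Review bot: `php_value error_log logs/errors` points the PHP error log at a path under the web root, so unless `logs/` is denied in this file or its own .htaccess, the log (which will now carry file paths, stack traces and whatever ends up in warnings) can be fetched over HTTP. A relative value here is also most likely resolved against the PHP process's working directory rather than the location of this .htaccess, which is not guaranteed to be the install directory. Prefer an absolute path outside the document root, or pair this with a `Deny from all` rule for the `logs/` directory.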
Index: CHANGELOG
===================================================================
--- CHANGELOG	(revision 321302e52788e79c3548adde8d66f8ad426c9591)
+++ CHANGELOG	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -1,4 +1,13 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
+
+2006/07/18
+----------
+- Fixed password with spaces issue (Bug #1364122)
+- Replaced _auth hash with second cookie (Ticket #1483811)
+- Don't use get_input_value() for passwords (Bug #1468895)
+- Made password encryption key configurable
+- Minor bugfixes with charset encoding
+
 
 2006/07/07
Index: config/main.inc.php.dist
===================================================================
--- config/main.inc.php.dist	(revision b4b081713ee88c9a7b2515d18c36bedf966641ce)
+++ config/main.inc.php.dist	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -99,4 +99,9 @@
 // check client IP in session athorization
 $rcmail_config['ip_check'] = TRUE;
+
+// this key is used to encrypt the users imap password which is stored
+// in the session record (and the client cookie if remember password is enabled).
+// please provide a string of exactly 24 chars.
+$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';
 
 // the default locale setting
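Review bot: The shipped default `'rcmail-!24ByteDESkey*Str'` on line 41 is public, so every installation that leaves it unchanged encrypts the session-stored (and, with remember-password, cookie-stored) IMAP passwords under a key anyone can read from the dist file; the comment should say so and tell the admin to change it, e.g. `// CHANGE THIS: use a random 24-character secret unique to this installation; the shipped default gives no protection.` Under the default, a leaked session record or cookie is effectively a plaintext IMAP credential. Consider having the setup step generate a random value instead of shipping a working default.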
Index: index.php
===================================================================
--- index.php	(revision 321302e52788e79c3548adde8d66f8ad426c9591)
+++ index.php	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -3,5 +3,5 @@
  +-----------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                         |
- | Version 0.1-20060505                                                  |
+ | Version 0.1-20060718                                                  |
  |                                                                       |
  | Copyright (C) 2005, RoundCube Dev. - Switzerland                      |
@@ -41,5 +41,5 @@
 */
 
-define('RCMAIL_VERSION', '0.1-20060707');
+define('RCMAIL_VERSION', '0.1-20060718');
 
 // define global vars
@@ -54,5 +54,11 @@
 else
   $INSTALL_PATH .= '/';
-	
+
+
+// make sure path_separator is defined
+if (!defined('PATH_SEPARATOR'))
+  define('PATH_SEPARATOR', (eregi('win', PHP_OS) ? ';' : ':'));
+
+
 // RC include folders MUST be included FIRST to avoid other
 // possible not compatible libraries (i.e PEAR) to be included
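Review bot: `eregi('win', PHP_OS)` on line 70 also matches `Darwin`, so the fallback defines PATH_SEPARATOR as `;` on Mac OS X, where it must be `:`. A prefix test avoids the false match: `define('PATH_SEPARATOR', (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? ';' : ':'));`. PHP defines PATH_SEPARATOR itself on current builds, so this fallback rarely fires, but when it does it should produce the right value.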
@@ -90,5 +96,5 @@
 
 // catch some url/post parameters
-$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
+//$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
 $_task = get_input_value('_task', RCUBE_INPUT_GPC);
 $_action = get_input_value('_action', RCUBE_INPUT_GPC);
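Review bot: Line 79 keeps the old `$_auth` assignment as commented-out code; since the value is no longer read after this change, delete the line rather than leaving it as a comment. Version control preserves the history, and commented-out code tends to be resurrected later without the context that made it unwanted (here, a credential carried in the request).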
@@ -105,6 +111,6 @@
 
 // set session related variables
-$COMM_PATH = sprintf('./?_auth=%s&_task=%s', $sess_auth, $_task);
-$SESS_HIDDEN_FIELD = sprintf('<input type="hidden" name="_auth" value="%s" />', $sess_auth);
+$COMM_PATH = sprintf('./?_task=%s', $_task);
+$SESS_HIDDEN_FIELD = '';
 
 
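Review bot: Emptying `$SESS_HIDDEN_FIELD` and dropping `_auth` from `$COMM_PATH` (lines 87–88) removes the only request-bound token the forms and action links carried; the replacement `sessauth` cookie (checked in the hunk at lines 107–110) is attached by the browser automatically, so a state-changing request forged from another site now passes the same check as a genuine one. If the old `_auth` parameter was doubling as CSRF protection — which its presence in hidden fields and action URLs suggests — that property is lost here. Keep a per-session random token in the hidden field and in `$COMM_PATH` and verify it on action requests, independently of the cookie check.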
@@ -147,7 +153,5 @@
     }
   else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
-           rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
-                        get_input_value('_pass', RCUBE_INPUT_POST),
-                        $host))
+           rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), $_POST['_pass'], $host))
     {
     // send redirect
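Review bot: Passing `$_POST['_pass']` straight through on line 97 bypasses whatever `get_input_value()` did to the value, and if that included reversing `magic_quotes_gpc` escaping, passwords containing `'`, `"` or `\` will now fail to authenticate on hosts with magic quotes enabled. If the intent is only to preserve spaces, undo the quoting but skip the trimming: `$pass = get_magic_quotes_gpc() ? stripslashes($_POST['_pass']) : $_POST['_pass'];` and pass `$pass` to `rcmail_login()`. The `else if` branch continues outside the hunk.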
@@ -169,8 +173,8 @@
   }
 
-// check session cookie and auth string
-else if ($_action!='login' && $sess_auth && $_SESSION['user_id'])
-  {
-  if ($_auth !== $sess_auth || $_auth != rcmail_auth_hash($_SESSION['client_id'], $_SESSION['auth_time']) ||
+// check session and auth cookie
+else if ($_action!='login' && $_SESSION['user_id'])
+  {
+  if (!rcmail_authenticate_session() ||
       ($CONFIG['session_lifetime'] && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
     {
Index: program/include/main.inc
===================================================================
--- program/include/main.inc	(revision c8c1e0ef3b229a82e74c70aeacc29f2ba021afbe)
+++ program/include/main.inc	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -47,5 +47,5 @@
   rcmail_load_host_config($CONFIG);
   
-  $CONFIG['skin_path'] = $CONFIG['skin_path'] ? preg_replace('/\/$/', '', $CONFIG['skin_path']) : 'skins/default';
+  $CONFIG['skin_path'] = $CONFIG['skin_path'] ? unslashify($CONFIG['skin_path']) : 'skins/default';
 
   // load db conf
@@ -56,5 +56,5 @@
     $CONFIG['log_dir'] = $INSTALL_PATH.'logs';
   else
-    $CONFIG['log_dir'] = ereg_replace('\/$', '', $CONFIG['log_dir']);
+    $CONFIG['log_dir'] = unslashify($CONFIG['log_dir']);
 
   // set PHP error logging according to config
@@ -68,5 +68,6 @@
   else
     ini_set('display_errors', 0);
-  
+
+
   // set session garbage collecting time according to session_lifetime
   if (!empty($CONFIG['session_lifetime']))
@@ -82,5 +83,4 @@
     
   // we can use the database for storing session data
-  // session queries do not work with MDB2
   if (!$DB->is_error())
     include_once('include/session.inc');
@@ -91,15 +91,12 @@
 
   // create session and set session vars
-  if (!$_SESSION['client_id'])
-    {
-    $_SESSION['client_id'] = $sess_id;
+  if (!isset($_SESSION['auth_time']))
+    {
     $_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']);
     $_SESSION['auth_time'] = mktime();
-    $_SESSION['auth'] = rcmail_auth_hash($sess_id, $_SESSION['auth_time']);
-    unset($GLOBALS['_auth']);
+    setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time']));
     }
 
   // set session vars global
-  $sess_auth = $_SESSION['auth'];
   $sess_user_lang = rcube_language_prop($_SESSION['user_lang']);
 
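Review bot: `setcookie('sessauth', ...)` on line 157 (and again in the later hunk that adds `rcmail_authenticate_session()`) sets the session-authentication cookie with no path and no secure flag, so it is scoped to the current directory and is sent in clear over HTTP even when the site is served via HTTPS. Because this cookie is what `rcmail_authenticate_session()` trusts, it deserves at least the protection of the session cookie: `setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time']), 0, '/', '', !empty($_SERVER['HTTPS']));`. Where `$sess_id` is assigned is outside this hunk; confirm it equals the current `session_id()` so the value matches what the verification side recomputes.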
@@ -149,5 +146,5 @@
      }
   }
-  
+
 
 // create authorization hash
@@ -168,4 +165,20 @@
   }
 
+
+// compare the auth hash sent by the client with the local session credentials
+function rcmail_authenticate_session()
+  {
+  $now = mktime();
+  $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']));
+  
+  // renew auth cookie every 5 minutes
+  if (!$valid || ($now-$_SESSION['auth_time'] > 300))
+    {
+    $_SESSION['auth_time'] = $now;
+    setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
+    }
+    
+  return $valid;
+  }
 
 
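Review bot: Line 179 compares the client-supplied cookie to the recomputed hash with `==` and reads `$_COOKIE['sessauth']` without checking that it exists; loose comparison of two numeric-looking strings (e.g. hex digests of the form `0e` followed by digits) is done numerically, so distinct values can compare equal, and a missing cookie raises a notice. Use `$valid = isset($_COOKIE['sessauth']) && $_COOKIE['sessauth'] === rcmail_auth_hash(session_id(), $_SESSION['auth_time']);`. Separately, the renewal branch on lines 182–186 also runs when `!$valid`, so a request carrying a wrong cookie is answered with a freshly minted valid one; that is only harmless if every caller destroys the session whenever this returns false — otherwise renew only when `$valid`.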
@@ -719,15 +732,33 @@
 
 
+// encrypt IMAP password using DES encryption
 function encrypt_passwd($pass)
   {
-  $cypher = des('rcmail?24BitPwDkeyF**ECB', $pass, 1, 0, NULL);
+  $cypher = des(get_des_key(), $pass, 1, 0, NULL);
   return base64_encode($cypher);
   }
 
 
+// decrypt IMAP password using DES encryption
 function decrypt_passwd($cypher)
   {
-  $pass = des('rcmail?24BitPwDkeyF**ECB', base64_decode($cypher), 0, 0, NULL);
-  return trim($pass);
+  $pass = des(get_des_key(), base64_decode($cypher), 0, 0, NULL);
+  return preg_replace('/\x00/', '', $pass);
+  }
+
+
+// return a 24 byte key for the DES encryption
+function get_des_key()
+  {
+  $key = !empty($GLOBALS['CONFIG']['des_key']) ? $GLOBALS['CONFIG']['des_key'] : 'rcmail?24BitPwDkeyF**ECB';
+  $len = strlen($key);
+  
+  // make sure the key is exactly 24 chars long
+  if ($len<24)
+    $key .= str_repeat('_', 24-$len);
+  else if ($len>24)
+    substr($key, 0, 24);
+  
+  return $key;
   }
 
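Review bot: `substr($key, 0, 24);` on line 224 discards its result, so a configured `des_key` longer than 24 characters reaches `des()` untruncated, contradicting the comment above it; it should read `$key = substr($key, 0, 24);`. A smaller point in the same function: a short key is padded with a fixed run of `'_'` on line 222, which makes the tail of the key predictable, so the key-length requirement in the config template should be enforced (or at least loudly documented) rather than silently patched here.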
@@ -803,5 +834,5 @@
   global $CONFIG;
 
-  $temp_dir = $CONFIG['temp_dir'].(!eregi('\/$', $CONFIG['temp_dir']) ? '/' : '');
+  $temp_dir = slashify($CONFIG['temp_dir']);
   $cache_dir = $temp_dir.$sess_id;
 
Index: program/include/rcube_imap.inc
===================================================================
--- program/include/rcube_imap.inc	(revision 25d8ba63b3c4831050e5d190cd42cf2b0b0f3a30)
+++ program/include/rcube_imap.inc	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -1733,5 +1733,5 @@
    * @access static
    */
-  function decode_mime_string($input)
+  function decode_mime_string($input, $recursive=false)
     {
     $out = '';
@@ -1754,5 +1754,5 @@
       return $out;
       }
-    
+      
     // no encoding information, defaults to what is specified in the class header
     return rcube_charset_convert($input, 'ISO-8859-1');
Index: program/include/rcube_shared.inc
===================================================================
--- program/include/rcube_shared.inc	(revision dd53e2b489e8787bb339511e33f2d6c4fd5efe3f)
+++ program/include/rcube_shared.inc	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -1335,5 +1335,6 @@
 
 
-
+// replace the middle part of a string with ...
+// if it is longer than the allowed length
 function abbrevate_string($str, $maxlength, $place_holder='...')
   {
@@ -1350,4 +1351,18 @@
   }
 
+
+// make sure the string ends with a slash
+function slashify($str)
+  {
+  return unslashify($str).'/';
+  }
+
+
+// remove slash at the end of the string
+function unslashify($str)
+  {
+  return preg_replace('/\/$/', '', $str);
+  }
+  
 
 // delete all files within a folder
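Review bot: `preg_replace('/\/$/', '', $str)` on line 280 strips exactly one trailing slash, so an input ending in `//` still ends in a slash and `slashify()` then returns a doubled separator. `rtrim($str, '/')` states the intent without a regex and collapses any run of trailing slashes — a behaviour change only for malformed input, and in the direction callers want. `slashify()` would then read `return rtrim($str, '/') . '/';`.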
Index: program/steps/mail/func.inc
===================================================================
--- program/steps/mail/func.inc	(revision 5f383dc98c40a6d3c230c81113b980fcac179ac4)
+++ program/steps/mail/func.inc	(revision bac7d1742d45f256ded98656482ec9995e1c330a)
@@ -215,5 +215,5 @@
       $class_name = 'junk';
 
-    $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'.
+    $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&amp;_mbox=%s"'.
                     ' onclick="return %s.command(\'list\',\'%s\')"'.
                     ' onmouseup="return %s.mbox_mouse_up(\'%s\')"%s>%s</a>',
@@ -438,5 +438,5 @@
         $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
         // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
-        $cont .= sprintf('<img src="%s%s" height="11" width="1000">', $skin_path, "/images/cleardot.png");
+        $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
         }
       else if ($col=='size')
@@ -1018,5 +1018,5 @@
       $header_value = format_date(strtotime($headers[$hkey]));
     else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
-      $header_value = rep_specialchars_output(rcmail_address_string($IMAP->decode_header($headers[$hkey]), NULL, $attrib['addicon']));
+      $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
     else
       $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
