
List:       squirrelmail-devel
Subject:    [SM-DEVEL] Fwd: changes in plugin change_password
From:       Pablo Alvarez de Sotomayor Posadillo <i02sopop () gmail ! com>
Date:       2008-09-18 3:57:53
Message-ID: 200809180558.00761.i02sopop () gmail ! com

It seems the last message I sent to the list didn't arrive well (at least I 
can't see it properly in the archive), so I'm resending it.

regards

-- 
    Pablo Alvarez de Sotomayor Posadillo
Technical Engineer in Computer Systems
	     http://ritho.net
 "Of all the things I have lost, the one
      I miss the most is my brain"

["forwarded message" (message/rfc822)]



Hi all,

In one of the mail systems I administer I use the digest-md5 method to 
store the passwords in a MySQL table, so I've decided to add this encryption 
method to the change_password plugin. I'm using SquirrelMail 1.5.2 from 
Subversion. I'm sending you the attached patch to include it in the case.

I've seen that the plugin didn't do any variable checking, and this is a 
potential bug, especially with those variables set by the user. Should I add 
some variable checking to the plugin? Also, if you are interested, I can add 
new methods to store the password in the plugin.

I have another question, but this one is about the functionality: can I actually have 
a different password configured for the SquirrelMail webmail and the IMAP server? 
I know this question may sound a bit strange, but I'm interested in giving 
some users access only to SquirrelMail but not to the IMAP server.

Regards

-- 
    Pablo Alvarez de Sotomayor Posadillo
Technical Engineer in Computer Systems
	     http://ritho.net
 "Of all the things I have lost, the one
      I miss the most is my brain"

["plugin_change_password_digest_md5.patch" (text/x-diff)]

Index: plugins/change_password/backend/mysql.php
===================================================================
--- plugins/change_password/backend/mysql.php	(revision 13271)
+++ plugins/change_password/backend/mysql.php	(working copy)
@@ -17,7 +17,7 @@
 
 global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
        $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
-       $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;
+       $mysql_saslcrypt, $mysql_unixcrypt, $mysql_digest_md5_crypt, $cpw_mysql;
 
 // Initialize defaults
 $mysql_server = 'localhost';
@@ -35,6 +35,7 @@
 // saslcrypt checked first - if it is 1, UNIX crypt is not used.
 $mysql_saslcrypt = 0; // use MySQL password() function
 $mysql_unixcrypt = 0; // use UNIX crypt() function
+$mysql_digest_md5_crypt = 0; // use md5() function with digest method
 
 // get overrides from config.
 if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
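
Review bot: the comment on the new `$mysql_digest_md5_crypt = 0;` line does not say what is actually stored, and the precedence comment two lines above it ("saslcrypt checked first - if it is 1, UNIX crypt is not used") is left unchanged. Please document that this option stores the MD5 of the username, two colons and the password, and state where it falls in the order when more than one of the three flags is set to 1.
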
@@ -75,7 +76,7 @@
 
     global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
            $mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
-           $mysql_saslcrypt, $mysql_unixcrypt;
+           $mysql_saslcrypt, $mysql_unixcrypt, $mysql_digest_md5_crypt;
 
     // TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
     $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
@@ -98,6 +99,8 @@
     } elseif ($mysql_unixcrypt) {
         // FIXME: why password field name is used for salting
         $query_string  .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", \
'.$mysql_password_field . ')'; +    } elseif ($mysql_digest_md5_crypt) {
+        $query_string  .= '=MD5("'.mysql_real_escape_string($username, \
$ds).'::'.mysql_real_escape_string($curpw, $ds).'")';  } else {
         $query_string  .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
     }
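
Review bot: the string hashed in the new `elseif ($mysql_digest_md5_crypt)` branch is the username, '::' and the password, so the realm field between the two colons is always empty. If the goal is to match a digest-md5 style username:realm:password value, a table built with a non-empty realm will never verify, so consider a configurable realm (escaped like the other two parts) that defaults to empty. The branch also sits after `$mysql_unixcrypt`, so it is silently skipped when both flags are set, and the result is a single unsalted MD5; a comment should say this exists for compatibility with an existing table rather than as a recommended storage format.
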
@@ -125,6 +128,8 @@
     } elseif ($mysql_unixcrypt) {
         // FIXME: use random salt when you create new password
         $update_string  .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", \
'.$mysql_password_field . ')'; +    } elseif ($mysql_digest_md5_crypt) {
+        $update_string  .= '=MD5("'.mysql_real_escape_string($username, \
$ds).'::'.mysql_real_escape_string($newpw, $ds).'")';  } else {
         $update_string  .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
     }
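
Review bot: the `MD5(...)` expression in this update branch is a second hand-written copy of the one added to the `$query_string` check, and the two must stay byte-identical or a newly set password will never verify. Build the expression once in a small helper that takes the password and call it from both places. Because the username is part of the hash input, the documentation should also say that renaming an account invalidates its stored value.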

