List: squirrelmail-devel
Subject: [SM-DEVEL] Fwd: changes in plugin change_password
From: Pablo Alvarez de Sotomayor Posadillo <i02sopop () gmail ! com>
Date: 2008-09-18 3:57:53
Message-ID: 200809180558.00761.i02sopop () gmail ! com
It seems the last message I sent to the list didn't arrive properly (at least I
can't see it properly in the archive), so I'm resending it.
Regards
--
Pablo Alvarez de Sotomayor Posadillo
Technical Engineer in Computer Systems
http://ritho.net
"Of all the things I've lost, the one
I miss the most is my mind"
["forwarded message" (message/rfc822)]
Hi all,
In one of the mail systems I administer I use the digest-md5 method to
store the passwords in a MySQL table, so I've decided to add this encryption
method to the change_password plugin. I'm using SquirrelMail 1.5.2 from
Subversion. I'm sending you the attached patch to include it in the case.
I've seen that the plugin didn't do any variable checking, and this is a
potential bug, especially with those variables set by the user. Should I add
some variable checking to the plugin? Also, if you are interested I can add
new methods to store the password in the plugin.
I have another question, but this one is about the functionality: can I actually
configure a different password for the SquirrelMail webmail and the IMAP server?
I know this question may sound a bit strange, but I'm interested in giving
some users access only to SquirrelMail but not to the IMAP server.
Regards
--
Pablo Alvarez de Sotomayor Posadillo
Technical Engineer in Computer Systems
http://ritho.net
"Of all the things I've lost, the one
I miss the most is my mind"
["plugin_change_password_digest_md5.patch" (text/x-diff)]
Index: plugins/change_password/backend/mysql.php
===================================================================
--- plugins/change_password/backend/mysql.php (revision 13271)
+++ plugins/change_password/backend/mysql.php (working copy)
@@ -17,7 +17,7 @@
global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
- $mysql_saslcrypt, $mysql_unixcrypt, $cpw_mysql;
+ $mysql_saslcrypt, $mysql_unixcrypt, $mysql_digest_md5_crypt, $cpw_mysql;
// Initialize defaults
$mysql_server = 'localhost';
@@ -35,6 +35,7 @@
// saslcrypt checked first - if it is 1, UNIX crypt is not used.
$mysql_saslcrypt = 0; // use MySQL password() function
$mysql_unixcrypt = 0; // use UNIX crypt() function
+$mysql_digest_md5_crypt = 0; // use md5() function with digest method
// get overrides from config.
if ( isset($cpw_mysql) && is_array($cpw_mysql) && !empty($cpw_mysql) )
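Review bot: the comment on the added `$mysql_digest_md5_crypt = 0;` line says "use md5() function", but the later hunks build the hash with the SQL `MD5()` function inside the query string, not with PHP's md5(); the comment should say which one is meant. The existing comment just above documents precedence ("saslcrypt checked first - if it is 1, UNIX crypt is not used"); it should be extended to say that the new flag is only consulted after the `$mysql_unixcrypt` branch, since the later hunks add it as the last `elseif`, so an administrator who sets more than one flag knows which scheme wins.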
@@ -75,7 +76,7 @@
global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field,
$mysql_password_field, $mysql_manager_id, $mysql_manager_pw,
- $mysql_saslcrypt, $mysql_unixcrypt;
+ $mysql_saslcrypt, $mysql_unixcrypt, $mysql_digest_md5_crypt;
// TODO: allow to choose between mysql_connect() and mysql_pconnect() functions.
$ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw);
@@ -98,6 +99,8 @@
} elseif ($mysql_unixcrypt) {
// FIXME: why password field name is used for salting
$query_string .= '=encrypt("'.mysql_real_escape_string($curpw, $ds).'", \
'.$mysql_password_field . ')'; + } elseif ($mysql_digest_md5_crypt) {
+ $query_string .= '=MD5("'.mysql_real_escape_string($username, \
$ds).'::'.mysql_real_escape_string($curpw, $ds).'")'; } else {
$query_string .= '="' . mysql_real_escape_string($curpw, $ds) . '"';
}
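Review bot: in the new `elseif ($mysql_digest_md5_crypt)` branch the hashed string is the username, two colons, then the password, which is the DIGEST-MD5 form username:realm:password with the realm fixed to the empty string. A site that stores hashes computed with a non-empty realm can never match here, so the realm should come from a config value (defaulting to the empty string) placed between the two colons, and the exact stored format should be documented next to the flag. The hunk also does not show where `$username` is set in this function; please confirm it is the same value that is compared against `$mysql_userid_field`, because the hash depends on it byte for byte.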
@@ -125,6 +128,8 @@
} elseif ($mysql_unixcrypt) {
// FIXME: use random salt when you create new password
$update_string .= '=encrypt("'.mysql_real_escape_string($newpw, $ds).'", \
'.$mysql_password_field . ')'; + } elseif ($mysql_digest_md5_crypt) {
+ $update_string .= '=MD5("'.mysql_real_escape_string($username, \
$ds).'::'.mysql_real_escape_string($newpw, $ds).'")'; } else {
$update_string .= '="' . mysql_real_escape_string($newpw, $ds) . '"';
}
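Review bot: the added update branch places the new password in clear text inside `MD5("...")`, so the plaintext is part of the statement sent to MySQL and will show up wherever the server records statement text. Computing the digest in PHP with md5() and putting only the 32-character hex result into `$update_string` avoids that, and the same applies to `$query_string` in the comparison hunk above. The hash expression is now written out twice, once for the check and once for the update; building it in one small helper would keep the two from drifting apart.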