Merge remote-tracking branch 'ispc3/stable-3.1' into rspamd

Client can create global whitelists and blacklists for email, fixes #5356

Author: Marius Burkard

install/sql/incremental/upd_dev_collection.sql

@@ -30,3 +30,8 @@ UPDATE `spamfilter_policy` SET `rspamd_spam_kill_level` = '999.00' WHERE id = 3;
 UPDATE `spamfilter_policy` SET `rspamd_spam_kill_level` = '8.00' WHERE id = 6;
 UPDATE `spamfilter_policy` SET `rspamd_spam_kill_level` = '20.00' WHERE id = 7;
 -- end of rspamd
+ALTER TABLE `client` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
+ALTER TABLE `ftp_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
+ALTER TABLE `shell_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
+ALTER TABLE `sys_user` CHANGE COLUMN `passwort` `passwort` VARCHAR(200) DEFAULT NULL;
+ALTER TABLE `webdav_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;

install/sql/ispconfig3.sql

@@ -243,7 +243,7 @@ CREATE TABLE `client` (
   `limit_openvz_vm_template_id` int(11) NOT NULL DEFAULT '0',
   `parent_client_id` int(11) unsigned NOT NULL DEFAULT '0',
   `username` varchar(64) DEFAULT NULL,
-  `password` varchar(64) DEFAULT NULL,
+  `password` varchar(200) DEFAULT NULL,
   `language` char(2) NOT NULL DEFAULT 'en',
   `usertheme` varchar(32) NOT NULL DEFAULT 'default',
   `template_master` int(11) unsigned NOT NULL DEFAULT '0',
@@ -705,7 +705,7 @@ CREATE TABLE `ftp_user` (
   `parent_domain_id` int(11) unsigned NOT NULL default '0',
   `username` varchar(64) default NULL,
   `username_prefix` varchar(50) NOT NULL default '',
-  `password` varchar(64) default NULL,
+  `password` varchar(200) default NULL,
   `quota_size` bigint(20) NOT NULL default '-1',
   `active` enum('n','y') NOT NULL default 'y',
   `uid` varchar(64) default NULL,
@@ -1440,7 +1440,7 @@ CREATE TABLE `shell_user` (
   `parent_domain_id` int(11) unsigned NOT NULL default '0',
   `username` varchar(64) default NULL,
   `username_prefix` varchar(50) NOT NULL default '',
-  `password` varchar(64) default NULL,
+  `password` varchar(200) default NULL,
   `quota_size` bigint(20) NOT NULL default '-1',
   `active` enum('n','y') NOT NULL default 'y',
   `puser` varchar(255) default NULL,
@@ -1869,7 +1869,7 @@ CREATE TABLE `sys_user` (
   `sys_perm_group` varchar(5) NOT NULL default 'riud',
   `sys_perm_other` varchar(5) NOT NULL default '',
   `username` varchar(64) NOT NULL default '',
-  `passwort` varchar(64) NOT NULL default '',
+  `passwort` varchar(200) NOT NULL default '',
   `modules` varchar(255) NOT NULL default '',
   `startmodule` varchar(255) NOT NULL default '',
   `app_theme` varchar(32) NOT NULL default 'default',
@@ -1904,7 +1904,7 @@ CREATE TABLE `webdav_user` (
   `parent_domain_id` int(11) unsigned NOT NULL DEFAULT '0',
   `username` varchar(64) DEFAULT NULL,
   `username_prefix` varchar(50) NOT NULL default '',
-  `password` varchar(64) DEFAULT NULL,
+  `password` varchar(200) DEFAULT NULL,
   `active` enum('n','y') NOT NULL DEFAULT 'y',
   `dir` varchar(255) DEFAULT NULL,
   PRIMARY KEY (`webdav_user_id`)

interface/lib/app.inc.php

@@ -78,7 +78,7 @@ public function __get($prop) {
 
 		$this->uses($prop);
 		if(property_exists($this, $prop)) return $this->{$prop};
-		else return null;
+		else trigger_error('Undefined property ' . $name . ' of class app', E_USER_WARNING);
 	}
 
 	public function __destruct() {

interface/lib/classes/auth.inc.php

@@ -231,12 +231,27 @@ public function crypt_password($cleartext_password, $charset = 'UTF-8') {
 		if($charset != 'UTF-8') {
 			$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
 		}
-		$salt="$1$";
-		$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
-		for ($n=0;$n<8;$n++) {
-			$salt.=$base64_alphabet[mt_rand(0, 63)];
+		
+		if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
+			$salt = '$6$rounds=5000$';
+			$salt_length = 16;
+		} elseif(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
+			$salt = '$5$rounds=5000$';
+			$salt_length = 16;
+		} else {
+			$salt = '$1$';
+			$salt_length = 12;
+		}
+		
+		if(function_exists('openssl_random_pseudo_bytes')) {
+			$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
+		} else {
+			$base64_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
+			for($n = 0; $n < $salt_length; $n++) {
+				$salt .= $base64_alphabet[mt_rand(0, 63)];
+			}
 		}
-		$salt.="$";
+		$salt .= "$";
 		return crypt($cleartext_password, $salt);
 	}
 

interface/lib/classes/functions.inc.php

@@ -451,9 +451,9 @@ public function generate_ssh_key($client_id, $username = ''){
 		if(file_exists($id_rsa_file)) unset($id_rsa_file);
 		if(file_exists($id_rsa_pub_file)) unset($id_rsa_pub_file);
 		if(!file_exists($id_rsa_file) && !file_exists($id_rsa_pub_file)) {
-			exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f '.$id_rsa_file.' -N ""');
+			$app->system->exec_safe('ssh-keygen -t rsa -C ? -f ? -N ""', $username.'-rsa-key-'.time(), $id_rsa_file);
 			$app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ?, ssh_rsa = ? WHERE client_id = ?", @file_get_contents($id_rsa_file), @file_get_contents($id_rsa_pub_file), $client_id);
-			exec('rm -f '.$id_rsa_file.' '.$id_rsa_pub_file);
+			$app->system->exec_safe('rm -f ? ?', $id_rsa_file, $id_rsa_pub_file);
 		} else {
 			$app->log("Failed to create SSH keypair for ".$username, LOGLEVEL_WARN);
 		}

interface/lib/classes/remote.d/client.inc.php

@@ -604,11 +604,9 @@ public function client_login_get($session_id,$username,$password,$remote_ip = ''
 			if($user) {
 				$saved_password = stripslashes($user['password']);
 
-				if(substr($saved_password, 0, 3) == '$1$') {
-					//* The password is crypt-md5 encrypted
-					$salt = '$1$'.substr($saved_password, 3, 8).'$';
-
-					if(crypt(stripslashes($password), $salt) != $saved_password) {
+				if(preg_match('/^\$[156]\$/', $saved_password)) {
+					//* The password is crypt encrypted
+					if(crypt(stripslashes($password), $saved_password) !== $saved_password) {
 						$user = false;
 					}
 				} else {
@@ -636,11 +634,9 @@ public function client_login_get($session_id,$username,$password,$remote_ip = ''
 			if($user) {
 				$saved_password = stripslashes($user['passwort']);
 
-				if(substr($saved_password, 0, 3) == '$1$') {
+				if(preg_match('/^\$[156]\$/', $saved_password)) {
 					//* The password is crypt-md5 encrypted
-					$salt = '$1$'.substr($saved_password, 3, 8).'$';
-
-					if(crypt(stripslashes($password), $salt) != $saved_password) {
+					if(crypt(stripslashes($password), $saved_password) != $saved_password) {
 						$user = false;
 					}
 				} else {

interface/lib/classes/remoting.inc.php

@@ -99,28 +99,22 @@ public function login($username, $password, $client_login = false)
 			if($user) {
 				$saved_password = stripslashes($user['passwort']);
 
-				if(substr($saved_password, 0, 3) == '$1$') {
+				if(preg_match('/^\$[156]\$/', $saved_password)) {
 					//* The password is crypt-md5 encrypted
-					$salt = '$1$'.substr($saved_password, 3, 8).'$';
-
-					if(crypt(stripslashes($password), $salt) != $saved_password) {
+					if(crypt(stripslashes($password), $saved_password) != $saved_password) {
 						throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
-						return false;
 					}
 				} else {
 					//* The password is md5 encrypted
 					if(md5($password) != $saved_password) {
 						throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
-						return false;
 					}
 				}
 			} else {
 				throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
-				return false;
 			}
 			if($user['active'] != 1) {
 				throw new SoapFault('client_login_failed', 'The login failed. User is blocked.');
-				return false;
 			}
 
 			// now we need the client data

interface/lib/classes/system.inc.php

@@ -31,6 +31,8 @@
 class system {
 
 	var $client_service = null;
+	private $_last_exec_out = null;
+	private $_last_exec_retcode = null;
 
 	public function has_service($userid, $service) {
 		global $app;
@@ -52,8 +54,47 @@ public function has_service($userid, $service) {
 			return false;
 		}
 	}
-} //* End Class
-
-?>
 
+	public function last_exec_out() {
+		return $this->_last_exec_out;
+	}
+	
+	public function last_exec_retcode() {
+		return $this->_last_exec_retcode;
+	}
+	
+	public function exec_safe($cmd) {
+		$arg_count = func_num_args();
+		if($arg_count != substr_count($cmd, '?') + 1) {
+			trigger_error('Placeholder count not matching argument list.', E_USER_WARNING);
+			return false;
+		}
+		if($arg_count > 1) {
+			$args = func_get_args();
 
+			$pos = 0;
+			$a = 0;
+			foreach($args as $value) {
+				$a++;
+				
+				$pos = strpos($cmd, '?', $pos);
+				if($pos === false) {
+					break;
+				}
+				$value = escapeshellarg($value);
+				$cmd = substr_replace($cmd, $value, $pos, 1);
+				$pos += strlen($value);
+			}
+		}
+		
+		$this->_last_exec_out = null;
+		$this->_last_exec_retcode = null;
+		return exec($cmd, $this->_last_exec_out, $this->_last_exec_retcode);
+	}
+	
+	public function system_safe($cmd) {
+		call_user_func_array(array($this, 'exec_safe'), func_get_args());
+		return implode("\n", $this->_last_exec_out);
+	}	
+	
+} //* End Class

interface/lib/classes/validate_dkim.inc.php

@@ -49,10 +49,13 @@ function get_error($errmsg) {
 	 * Validator function for private DKIM-Key
 	 */
 	function check_private_key($field_name, $field_value, $validator) {
+		global $app;
+		
 		$dkim_enabled=$_POST['dkim'];
 		if ($dkim_enabled == 'y') {
 			if (empty($field_value)) return $this->get_error($validator['errmsg']);
-			exec('echo '.escapeshellarg($field_value).'|openssl rsa -check', $output, $result);
+			$app->system->exec_safe('echo ?|openssl rsa -check', $field_value);
+			$result = $app->system->last_exec_retcode();
 			if($result != 0) return $this->get_error($validator['errmsg']);
 		}
 	}

interface/web/admin/users_edit.php

@@ -104,6 +104,8 @@ function onBeforeUpdate() {
 	function onAfterUpdate() {
 		global $app, $conf;
 
+		$app->uses('auth');
+		
 		$client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ?", $this->id);
 		$client_id = $app->functions->intval($client['client_id']);
 		$username = $this->dataRecord["username"];
@@ -121,13 +123,7 @@ function onAfterUpdate() {
 		// password changed
 		if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["passwort"]) && $this->dataRecord["passwort"] != '') {
 			$password = $this->dataRecord["passwort"];
-			$salt="$1$";
-			$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
-			for ($n=0;$n<8;$n++) {
-				$salt.=$base64_alphabet[mt_rand(0, 63)];
-			}
-			$salt.="$";
-			$password = crypt(stripslashes($password), $salt);
+			$password = $app->auth->crypt_password($password);
 			$sql = "UPDATE client SET password = ? WHERE client_id = ? AND username = ?";
 			$app->db->query($sql, $password, $client_id, $username);
 		}