replace custom HTTPS socket code with libcurl (hestiacp#3160)

divinity76 · web-flow · commit 788ff120c768 · 2022-12-20T16:38:31.000+01:00
* replace custom HTTPS socket code with libcurl several reasons, for one, "$result = fread($fp, 2048);" is not the correct way to read the result, what if its more than 2048 bytes? or what if its less, and the server doesn't close the connection, then you risk a stalling read taking much longer than than required, the correct way is to parse out the "Content-Length" header and read that many bytes (which curl does, the custom https socket code didn't), and.. its just simpler and easier to read curl code than custom https socket code~ * formatting * PR feedback hestiacp#3160 (comment) * PR feedback hestiacp#3160 (comment) * PR feedback/useragent
diff --git a/install/common/roundcube/hestia.php b/install/common/roundcube/hestia.php
@@ -7,7 +7,7 @@
  * @author HestiaCP <info@hestiacp.com>
  */
 class rcube_hestia_password {
-	function save($curpass, $passwd) {
+	public function save($curpass, $passwd) {
 		$rcmail = rcmail::get_instance();
 		$hestia_host = $rcmail->config->get("password_hestia_host");
 
@@ -25,45 +25,29 @@ function save($curpass, $passwd) {
 			"password" => $curpass,
 			"new" => $passwd,
 		];
-
-		$postdata = http_build_query($postvars);
-
-		$send = "POST /reset/mail/ HTTP/1.1" . PHP_EOL;
-		$send .= "Host: " . $hestia_host . PHP_EOL;
-		$send .= "User-Agent: PHP Script" . PHP_EOL;
-		$send .= "Content-length: " . strlen($postdata) . PHP_EOL;
-		$send .= "Content-type: application/x-www-form-urlencoded" . PHP_EOL;
-		$send .= "Connection: close" . PHP_EOL;
-		$send .= PHP_EOL;
-		$send .= $postdata . PHP_EOL . PHP_EOL;
-
-		//$fp = fsockopen('ssl://' . $hestia_host, $hestia_port);
-		$errno = "";
-		$errstr = "";
-		$context = stream_context_create();
-
-		$result = stream_context_set_option($context, "ssl", "verify_peer", false);
-		$result = stream_context_set_option($context, "ssl", "verify_peer_name", false);
-		$result = stream_context_set_option($context, "ssl", "verify_host", false);
-		$result = stream_context_set_option($context, "ssl", "allow_self_signed", true);
-
-		$fp = stream_socket_client(
-			"ssl://" . $hestia_host . ":" . $hestia_port,
-			$errno,
-			$errstr,
-			60,
-			STREAM_CLIENT_CONNECT,
-			$context,
-		);
-		fputs($fp, $send);
-		$result = fread($fp, 2048);
-		fclose($fp);
-
-		$fp = fopen("/tmp/roundcube.log", "w");
-		fwrite($fp, "test ok");
-		fwrite($fp, "\n");
-		fclose($fp);
-
+		$url = "https://{$hestia_host}:{$hestia_port}/reset/mail/";
+		$ch = curl_init();
+		if (
+			false ===
+			curl_setopt_array($ch, [
+				CURLOPT_URL => $url,
+				CURLOPT_RETURNTRANSFER => true,
+				CURLOPT_HEADER => true,
+				CURLOPT_POST => true,
+				CURLOPT_POSTFIELDS => http_build_query($postvars),
+				CURLOPT_USERAGENT => "Hestia Control Panel Password Driver",
+				CURLOPT_SSL_VERIFYPEER => false,
+				CURLOPT_SSL_VERIFYHOST => false,
+			])
+		) {
+			// should never happen
+			throw new Exception("curl_setopt_array() failed: " . curl_error($ch));
+		}
+		$result = curl_exec($ch);
+		if (curl_errno($ch) !== CURLE_OK) {
+			throw new Exception("curl_exec() failed: " . curl_error($ch));
+		}
+		curl_close($ch);
 		if (strpos($result, "ok") && !strpos($result, "error")) {
 			return PASSWORD_SUCCESS;
 		} else {
