SF.net SVN: postfixadmin:[1397] trunk
From: <chr...@us...> - 2012-05-28 20:05:54
Revision: 1397 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1397&view=rev Author: christian_boltz Date: 2012-05-28 20:05:48 +0000 (Mon, 28 May 2012) Log Message: ----------- functions.inc.php: - pacrypt(): no longer escape_string() the result. This fixes https://sourceforge.net/tracker/index.php?func=detail&aid=3094804&group_id=191583&atid=937964 create-mailbox.php, password.php: - escape_string() the pacrypt() result login.php: - simplify code to require one query less (this also removes the need to escape_string() the password) I also checked the other files using pacrypt() - they don't need escaping or already do it. Modified Paths: -------------- trunk/create-mailbox.php trunk/functions.inc.php trunk/login.php trunk/password.php
Modified: trunk/create-mailbox.php
===================================================================
--- trunk/create-mailbox.php 2012-05-28 18:07:33 UTC (rev 1396)
+++ trunk/create-mailbox.php 2012-05-28 20:05:48 UTC (rev 1397)
@@ -139,7 +139,7 @@
 $tQuota = $fQuota;
 $tDomain = $fDomain;
 } else {
- $password = pacrypt ($fPassword);
+ $password = escape_string(pacrypt ($fPassword));
 if($CONF['maildir_name_hook'] != 'NO' && function_exists($CONF['maildir_name_hook'])) {
 $hook_func = $CONF['maildir_name_hook'];
Modified: trunk/functions.inc.php
===================================================================
--- trunk/functions.inc.php 2012-05-28 18:07:33 UTC (rev 1396)
+++ trunk/functions.inc.php 2012-05-28 20:05:48 UTC (rev 1397)
@@ -1184,7 +1184,6 @@
 die ('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
 }
- $password = escape_string ($password); # TODO: disable escaping - https://sourceforge.net/tracker/?func=detail&aid=3301752&group_id=191583&atid=937964
 return $password;
 }
Modified: trunk/login.php
===================================================================
--- trunk/login.php 2012-05-28 18:07:33 UTC (rev 1396)
+++ trunk/login.php 2012-05-28 20:05:48 UTC (rev 1397)
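Review bot: Escaping at the assignment, `$password = escape_string(pacrypt ($fPassword));`, leaves a SQL-escaped value in a general-purpose variable, so any later non-SQL use of `$password` in this branch (outside the hunk, if there is one) would see the escaped form; the password.php hunk at `@@ -79,7 +79,7 @@` has the same pattern. Escaping at the point of interpolation in the query that consumes it, e.g. `password='" . escape_string($password) . "'`, or moving that query to a prepared statement, keeps the raw hash in the variable and makes the escaping visible where it matters. At minimum a comment such as `# $password holds the SQL-escaped hash; only use it inside the query` would record the contract. The enclosing if/else block starts and ends outside the hunk.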
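Review bot: With `$password = escape_string ($password);` removed, pacrypt() now returns a raw hash, but nothing in the hunk records that callers now own the escaping; the function header (outside the hunk) should state it, e.g. `# Returns the hash WITHOUT SQL escaping; callers must escape_string() it or use a prepared statement before embedding it in a query`. Any caller that relied on the old implicit escaping and is not touched by this commit would now interpolate an unescaped value into SQL, so the commit message's statement that the other callers were checked is worth backing with a grep for `pacrypt` in the tree before merging. The body of pacrypt() starts outside the hunk.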
@@ -48,14 +48,13 @@
 # (language preference cookie is processed even if username and/or password are invalid)
 }
+ # TODO: move to AdminHandler->login
 $result = db_query ("SELECT password FROM $table_admin WHERE username='$fUsername' AND active='1'");
 if ($result['rows'] == 1)
 {
 $row = db_array ($result['result']);
- $password = pacrypt ($fPassword, $row['password']);
- $result = db_query ("SELECT * FROM $table_admin WHERE username='$fUsername' AND password='$password' AND active='1'");
- if ($result['rows'] != 1)
- {
+ $crypt_password = pacrypt ($fPassword, $row['password']);
+ if ($row['password'] != $crypt_password) {
 $error = 1;
 flash_error($PALANG['pLogin_failed']);
 }
Modified: trunk/password.php
===================================================================
--- trunk/password.php 2012-05-28 18:07:33 UTC (rev 1396)
+++ trunk/password.php 2012-05-28 20:05:48 UTC (rev 1397)
@@ -56,7 +56,7 @@
 if ($result['rows'] == 1)
 {
 $row = db_array ($result['result']);
- $checked_password = pacrypt ($fPassword_current, $row['password']);
+ $checked_password = escape_string(pacrypt ($fPassword_current, $row['password']));
 $result = db_query ("SELECT * FROM $table_admin WHERE username='$username' AND password='$checked_password'");
 if ($result['rows'] != 1)
@@ -79,7 +79,7 @@
 if ($error != 1)
 {
- $password = pacrypt ($fPassword);
+ $password = escape_string(pacrypt ($fPassword));
 $result = db_query ("UPDATE $table_admin SET password='$password',modified=NOW() WHERE username='$username'");
 if ($result['rows'] == 1)
 {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
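Review bot: The new check `if ($row['password'] != $crypt_password) {` is a loose comparison; PHP compares two numeric-looking strings numerically under `!=`, so two hashes of the form `0e` followed only by digits compare equal even though they differ, and the comparison should be strict: `if ($row['password'] !== $crypt_password) {`, or `if (!hash_equals($row['password'], $crypt_password)) {` on PHP 5.6 and later, which is also constant-time. Moving the check out of SQL into PHP also changes it from the column's collation (possibly case-insensitive) to a byte comparison, which is the safer direction and deserves a one-line comment on the `$crypt_password` line. The surrounding if/else and the function start outside the hunk.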
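Review bot: The current-password check in the `@@ -56,7 +56,7 @@` hunk still round-trips through SQL (`SELECT * FROM $table_admin WHERE username='$username' AND password='$checked_password'`), which is the only reason the new line needs `escape_string()`; login.php in this same commit already compares in PHP, and doing the same here would drop the extra query and the escaping: `$checked_password = pacrypt ($fPassword_current, $row['password']); if ($row['password'] !== $checked_password) {`. Comparing in the database also depends on the column's collation, which under a case-insensitive collation could accept a hash that differs only in letter case. `$username` is interpolated into the same query; presumably it is escaped before this hunk, since the start of the block is outside it.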