From: ebullient Date: Wed, 8 Sep 2004 15:24:22 +0000 (+0000) Subject: updates to mysql backend in change_password plugin.. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=4165198dd11d9bae29e7784400bec7031b696403;p=squirrelmail.git updates to mysql backend in change_password plugin.. Different mechanism to override backend settings so that backend/.php doesn't have config stuff in it, and added support for MySQL password and UNIX crypt password encryption (like old mysql changepass plugin). git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@8042 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- diff --git a/ChangeLog b/ChangeLog index 456d85ad..e34b72c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -102,6 +102,8 @@ Version 1.5.1 -- CVS squirrelmail functions are assume English conversion rules. - Fixed problem that caused an error when deleting all messages on the last page of a paginated view (provides fix for #1014612) + - Added MySQL password/UNIX crypt support to mysql backend in the + change_password plugin Version 1.5.0 -------------------- diff --git a/plugins/change_password/README b/plugins/change_password/README index c3ea0793..778ef34c 100644 --- a/plugins/change_password/README +++ b/plugins/change_password/README @@ -15,7 +15,18 @@ Probably, you need to set some config vars in the backend too (backend/.php). BACKENDS -- +- mysql + + Default settings are supplied in backends/mysql.php. + + You do not have to change any configuration vars in + backend/mysql.php - instead, create an array in config.php + containing the variable you want to override, for example: + + To override the server name ($mysql_server), you would add + $mysql['server'] = 'remote_servername'; + to config.php. + - - diff --git a/plugins/change_password/backend/mysql.php b/plugins/change_password/backend/mysql.php index c2f50447..a9ff7a86 100644 --- a/plugins/change_password/backend/mysql.php +++ b/plugins/change_password/backend/mysql.php 
@@ -13,9 +13,10 @@ */ global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field, - $mysql_password_field, $mysql_manager_id, $mysql_manager_pw; + $mysql_password_field, $mysql_manager_id, $mysql_manager_pw, + $mysql_saslcrypt, $mysql_unixcrypt, $mysql; -// The MySQL Server +// Initialize defaults $mysql_server = 'localhost'; $mysql_database = 'email'; $mysql_table = 'users'; @@ -28,6 +29,18 @@ $mysql_password_field ='password'; $mysql_manager_id = 'email_admin'; $mysql_manager_pw = 'xxxxxxx'; +// saslcrypt checked first - if it is 1, UNIX crypt is not used. +$mysql_saslcrypt = 0; // use MySQL password() function +$mysql_unixcrypt = 0; // use UNIX crypt() function + +if ( isset($mysql) && is_array($mysql) && !empty($mysql) ) +{ + foreach ( $mysql as $key => $value ) + { + if ( isset(${'mysql_'.$key}) ) + ${'mysql_'.$key} = $value; + } +} // NO NEED TO CHANGE ANYTHING BELOW THIS LINE 
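Review bot: The override loop at the end of the second hunk reads `$mysql` from global scope, but this file never initialises it, so it is worth confirming that the array can only come from config.php. On an installation with register_globals enabled and no `$mysql` defined in config.php, request data could presumably populate it and replace `$mysql_server` or the table and field names that are later concatenated into SQL. An explicit allowlist of overridable keys would state the intent more clearly than `isset(${'mysql_'.$key})`, for example `if (in_array($key, array('server', 'database', 'table'), true))` extended to the full set of settings. A comment next to the two new flags should also say that with both `$mysql_saslcrypt` and `$mysql_unixcrypt` left at 0 the password is stored and compared in clear text.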
@@ -59,22 +72,32 @@ function cpw_mysql_dochange($data) $msgs = array(); global $mysql_server, $mysql_database, $mysql_table, $mysql_userid_field, - $mysql_password_field, $mysql_manager_id, $mysql_manager_pw; + $mysql_password_field, $mysql_manager_id, $mysql_manager_pw, + $mysql_saslcrypt, $mysql_unixcrypt; $ds = mysql_pconnect($mysql_server, $mysql_manager_id, $mysql_manager_pw); if (! $ds) { array_push($msgs, _("Cannot connect to Database Server, please try later!")); - return $msgs; + return $msgs; } if (!mysql_select_db($mysql_database, $ds)) { array_push($msgs, _("Database not found on server")); - return $msgs; + return $msgs; } $query_string = 'SELECT ' . $mysql_userid_field . ',' . $mysql_password_field . ' FROM ' . $mysql_table . ' WHERE ' . $mysql_userid_field . '="' . mysql_escape_string($username) .'"' - . ' AND ' . $mysql_password_field . '="' . mysql_escape_string($curpw) . '"'; + . ' AND ' . $mysql_password_field; + + if ($mysql_saslcrypt) { + $query_string .= '=password("'.mysql_escape_string($curpw).'")'; + } elseif ($mysql_unixcrypt) { + $query_string .= '=encrypt("'.mysql_escape_string($curpw).'", '.$mysql_password_field . ')'; + } else { + $query_string .= '="' . mysql_escape_string($curpw) . '"'; + } + $select_result = mysql_query($query_string, $ds); if (!$select_result) { array_push($msgs, _("SQL call failed, try again later.")); 
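Review bot: The three new branches that finish the SELECT escape the password with `mysql_escape_string()`, which does not take the connection's character set into account. Since `$ds` is already open at that point, `mysql_real_escape_string($curpw, $ds)` is the safer call, and the same goes for `$username`. `$mysql_table`, `$mysql_userid_field` and `$mysql_password_field` are concatenated as bare identifiers, and this commit makes them overridable through `$mysql`, so a comment stating that they must be trusted configuration values would be useful. The same escaping remark applies to the UPDATE built in the next hunk of `cpw_mysql_dochange`, whose body starts and ends outside both hunks.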
@@ -91,9 +114,17 @@ function cpw_mysql_dochange($data) return $msgs; } - $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field - . ' = "' . mysql_escape_string($cp_newpass) . '"' - . ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"'; + $update_string = 'UPDATE '. $mysql_table . ' SET ' . $mysql_password_field; + + if ($mysql_saslcrypt) { + $update_string .= '=password("'.mysql_escape_string($newpw).'")'; + } elseif ($mysql_unixcrypt) { + $update_string .= '=encrypt("'.mysql_escape_string($newpw).'", '.$mysql_password_field . ')'; + } else { + $update_string .= '="' . mysql_escape_string($newpw) . '"'; + } + $update_string .= ' WHERE ' . $mysql_userid_field . ' = "' . mysql_escape_string($username) . '"'; + if (!mysql_query($update_string, $ds)) { array_push($msgs, _("Password change was not successful!")); } diff --git a/plugins/change_password/functions.php b/plugins/change_password/functions.php index 123ed5d7..5272d6f7 100644 --- a/plugins/change_password/functions.php +++ b/plugins/change_password/functions.php @@ -33,11 +33,6 @@ function cpw_check_input() $msg = array(); - if(!$currentpw) { - $msg[] = _("You must type in your current password."); - } elseif($currentpw != OneTimePadDecrypt($key, $onetimepad)) { - $msg[] = _("Your current password is not correct."); - } if(!$newpw) { $msg[] = _("You must type in a new password."); } @@ -46,6 +41,15 @@ function cpw_check_input() } elseif ($verifypw != $newpw) { $msg[] = _("Your new password does not match the verify password."); } + + $orig_pw = OneTimePadDecrypt($key, $onetimepad); + + if(!$currentpw) { + $msg[] = _("You must type in your current password."); + } elseif ($currentpw != $orig_pw) { + $msg[] = _("Your current password is not correct."); + } + if($newpw && (strlen($newpw) < $cpw_pass_min_length || strlen($newpw) > $cpw_pass_max_length ) ) { $msg[] = sprintf(_("Your new password should be %s to %s characters long."), 
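Review bot: In the `$mysql_unixcrypt` branch of the UPDATE, `encrypt(..., $mysql_password_field)` passes the stored hash as the salt, so every new password reuses the old salt. That argument is needed when verifying in the SELECT but not here. Dropping it lets MySQL choose a fresh salt: `$update_string .= '=encrypt("'.mysql_escape_string($newpw).'")';`. MySQL's ENCRYPT() returns NULL where the system crypt() is unavailable, so it may be worth rejecting that configuration rather than writing NULL into the password column. The rest of `cpw_mysql_dochange` lies outside the hunk.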
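Review bot: The re-added current-password check in `cpw_check_input` compares with `!=`, which PHP evaluates numerically when both strings look like numbers, so two different numeric-looking strings can be treated as equal. `} elseif ($currentpw !== $orig_pw) {` or a `strcmp()` test avoids the coercion. The `$verifypw != $newpw` context line just above has the same property. The backend still checks the current password against the database, so the effect is presumably limited to this front-end validation. The function body extends beyond the hunk.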
@@ -85,9 +89,9 @@ function cpw_do_change() $msgs = do_hook_function('change_password_dochange', array ( 'username' => $username, - 'curpw' => $curpw, - 'newpw' => $newpw - ) ); + 'curpw' => $curpw, + 'newpw' => $newpw + ) ); /* something bad happened, return */ if(count($msgs) > 0) {