From d6297d17c324fc4c48517b42a3decebfad8c440f Mon Sep 17 00:00:00 2001 From: Phoenix Eve Aspacio Date: Sat, 11 Feb 2017 13:20:04 +0800 Subject: [PATCH] Improved Autodiscover This update is for security purposes. --- data/web/autodiscover.php | 196 +++++++++++++++++++++----------------- 1 file changed, 106 insertions(+), 90 deletions(-) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index a503b80cc..5f9025e86 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -1,6 +1,4 @@ 'yes', 'autodiscoverType' => 'activesync', @@ -15,22 +13,43 @@ $config = array( 'ssl' => 'on' ), 'activesync' => array( - 'url' => 'https://' . $mailcow_hostname . '/Microsoft-Server-ActiveSync' + 'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync' ) ); -// If useEASforOutlook == no, the autodiscoverType option will be replaced to imap. + +/* ---------- DO NOT MODIFY ANYTHING BEYOND THIS LINE. IGNORE AT YOUR OWN RISK. ---------- */ + if ($config['useEASforOutlook'] == 'no') { if (strpos($_SERVER['HTTP_USER_AGENT'], 'Outlook')) { $config['autodiscoverType'] = 'imap'; } } -// Workaround for short open tags -echo ''; -?> - - PDO::ERRMODE_EXCEPTION, + PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, + PDO::ATTR_EMULATE_PREPARES => false, +]; +$pdo = new PDO($dsn, $database_user, $database_pass, $opt); +$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER'])); +$as = check_login($login_user, $_SERVER['PHP_AUTH_PW']); + +if (!isset($_SERVER['PHP_AUTH_USER']) OR $as !== "user") { + header('WWW-Authenticate: Basic realm=""'); + header('HTTP/1.0 401 Unauthorized'); + exit; +} else { + if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { + if ($as === "user") { + header("Content-Type: application/xml"); + echo ''; + + $data = trim(file_get_contents("php://input")); + if(!$data) { list($usec, $sec) = explode(' ', microtime()); echo ''; echo ''; 
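Review bot: In the `@@ -15,22 +13,43 @@` hunk the new code calls `check_login($login_user, $_SERVER['PHP_AUTH_PW'])` before it checks that `PHP_AUTH_USER`/`PHP_AUTH_PW` are present, so an unauthenticated request reaches `check_login` (and `trim(null)`) with missing credentials before the 401 branch runs; move the `isset` test ahead of the `strtolower(trim(...))` and `check_login` lines, e.g. `if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { header('WWW-Authenticate: Basic realm=""'); header('HTTP/1.0 401 Unauthorized'); exit; }` and only then compute `$as`. The gate also never binds the rest of the request to the authenticated identity: `$login_user` is computed here, but in the following hunk the mailbox lookup and the generated settings use `$email` taken from the request body's `Request->EMailAddress`, so any valid mailbox user appears able to fetch another mailbox's display name; compare `strtolower(trim((string)$email))` with `$login_user` and reject on mismatch, or use `$login_user` for the lookup. The body is then parsed with `new SimpleXMLElement($data)` with no `libxml_disable_entity_loader(true)` or `LIBXML_NONET`, which on PHP releases of this era leaves external entity loading at libxml's default for an authenticated caller — worth disabling explicitly unless the runtime already does. The `if (isset(...))` / `if ($as === "user")` nesting inside the `else` branch re-tests what the 401 guard already established and can be flattened. The `else` block opened in this hunk closes outside it.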
@@ -38,84 +57,81 @@ if(!$data) { echo ''; echo ''; exit(0); -} + } + $discover = new SimpleXMLElement($data); + $email = $discover->Request->EMailAddress; -$discover = new SimpleXMLElement($data); -$email = $discover->Request->EMailAddress; - -if ($config['autodiscoverType'] == 'imap') { -?> - - - email - settings - - IMAP - - - off - - off - - on - - - SMTP - - - off - - off - - on - on - off - - - - PDO::ERRMODE_EXCEPTION, - PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, - PDO::ATTR_EMULATE_PREPARES => false, - ]; - $pdo = new PDO($dsn, $database_user, $database_pass, $opt); - $username = trim($email); - try { - $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); - $stmt->execute(array(':username' => $username)); - $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); - } - catch(PDOException $e) { - die("Failed to determine name from SQL"); - } - if (!empty($MailboxData['name'])) { - $displayname = utf8_encode($MailboxData['name']); - } - else { - $displayname = $email; - } -?> - - en:en - - - - - - - - MobileSync - - - - - - - + if ($config['autodiscoverType'] == 'imap') { + ?> + + + email + settings + + IMAP + + + off + + off + + on + + + SMTP + + + off + + off + + on + on + off + + + + prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); + $stmt->execute(array(':username' => $username)); + $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); + } + catch(PDOException $e) { + die("Failed to determine name from SQL"); + } + if (!empty($MailboxData['name'])) { + $displayname = utf8_encode($MailboxData['name']); + } + else { + $displayname = $email; + } + ?> + + en:en + + + + + + + + MobileSync + + + + + + + +