diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 97f97a421..15c3b0b9e 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -834,7 +834,7 @@ function update_sogo_static_view($mailbox = null) { // Check if the mailbox exists $stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'"); $stmt->execute(array(':mailbox' => $mailbox)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); + $row = $stmt->fetch(PDO::FETCH_ASSOC); if ($row){ $mailbox_exists = true; } @@ -844,7 +844,7 @@ function update_sogo_static_view($mailbox = null) { $random_password = base64_encode(openssl_random_pseudo_bytes(24)); $random_salt = base64_encode(openssl_random_pseudo_bytes(16)); $random_hash = '{SSHA256}' . base64_encode(hash('sha256', base64_decode($password) . $salt, true) . $salt); - + $subquery = "GROUP BY mailbox.username"; if ($mailbox_exists) { $subquery = "AND mailbox.username = :mailbox"; @@ -882,7 +882,7 @@ function update_sogo_static_view($mailbox = null) { `kind` = VALUES(`kind`), `multiple_bookings` = VALUES(`multiple_bookings`)"; - + if ($mailbox_exists) { $stmt = $pdo->prepare($query); $stmt->execute(array( @@ -895,9 +895,9 @@ function update_sogo_static_view($mailbox = null) { ':random_hash' => $random_hash )); } - + $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');"); - + flush_memcached(); } function edit_user_account($_data) { @@ -930,7 +930,7 @@ function edit_user_account($_data) { AND `username` = :user AND authsource = 'mailcow'"); $stmt->execute(array(':user' => $username)); $row = $stmt->fetch(PDO::FETCH_ASSOC); - + if (!verify_hash($row['password'], $password_old)) { $_SESSION['return'][] = array( 'type' => 'danger', 
@@ -939,7 +939,7 @@ function edit_user_account($_data) { ); return false; } - + $password_new = $_data['user_new_pass']; $password_new2 = $_data['user_new_pass2']; if (password_check($password_new, $password_new2) !== true) { @@ -954,7 +954,7 @@ function edit_user_account($_data) { ':password_hashed' => $password_hashed, ':username' => $username )); - + update_sogo_static_view(); } // edit password recovery email @@ -1210,7 +1210,7 @@ function set_tfa($_data) { $_data['registration']->certificate, 0 )); - + $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_data_log), @@ -1380,7 +1380,7 @@ function unset_tfa_key($_data) { try { if (!is_numeric($id)) $access_denied = true; - + // set access_denied error if ($access_denied){ $_SESSION['return'][] = array( @@ -1389,7 +1389,7 @@ function unset_tfa_key($_data) { 'msg' => 'access_denied' ); return false; - } + } // check if it's last key $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa` @@ -1438,7 +1438,7 @@ function get_tfa($username = null, $id = null) { WHERE `username` = :username AND `active` = '1'"); $stmt->execute(array(':username' => $username)); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); - + // no tfa methods found if (count($results) == 0) { $data['name'] = 'none'; @@ -1646,8 +1646,8 @@ function verify_tfa_login($username, $_data) { 'msg' => array('webauthn_authenticator_failed') ); return false; - } - + } + if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -2009,7 +2009,7 @@ function cors($action, $data = null) { 'msg' => 'access_denied' ); return false; - } + } $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']); $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins; 
@@ -2042,7 +2042,7 @@ function cors($action, $data = null) { $redis->hMSet('CORS_SETTINGS', array( 'allowed_origins' => implode(', ', $allowed_origins), 'allowed_methods' => implode(', ', $allowed_methods) - )); + )); } catch (RedisException $e) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -2094,10 +2094,10 @@ function cors($action, $data = null) { header('Access-Control-Allow-Headers: Accept, Content-Type, X-Api-Key, Origin'); // Access-Control settings requested, this is just a preflight request - if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && + if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) { - + $allowed_methods = explode(', ', $cors_settings["allowed_methods"]); if (in_array($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], $allowed_methods, true)) // method allowed send 200 OK @@ -2216,7 +2216,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $stmt = $pdo->prepare("SELECT * FROM `mailbox` WHERE `authsource` != 'mailcow' AND `authsource` IS NOT NULL - AND `authsource` != :authsource"); + AND `authsource` != :authsource"); $stmt->execute(array(':authsource' => $_data['authsource'])); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); if ($rows) { 
@@ -2247,7 +2247,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { break; case "ldap": $_data['port'] = (!empty($_data['port'])) ? intval($_data['port']) : 389; - $_data['username_field'] = (!empty($_data['username_field'])) ? $_data['username_field'] : "mail"; + $_data['username_field'] = (!empty($_data['username_field'])) ? strtolower($_data['username_field']) : "mail"; + $_data['attribute_field'] = (!empty($_data['attribute_field'])) ? strtolower($_data['attribute_field']) : ""; $_data['filter'] = (!empty($_data['filter'])) ? $_data['filter'] : ""; $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; @@ -2259,7 +2260,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error'); break; } - + $pdo->beginTransaction(); $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); // add connection settings @@ -2343,7 +2344,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $res = curl_exec($curl); $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); curl_close ($curl); - + if ($code != 200) { return false; } @@ -2391,7 +2392,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { ); return false; } - + $stmt = $pdo->query("SELECT * FROM `mailbox` WHERE `authsource` != 'mailcow' AND `authsource` IS NOT NULL"); 
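Review bot: In the `case "ldap":` hunk, strtolower() on `username_field` and the new `attribute_field` only normalises case; it does not validate either value, and both are admin-supplied strings that the `$required_settings` list in the next hunk shows being treated as LDAP connection settings before the `INSERT INTO identity_provider`. If they are later spliced into an LDAP search filter or attribute list (not visible in this hunk), a value containing `(`, `)`, `*`, `\` or a NUL byte would still pass this branch unchanged. Since LDAP attribute descriptors are limited to an ASCII name or a dotted OID, I would reject anything else before saving, e.g. `if (!preg_match('/^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$/', $_data['username_field'])) { return false; }` with the same check on `attribute_field` whenever it is non-empty. Note that `attribute_field` now defaults to `""` while still appearing in `$required_settings`, so whether an empty value is accepted depends on the required-settings check outside this hunk; the enclosing identity_provider() starts and ends outside the hunk.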
@@ -2428,7 +2429,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { 'clientId' => $iam_settings['client_id'], 'clientSecret' => $iam_settings['client_secret'], 'redirectUri' => $iam_settings['redirect_url'], - 'version' => $iam_settings['version'], + 'version' => $iam_settings['version'], // 'encryptionAlgorithm' => 'RS256', // optional // 'encryptionKeyPath' => '../key.pem' // optional // 'encryptionKey' => 'contents_of_key_or_certificate' // optional @@ -2488,7 +2489,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { ); return false; } - + try { $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); $_SESSION['iam_token'] = $token->getToken(); @@ -2504,7 +2505,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { } // check if email address is given if (empty($info['email'])) return false; - + // token valid, get mailbox $stmt = $pdo->prepare("SELECT * FROM `mailbox` INNER JOIN domain on mailbox.domain = domain.domain @@ -2530,7 +2531,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { // also return false if no mappers were defined $user_template = $info['mailcow_template']; if (empty($iam_settings['mappers']) || empty($user_template)){ - clear_session(); + clear_session(); $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $info['email']), @@ -2542,7 +2543,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { // check if matching attribute exist $mapper_key = array_search($user_template, $iam_settings['mappers']); if ($mapper_key === false) { - clear_session(); + clear_session(); $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $info['email']), 
@@ -2560,7 +2561,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { 'template' => $iam_settings['templates'][$mapper_key] )); if (!$create_res){ - clear_session(); + clear_session(); $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $info['email']), @@ -2568,7 +2569,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { ); return false; } - + set_user_loggedin_session($info['email']); $_SESSION['return'][] = array( 'type' => 'success', @@ -2586,7 +2587,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $_SESSION['iam_refresh_token'] = $token->getRefreshToken(); $info = $provider->getResourceOwner($token)->toArray(); } catch (Throwable $e) { - clear_session(); + clear_session(); $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__), @@ -2596,7 +2597,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { } if (empty($info['email'])){ - clear_session(); + clear_session(); $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), @@ -2604,14 +2605,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { ); return false; } - + $_SESSION['mailcow_cc_username'] = $info['email']; $_SESSION['mailcow_cc_role'] = "user"; return true; break; case "get-redirect": $iam_settings = identity_provider('get'); - if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') + if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') return false; $provider = $_data['iam_provider']; $authUrl = $provider->getAuthorizationUrl(); 
@@ -2667,7 +2668,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { if ($code != 200) { return false; } - + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); $stmt->execute(array( ':key' => 'access_token', @@ -2702,7 +2703,7 @@ function reset_password($action, $data = null) { break; case 'issue': $username = $data; - + // perform cleanup $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE created < DATE_SUB(NOW(), INTERVAL :lifetime MINUTE);"); $stmt->execute(array(':lifetime' => $PW_RESET_TOKEN_LIFETIME)); @@ -2784,8 +2785,8 @@ function reset_password($action, $data = null) { $request_date = new DateTime(); $locale_date = locale_get_default(); $date_formatter = new IntlDateFormatter( - $locale_date, - IntlDateFormatter::FULL, + $locale_date, + IntlDateFormatter::FULL, IntlDateFormatter::FULL ); $formatted_request_date = $date_formatter->format($request_date); @@ -2901,7 +2902,7 @@ function reset_password($action, $data = null) { $stmt->execute(array( ':username' => $username )); - + $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $action, $_data_log), @@ -2944,7 +2945,7 @@ function reset_password($action, $data = null) { $text = $data['text']; $html = $data['html']; $subject = $data['subject']; - + if (!filter_var($from, FILTER_VALIDATE_EMAIL)) { $_SESSION['return'][] = array( 'type' => 'danger', @@ -2977,7 +2978,7 @@ function reset_password($action, $data = null) { ); return false; } - + ini_set('max_execution_time', 0); ini_set('max_input_time', 0); $mail = new PHPMailer; @@ -3009,7 +3010,7 @@ function reset_password($action, $data = null) { return false; } $mail->ClearAllRecipients(); - + return true; break; }