maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

don't db->escape the password for makeCryptPassword as its result is being db->escaped anyway; refs #852

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2013-04-14 11:56:01 +02:00
parent 1c0937f29b
commit 271e4a660b
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
admin_customers.php
View File

@@ -789,7 +789,7 @@ if($page == 'customers'
}
inserttask('1');
$cryptPassword = makeCryptPassword($db->escape($password),1);
$cryptPassword = makeCryptPassword($password ,1);
$result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')");
$result = $db->query("INSERT INTO `" . TABLE_FTP_GROUPS . "` " . "(`customerid`, `groupname`, `gid`, `members`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($guid) . "', '" . $db->escape($loginname) . "')");
$result = $db->query("INSERT INTO `" . TABLE_FTP_QUOTATALLIES . "` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES ('" . $db->escape($loginname) . "', 'user', '0', '0', '0', '0', '0', '0')");

4
customer_email.php
View File

@@ -458,7 +458,7 @@ elseif($page == 'accounts')
$password = substr(md5(uniqid(microtime(), 1)), 12, 6);
}
$cryptPassword = makeCryptPassword($db->escape($password),1);
$cryptPassword = makeCryptPassword($password, 1);
$email_user=substr($email_full,0,strrpos($email_full,"@"));
$email_domain=substr($email_full,strrpos($email_full,"@")+1);
@@ -607,7 +607,7 @@ elseif($page == 'accounts')
$password = validatePassword($password);
$log->logAction(USR_ACTION, LOG_NOTICE, "changed email password for '" . $result['email_full'] . "'");
$cryptPassword = makeCryptPassword($db->escape($password),1);
$cryptPassword = makeCryptPassword($password,1);
$result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'");
redirectTo($filename, Array('page' => 'emails', 'action' => 'edit', 'id' => $id, 's' => $s));
}

4
customer_ftp.php
View File

@@ -188,7 +188,7 @@ elseif($page == 'accounts')
{
$path = makeCorrectDir($userinfo['documentroot'] . '/' . $path);
$cryptPassword = makeCryptPassword($db->escape($password),1);
$cryptPassword = makeCryptPassword($password, 1);
$db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')");
$result = $db->query("SELECT `bytes_in_used` FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = '" . $userinfo['loginname'] . "'");
while($row = $db->fetch_array($result))
@@ -312,7 +312,7 @@ elseif($page == 'accounts')
else
{
$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
$cryptPassword = makeCryptPassword($db->escape($password),1);
$cryptPassword = makeCryptPassword($password, 1);
$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
// also update customers backup user password if password of main ftp user is changed

2
customer_index.php
View File

@@ -124,7 +124,7 @@ elseif($page == 'change_password')
if(isset($_POST['change_main_ftp'])
&& $_POST['change_main_ftp'] == 'true')
{
$cryptPassword = makeCryptPassword($db->escape($new_password),1);
$cryptPassword = makeCryptPassword($new_password, 1);
$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'");
$log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password');
}