Merge pull request #32 from scarya/ticket852

Added support for encrypted passwords, refs #852

admin_customers.php

@@ -820,7 +820,8 @@ if($page == 'customers'
 					}
 
 					inserttask('1');
-					$result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', ENCRYPT('" . $db->escape($password) . "'), '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')");
+					$cryptPassword = makeCryptPassword($db->escape($password),1);
+					$result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')");
 					$result = $db->query("INSERT INTO `" . TABLE_FTP_GROUPS . "` " . "(`customerid`, `groupname`, `gid`, `members`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($guid) . "', '" . $db->escape($loginname) . "')");
 					$result = $db->query("INSERT INTO `" . TABLE_FTP_QUOTATALLIES . "` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES ('" . $db->escape($loginname) . "', 'user', '0', '0', '0', '0', '0', '0')");
 					$log->logAction(ADM_ACTION, LOG_NOTICE, "automatically added ftp-account for user '" . $loginname . "'");

customer_email.php

@@ -438,6 +438,9 @@ elseif($page == 'accounts')
 						{
 							$password = substr(md5(uniqid(microtime(), 1)), 12, 6);
 						}
+
+						$cryptPassword = makeCryptPassword($db->escape($password),1);
+
 						$email_user=substr($email_full,0,strrpos($email_full,"@"));
 						$email_domain=substr($email_full,strrpos($email_full,"@")+1);
 						$maildirname=trim($settings['system']['vmail_maildirname']);
@@ -452,7 +455,7 @@ elseif($page == 'accounts')
 							"'" . $db->escape($email_full) . "', ".
 							"'" . $db->escape($username) . "', " .
 							($settings['system']['mailpwcleartext'] == '1' ? "'" . $db->escape($password) . "', " : '') .
-							"ENCRYPT('" . $db->escape($password) . "'), ".
+							"'" . $db->escape($cryptPassword) . "', ".
 							"'" . $db->escape($settings['system']['vmail_homedir']) . "', '" . $db->escape($userinfo['loginname'] . '/' . $email_domain . "/" . $email_user . "/" . $maildirpath) . "', ".
 							"'" . (int)$settings['system']['vmail_uid'] . "', ".
 							"'" . (int)$settings['system']['vmail_gid'] . "', ".
@@ -461,6 +464,7 @@ elseif($page == 'accounts')
 							"'" . (int)$quota . "', ".
 							"'" . (int)$userinfo['imap'] . "', ".
 							"'" . (int)$userinfo['pop3'] . "')");
+
 						$popaccountid = $db->insert_id();
 						$result['destination'].= ' ' . $email_full;
 						$db->query("UPDATE `" . TABLE_MAIL_VIRTUAL . "` SET ".
@@ -584,7 +588,8 @@ elseif($page == 'accounts')
 				$password = validatePassword($password);
 				
 				$log->logAction(USR_ACTION, LOG_NOTICE, "changed email password for '" . $result['email_full'] . "'");
-				$result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'");
+				$cryptPassword = makeCryptPassword($db->escape($password),1);
+				$result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'");
 				redirectTo($filename, Array('page' => 'emails', 'action' => 'edit', 'id' => $id, 's' => $s));
 			}
 			else

customer_ftp.php

@@ -188,7 +188,8 @@ elseif($page == 'accounts')
 				{
 					$path = makeCorrectDir($userinfo['documentroot'] . '/' . $path);
 
-					$db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', ENCRYPT('" . $db->escape($password) . "'), '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')");
+					$cryptPassword = makeCryptPassword($db->escape($password),1);					
+					$db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')");
 					$result = $db->query("SELECT `bytes_in_used` FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = '" . $userinfo['loginname'] . "'");
 					while($row = $db->fetch_array($result))
 					{
@@ -311,11 +312,12 @@ elseif($page == 'accounts')
 					else
 					{
 						$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
-						$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
+						$cryptPassword = makeCryptPassword($db->escape($password),1);
+						$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
 						
 						// also update customers backup user password if password of main ftp user is changed
 						if(!preg_match('/' . $settings['customer']['ftpprefix'] . '/', $result['username'])){
-						    $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $result['username'] . "_backup'");
+						    $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $result['username'] . "_backup'");
 						}
 					}
 				}

customer_index.php

@@ -124,7 +124,8 @@ elseif($page == 'change_password')
 			if(isset($_POST['change_main_ftp'])
 			   && $_POST['change_main_ftp'] == 'true')
 			{
-				$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($new_password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'");
+				$cryptPassword = makeCryptPassword($db->escape($new_password),1);
+				$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'");
 				$log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password');
 			}
 

install/froxlor.sql

@@ -34,7 +34,7 @@ CREATE TABLE `ftp_users` (
   `username` varchar(255) NOT NULL default '',
   `uid` int(5) NOT NULL default '0',
   `gid` int(5) NOT NULL default '0',
-  `password` varchar(20) NOT NULL default '',
+  `password` varchar(128) NOT NULL default '',
   `homedir` varchar(255) NOT NULL default '',
   `shell` varchar(255) NOT NULL default '/bin/false',
   `login_enabled` enum('N','Y') NOT NULL default 'N',

install/updates/froxlor/0.9/update_0.9.inc.php

@@ -1911,6 +1911,9 @@ if(isFroxlorVersion('0.9.28-svn2')) {
 	showUpdateStep("Updating from 0.9.28-svn2 to 0.9.28-svn3");
 	lastStepStatus(0);
 	
+	// change lenght of passwd column
+	$db->query("ALTER TABLE `" . TABLE_FTP_USERS . "` MODIFY `password` varchar(128) NOT NULL default ''");
+	
 	// Add default setting for vmail_maildirname if not already in place
 	$handle = $db->query("SELECT `value` FROM `panel_settings` WHERE `settinggroup` = 'system' AND `varname` = 'vmail_maildirname';");
 	if ($db->num_rows($handle) < 1) {

lib/functions/system/function.makeCryptPassword.php

@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Michal Wojcik <m.wojcik@sonet3.pl>
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+/**
+ * Make crypted password from clear text password
+ * @param string Password to be crypted
+ * @param int Type of algorithm
+ * @return string encrypted password
+ *
+ * @author Michal Wojcik <m.wojcik@sonet3.pl>
+ *
+ * 0 - default crypt (depenend on system configuration)
+ * 1 - MD5 $1$
+ * 2 - BLOWFISH $2a$
+ * 3 - SHA-256 $5$
+ * 4 - SHA-512 $6$
+ */
+
+function makeCryptPassword ($password, $type = 0)
+{
+        switch($type)
+        {
+                case 0:
+			$cryptPassword = crypt($password);
+                        break;
+                case 1:
+			$cryptPassword = crypt($password, '$1$' . generatePassword().  generatePassword());
+                        break;
+                case 2:
+			$cryptPassword = crypt($password, '$2a$' . generatePassword().  generatePassword());
+                        break;
+                case 3:
+			$cryptPassword = crypt($password, '$5$' . generatePassword().  generatePassword());
+                        break;
+                case 4:
+			$cryptPassword = crypt($password, '$6$' . generatePassword().  generatePassword());
+                        break;
+                default:
+			$cryptPassword = crypt($password);
+                        break;
+        }
+
+	return ($cryptPassword);
+}