do not allow to enable fcgid/fpm at the same time when both are set to 'yes' simultaneously in settings

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
generate only password that match our complexity-settings in customer_email.php; don't use md5() for the admin password in the installation process
2015-02-01 18:02:29 +01:00 · 2015-02-01 13:57:06 +01:00 · 2015-02-01 13:12:24 +01:00 · 2015-02-01 13:05:10 +01:00 · 2015-02-01 12:25:26 +01:00 · 2015-02-01 03:08:18 +01:00
16 changed files with 86 additions and 52 deletions
--- a/admin_admins.php
+++ b/admin_admins.php
@@ -372,7 +372,7 @@ if ($page == 'admins'
 				$ins_data = array(
 					'loginname' => $loginname,
-					'password' => md5($password),
+					'password' => makeCryptPassword($password),
 					'name' => $name,
 					'email' => $email,
 					'lang' => $def_language,
@@ -637,7 +637,7 @@ if ($page == 'admins'
 				} else {
 					if ($password != '') {
 						$password = validatePassword($password);
-						$password = md5($password);
+						$password = makeCryptPassword($password);
 					} else {
 						$password = $result['password'];
 					}
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -645,7 +645,7 @@ if ($page == 'customers'
 					$ins_data = array(
 						'adminid' => $userinfo['adminid'],
 						'loginname' => $loginname,
-						'passwd' => md5($password),
+						'passwd' => makeCryptPassword($password),
 						'name' => $name,
 						'firstname' => $firstname,
 						'gender' => $gender,
@@ -1215,7 +1215,7 @@ if ($page == 'customers'
 					if ($password != '') {
 						$password = validatePassword($password);
-						$password = md5($password);
+						$password = makeCryptPassword($password);
 					} else {
 						$password = $result['password'];
 					}
--- a/admin_index.php
+++ b/admin_index.php
@@ -199,7 +199,7 @@ if ($page == 'overview') {
 	) {
 		$old_password = validate($_POST['old_password'], 'old password');
-		if (md5($old_password) != $userinfo['password']) {
+		if (!validatePasswordLogin($userinfo,$old_password,TABLE_PANEL_ADMINS,'adminid')) {
 			standard_error('oldpasswordnotcorrect');
 			exit;
 		}
@@ -219,13 +219,11 @@ if ($page == 'overview') {
 			$chgpwd_stmt = Database::prepare("
 				UPDATE `" . TABLE_PANEL_ADMINS . "`
 				SET `password`= :newpasswd
-				WHERE `adminid`= :adminid
+				WHERE `adminid`= :adminid"
 				AND `password`= :oldpasswd"
 			);
 			Database::pexecute($chgpwd_stmt, array(
-				'newpasswd' => md5($new_password),
+				'newpasswd' => makeCryptPassword($new_password),
-				'adminid' => (int)$userinfo['adminid'],
+				'adminid' => (int)$userinfo['adminid']
 				'oldpasswd' => md5($old_password)
 			));
 			$log->logAction(ADM_ACTION, LOG_NOTICE, 'changed password');
 			redirectTo($filename, Array('s' => $s));
--- a/customer_email.php
+++ b/customer_email.php
@@ -451,7 +451,7 @@ if ($page == 'overview') {
 						standard_error('passwordshouldnotbeusername');
 					} else {
 						if ($password == '') {
-							$password = substr(md5(uniqid(microtime(), 1)), 12, 6);
+							$password = generatePassword();
 						}
 						$cryptPassword = makeCryptPassword($password);
--- a/customer_index.php
+++ b/customer_index.php
@@ -99,7 +99,7 @@ if ($page == 'overview') {
 } elseif ($page == 'change_password') {
 	if (isset($_POST['send']) && $_POST['send'] == 'send') {
 		$old_password = validate($_POST['old_password'], 'old password');
-		if (md5($old_password) != $userinfo['password']) {
+		if (!validatePasswordLogin($userinfo,$old_password,TABLE_PANEL_CUSTOMERS,'customerid')) {
 			standard_error('oldpasswordnotcorrect');
 			exit;
 		}
@@ -119,13 +119,11 @@ if ($page == 'overview') {
 			// Update user password
 			$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`
 				SET `password` = :newpassword
-				WHERE `customerid` = :customerid
+				WHERE `customerid` = :customerid"
 				AND `password` = :oldpassword"
 			);
 			$params = array(
-				"newpassword" => md5($new_password),
+				"newpassword" => makeCryptPassword($new_password),
-				"customerid" => $userinfo['customerid'],
+				"customerid" => $userinfo['customerid']
 				"oldpassword" => md5($old_password)
 			);
 			Database::pexecute($stmt, $params);
 			$log->logAction(USR_ACTION, LOG_NOTICE, 'changed password');
--- a/index.php
+++ b/index.php
@@ -511,7 +511,7 @@ if ($action == 'resetpwd') {
 								WHERE `customerid` = :userid"
 							);
 						}
-						Database::pexecute($stmt, array("newpassword" => md5($new_password), "userid" => $result['userid']));
+						Database::pexecute($stmt, array("newpassword" => makeCryptPassword($new_password), "userid" => $result['userid']));
 						$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'));
 						$rstlog->logAction(USR_ACTION, LOG_NOTICE, "changed password using password reset.");
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -538,7 +538,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('panel', 'password_numeric', '0'),
 	('panel', 'password_special_char_required', '0'),
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
-	('panel', 'version', '0.9.33-rc2');
+	('panel', 'version', '0.9.33-rc3');
 DROP TABLE IF EXISTS `panel_tasks`;
--- a/install/lib/class.FroxlorInstall.php
+++ b/install/lib/class.FroxlorInstall.php
@@ -372,7 +372,8 @@ class FroxlorInstall {
 		$content .= $this->_status_message('begin', $this->_lng['install']['adding_admin_user']);
 		$ins_data = array(
 				'loginname' => $this->_data['admin_user'],
-				'password' => md5($this->_data['admin_pass1']),
+				/* use SHA256 default crypt */
 				'password' => crypt($this->_data['admin_pass1'], '$5$'. md5(uniqid(microtime(), 1)) . md5(uniqid(microtime(), 1))),
 				'email' => 'admin@' . $this->_data['servername'],
 				'deflang' => $this->_languages[$this->_activelng]
 		);
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -2876,3 +2876,11 @@ if (isFroxlorVersion('0.9.33-rc1')) {
 	updateToVersion('0.9.33-rc2');
 }
 if (isFroxlorVersion('0.9.33-rc2')) {
 	showUpdateStep("Updating from 0.9.33-rc2 to 0.9.33-rc3");
 	lastStepStatus(0);
 	updateToVersion('0.9.33-rc3');
 }
--- a/lib/functions/validate/function.checkFcgidPhpFpm.php
+++ b/lib/functions/validate/function.checkFcgidPhpFpm.php
@@ -14,25 +14,49 @@
 * @package    Functions
 *
 */
-
+function checkFcgidPhpFpm($fieldname, $fielddata, $newfieldvalue, $allnewfieldvalues)
-function checkFcgidPhpFpm($fieldname, $fielddata, $newfieldvalue, $allnewfieldvalues) {
+{
-
+    $returnvalue = array(
-	$returnvalue = array(FORMFIELDS_PLAUSIBILITY_CHECK_OK);
+        FORMFIELDS_PLAUSIBILITY_CHECK_OK
-
+    );
-	// check whether fcgid should be enabled but php-fpm is
+    
-	if($fieldname == 'system_mod_fcgid_enabled'
+    $check_array = array(
-		&& (int)$newfieldvalue == 1
+        'system_mod_fcgid_enabled' => array(
-		&& (int)Settings::Get('phpfpm.enabled') == 1
+            'other_post_field' => 'system_phpfpm_enabled',
-	) {
+            'other_enabled' => 'phpfpm.enabled',
-		$returnvalue = array(FORMFIELDS_PLAUSIBILITY_CHECK_ERROR, 'phpfpmstillenabled');
+            'other_enabled_lng' => 'phpfpmstillenabled'
-	}
+        ),
-	// check whether php-fpm should be enabled but fcgid is
+        'system_phpfpm_enabled' => array(
-	elseif($fieldname == 'system_phpfpm_enabled'
+            'other_post_field' => 'system_mod_fcgid_enabled',
-		&& (int)$newfieldvalue == 1
+            'other_enabled' => 'system.mod_fcgid',
-		&& (int)Settings::Get('system.mod_fcgid') == 1
+            'other_enabled_lng' => 'fcgidstillenabled'
-	) {
+        )
-		$returnvalue = array(FORMFIELDS_PLAUSIBILITY_CHECK_ERROR, 'fcgidstillenabled');
+    );
-	}
+    
-
+    // interface is to be enabled
-	return $returnvalue;
+    if ((int) $newfieldvalue == 1) {
        // check for POST value of the other field == 1 (active)
        if (isset($_POST[$check_array[$fieldname]['other_post_field']]) && (int) $_POST[$check_array[$fieldname]['other_post_field']] == 1) {
            // the other interface is activated already and STAYS activated
            if ((int) Settings::Get($check_array[$fieldname]['other_enabled']) == 1) {
                $returnvalue = array(
                    FORMFIELDS_PLAUSIBILITY_CHECK_ERROR,
                    $check_array[$fieldname]['other_enabled_lng']
                );
            } else {
                // fcgid is being validated before fpm -> "ask" fpm about its state
                if ($fieldname == 'system_mod_fcgid_enabled') {
                    $returnvalue = checkFcgidPhpFpm('system_phpfpm_enabled', null, $check_array[$fieldname]['other_post_field'], null);
                } else {
                    // not, bot are nogo
                    $returnvalue = $returnvalue = array(
                        FORMFIELDS_PLAUSIBILITY_CHECK_ERROR,
                        'fcgidandphpfpmnogoodtogether'
                    );
                }
            }
        }
    }
    return $returnvalue;
 }
--- a/lib/functions/validate/function.validatePasswordLogin.php
+++ b/lib/functions/validate/function.validatePasswordLogin.php
@@ -60,19 +60,20 @@ function validatePasswordLogin($userinfo = null, $password = null, $table = 'pan
 		}
 	}
-	// check for update of hash
+	if ($pwd_hash == $pwd_check) {
-	if ($update_hash) {
+
-		$upd_stmt = Database::prepare("
+		// check for update of hash
-			UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
+		if ($update_hash) {
-		");
+			$upd_stmt = Database::prepare("
-		$params = array (
+				UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
 			");
 			$params = array (
 				'newpasswd' => makeCryptPassword($password),
 				'uid' => $userinfo[$uid]
-		);
+			);
-		Database::pexecute($upd_stmt, $params);
+			Database::pexecute($upd_stmt, $params);
-	}
+		}
 	if ($pwd_hash == $pwd_check) {
 		return true;
 	}
 	return false;
--- a/lib/tables.inc.php
+++ b/lib/tables.inc.php
@@ -51,6 +51,6 @@ define('TABLE_PANEL_DOMAIN_SSL_SETTINGS', 'domain_ssl_settings');
 define('TABLE_DOMAINTOIP', 'panel_domaintoip');
 // VERSION INFO
-$version = '0.9.33-rc2';
+$version = '0.9.33-rc3';
 $dbversion = '2';
 $branding = '';
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1838,3 +1838,4 @@ $lng['usersettings']['custom_notes']['description'] = 'Feel free to put any note
 $lng['usersettings']['custom_notes']['show'] = 'Show your notes on the dashboard of the user';
 $lng['serversettings']['system_send_cron_errors']['title'] = 'Send cron-errors to froxlor-admin via e-mail';
 $lng['serversettings']['system_send_cron_errors']['description'] = 'Chose whether you want to receive an e-mail on cronjob errors. Keep in mind that this can lead to an e-mail being sent every 5 minutes depending on the error and your cronjob settings.';
 $lng['error']['fcgidandphpfpmnogoodtogether'] = 'FCGID and PHP-FPM cannot be activated at the same time';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1565,3 +1565,4 @@ $lng['usersettings']['custom_notes']['description'] = 'Hier können Notizen je n
 $lng['usersettings']['custom_notes']['show'] = 'Zeige die Notizen auf dem Dashboard des Benutzers';
 $lng['serversettings']['system_send_cron_errors']['title'] = 'Sende Cron-Fehler via E-Mail an den Froxlor-Admin';
 $lng['serversettings']['system_send_cron_errors']['description'] = 'Gib an, ob bei einem Cron-Fehler eine E-Mail versendet werden soll. Beachte das es je nach Fehler und Cronjob-Einstellungen dazu kommen kann, dass diese E-Mail alle 5 Minuten gesendet wird.';
 $lng['error']['fcgidandphpfpmnogoodtogether'] = 'FCGID und PHP-FPM können nicht gleichzeitig aktiviert werden.';
--- a/templates/misc/configfiles/ubuntu_precise/postfix_dovecot/etc_postfix_main.cf
+++ b/templates/misc/configfiles/ubuntu_precise/postfix_dovecot/etc_postfix_main.cf
@@ -50,6 +50,7 @@ smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 ## Dovecot Settings for deliver, SASL Auth and virtual transport
 smtpd_sasl_type = dovecot
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
 smtpd_sasl_path = private/dovecot-auth
--- a/templates/misc/configfiles/ubuntu_trusty/postfix_dovecot/etc_postfix_main.cf
+++ b/templates/misc/configfiles/ubuntu_trusty/postfix_dovecot/etc_postfix_main.cf
@@ -50,6 +50,7 @@ smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 ## Dovecot Settings for deliver, SASL Auth and virtual transport
 smtpd_sasl_type = dovecot
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
 smtpd_sasl_path = private/dovecot-auth
Author	SHA1	Message	Date
Michael Kaufmann (d00p)	f4dff676d6	do not allow to enable fcgid/fpm at the same time when both are set to 'yes' simultaneously in settings Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>	2015-02-01 18:02:29 +01:00
Michael Kaufmann (d00p)	77ae3aa387	generate only password that match our complexity-settings in customer_email.php; don't use md5() for the admin password in the installation process Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>	2015-02-01 13:57:06 +01:00
Michael Kaufmann (d00p)	99bed23b95	another md5() leftover Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>	2015-02-01 13:12:24 +01:00
Michael Kaufmann	5b012a33c3	Merge pull request #226 from RipClaw2971/bug_1482 use new password-hashes everywhere, fixes #1482	2015-02-01 13:05:10 +01:00
Andreas Grundler	28f26cce72	fix for bug #1482	2015-02-01 12:25:26 +01:00
Robert Förster (Dessa)	23b091ea82	add virtual_transport parameter which i somehow missed in my last commit, refs #1465	2015-02-01 03:08:18 +01:00
Michael Kaufmann (d00p)	e92b5e2c05	set version to 0.9.33-rc3 due to the password-hash-update-issue Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>	2015-01-31 12:54:00 +01:00
Michael Kaufmann (d00p)	4d60b19194	only update hash if password matches, fixes #1479 Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>	2015-01-31 12:51:20 +01:00