functions.inc.php:

- handle dovecot passwords without any tempfile (to prevent safe_mode issues) Changed based on a patch from Aleksandr @SF, https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2890471&group_id=191583 git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@752 a1433add-5e2c-0410-b055-b7f2511e0802
2026-01-03 17:02:30 +03:00 · 2009-11-02 18:46:48 +00:00
parent 6220b6d85c
commit 188aa2bd5c
1 changed files with 18 additions and 10 deletions
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1199,22 +1199,30 @@ function pacrypt ($pw, $pw_db="")
        $dovecotpw = "dovecotpw";
        if (!empty($CONF['dovecotpw'])) $dovecotpw = $CONF['dovecotpw'];

-        // prevent showing plain password in process table
-        $prefix = "postfixadmin-";
-        $tmpfile = tempnam('/tmp', $prefix);
-        $pipe = popen("'$dovecotpw' -s '$method' > '$tmpfile'", 'w'); # TODO: replace tempfile usage with proc_open call
+        # Use proc_open call to avoid safe_mode problems and to prevent showing plain password in process table
+        $spec = array(
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w") // stdout
+        );
+
+        $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);

        if (!$pipe) {
-            unlink($tmpfile);
+            die("can't proc_open $dovecotpw");
        } else {
            // use dovecot's stdin, it uses getpass() twice
-            fwrite($pipe, $pw . "\n", 1+strlen($pw)); usleep(1000);
-            fwrite($pipe, $pw . "\n", 1+strlen($pw));
-            pclose($pipe);
-            $password = file_get_contents($tmpfile);
+            // Write pass in pipe stdin
+            fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
+            fwrite($pipes[0], $pw . "\n", 1+strlen($pw));
+            fclose($pipes[0]);
+
+            // Read hash from pipe stdout
+            $password = fread($pipes[1], "200");
+    		fclose($pipes[1]);
+            proc_close($pipe);
+
            if ( !preg_match('/^\{' . $method . '\}/', $password)) { die("can't encrypt password with dovecotpw"); }
            $password = trim(str_replace('{' . $method . '}', '', $password));
-            unlink($tmpfile);
        }
    }