lib/kolab_sync.php
Aleksander Machniak
machniak at kolabsys.com
Thu Feb 27 13:57:43 CET 2014
lib/kolab_sync.php | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
New commits:
commit d557cfc61053b189d7c6f458dd8c764c7324c53d
Author: Aleksander Machniak <machniak at kolabsys.com>
Date: Thu Feb 27 13:56:20 2014 +0100
Do not use user password to build authentication cache key. Use sha1() instead of md5().
This way it's more secure. Also, a password change does not invalidate the cached
username/host, so there was no real need to include the password there.
diff --git a/lib/kolab_sync.php b/lib/kolab_sync.php
index 740d6d3..fba0eb2 100644
--- a/lib/kolab_sync.php
+++ b/lib/kolab_sync.php
@@ -174,21 +174,19 @@ class kolab_sync extends rcube
{
// use shared cache for kolab_auth plugin result (username canonification)
$cache = $this->get_cache_shared('activesync_auth');
- $cache_key = md5($username . '::' . $password);
+ $cache_key = sha1($username);
if (!$cache || !($auth = $cache->get($cache_key))) {
$auth = $this->plugins->exec_hook('authenticate', array(
'host' => $this->select_host($username),
'user' => $username,
'pass' => $password,
- 'valid' => true,
));
- if ($auth['valid'] && $cache) {
+ if (!$auth['abort'] && $cache) {
$cache->set($cache_key, array(
'user' => $auth['user'],
'host' => $auth['host'],
- 'valid' => $auth['valid'],
));
}
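Review bot: The `$cache->set($cache_key, ...)` call runs as soon as the authenticate hook does not abort, which is before `login()` has verified the password. With the key now `sha1($username)`, that entry is reused by every later request for the same username, whatever password is sent. If any authenticate plugin can return a `user`/`host` that depends on the submitted password or other per-request state, a failed attempt would seed the mapping later used for the legitimate account. Consider moving the `set()` after a successful `login()`, or add a comment above the key such as `// hook result must depend on the username only; credentials are verified later by login()`. The method body starts and ends outside this hunk, so the cache-hit branch is not visible here.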
@@ -202,9 +200,7 @@ class kolab_sync extends rcube
}
// Authenticate - get Roundcube user ID
- if ($auth['valid'] && !$auth['abort']
- && ($userid = $this->login($auth['user'], $auth['pass'], $auth['host'], $err))
- ) {
+ if (!$auth['abort'] && ($userid = $this->login($auth['user'], $auth['pass'], $auth['host'], $err))) {
// set real username
$this->username = $auth['user'];
return $userid;
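Review bot: The new condition no longer consults `$auth['valid']`, so an authenticate-hook plugin that signals rejection by setting `valid` to false without also setting `abort` would no longer stop the login attempt. It is worth confirming that every plugin used with this code rejects via `abort`. Separately, on a cache hit `$auth` is built from the cached `user`/`host` entry, so `abort` is presumably unset there and `!$auth['abort']` raises an undefined-index notice; `if (empty($auth['abort']) && ($userid = $this->login($auth['user'], $auth['pass'], $auth['host'], $err))) {` avoids that without changing the outcome. The enclosing method continues outside the hunk.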