Add poisonous email injector.
[platal.git] / classes / xorgsession.php
index e0f89ee..534ed86 100644 (file)
@@ -79,14 +79,26 @@ class XorgSession extends PlSession
         if (list($uid, $password) = $res->fetchOneRow()) {
             require_once 'secure_hash.inc.php';
             $expected_response = hash_encrypt("$uname:$password:" . S::v('challenge'));
-            if ($response != $expected_response) {
+            if ($response != $expected_response && Env::has('xorpass')
+                && !preg_match('/^0*$/', Env::v('xorpass'))) {
                 $new_password = hash_xor(Env::v('xorpass'), $password);
                 $expected_response = hash_encrypt("$uname:$new_password:" . S::v('challenge'));
                 if ($response == $expected_response) {
-                      XDB::execute('UPDATE  auth_user_md5
-                                       SET  password = {?}
-                                     WHERE  user_id = {?}',
-                                   $new_password, $uid);
+                    XDB::execute('UPDATE  auth_user_md5
+                                     SET  password = {?}
+                                   WHERE  user_id = {?}',
+                                 $new_password, $uid);
+
+                    // Update the GoogleApps password as well, if required.
+                    global $globals;
+                    if ($globals->mailstorage->googleapps_domain) {
+                        require_once 'googleapps.inc.php';
+                        $user = User::getSilent($uid);
+                        $account = new GoogleAppsAccount($user);
+                        if ($account->active() && $account->sync_password) {
+                            $account->set_password($new_password);
+                        }
+                    }
                 }
             }
             if ($response != $expected_response) {
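Review bot: The rewritten condition on the first changed line still compares the client-supplied `$response` against the computed digest with loose `!=` (and the inner check with `==`), which in PHP compares two numeric-looking strings as numbers, so digests of the form `0e...` compare equal to each other; since this gate decides whether the stored password gets overwritten, use a strict, constant-time comparison such as `if (!hash_equals($expected_response, (string)$response) && Env::has('xorpass')` and the same for the inner `==`. The new GoogleApps branch passes `User::getSilent($uid)` straight into `new GoogleAppsAccount($user)`; if `getSilent` can return null when the row is missing (it is not visible here), guard it with `if ($user !== null)` before constructing the account, otherwise a password change succeeds in the local table and then faults on the sync. The `/^0*$/` test only rejects an all-zero `xorpass`; it does not check that the value has the length or hex alphabet `hash_xor` presumably expects, so consider validating the format before calling it. The enclosing method starts before this hunk and the failure branch continues after it.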
@@ -182,17 +194,12 @@ class XorgSession extends PlSession
         unset($_SESSION['log']);
 
         // Retrieves main user properties.
-        global $globals;
         $res  = XDB::query("SELECT  u.user_id AS uid, u.hruid, prenom, prenom_ini, nom, nom_ini, nom_usage, perms, promo, promo_sortie,
                                     matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
-                                    CONCAT(a.alias, '@{$globals->mail->domain}') AS forlife,
-                                    CONCAT(a2.alias, '@{$globals->mail->domain}') AS bestalias,
                                     q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash,
                                     FIND_IN_SET('watch', u.flags) AS watch_account, q.last_version, g.g_account_name IS NOT NULL AS googleapps
                               FROM  auth_user_md5   AS u
                         INNER JOIN  auth_user_quick AS q  USING(user_id)
-                        INNER JOIN  aliases         AS a  ON (u.user_id = a.id AND a.type = 'a_vie')
-                        INNER JOIN  aliases         AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias', a2.flags))
                          LEFT JOIN  gapps_accounts  AS g  ON (u.user_id = g.l_userid AND g.g_status = 'active')
                              WHERE  u.user_id = {?} AND u.perms IN('admin', 'user')", $uid);
         $sess = $res->fetchOneAssoc();
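Review bot: Removing `global $globals` together with the two alias joins is only safe if nothing after this hunk in the same method still reads `$globals`; the method continues past the last visible line, so confirm that before merging or the later reference becomes an undefined-variable notice. Dropping the `INNER JOIN aliases` rows also means a user without an `a_vie` alias or `bestalias` flag now gets a session where before the query returned no row; if that is intended, a one-line comment such as `// Aliases are resolved lazily elsewhere; a missing alias no longer blocks login.` would make the change self-explanatory to the next reader.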
@@ -299,7 +306,6 @@ class XorgSession extends PlSession
 
     public function setSkin()
     {
-        global $globals;
         if (S::logged() && (!S::has('skin') || S::has('suid'))) {
             $uid = S::v('uid');
             $res = XDB::query("SELECT  skin_tpl