2017-05-07 19:38:31 +08:00
|
|
|
<?php
|
|
|
|
// Start session
|
2019-02-05 05:34:03 +08:00
|
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
|
|
ini_set("session.cookie_httponly", 1);
|
|
|
|
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
|
|
|
|
}
|
2017-07-16 17:03:28 +08:00
|
|
|
|
2017-05-07 19:38:31 +08:00
|
|
|
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
|
|
|
|
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
|
2019-02-05 05:34:03 +08:00
|
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
|
|
ini_set("session.cookie_secure", 1);
|
|
|
|
}
|
2017-05-07 19:38:31 +08:00
|
|
|
$IS_HTTPS = true;
|
|
|
|
}
|
|
|
|
elseif (isset($_SERVER['HTTPS'])) {
|
2019-02-05 05:34:03 +08:00
|
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
|
|
ini_set("session.cookie_secure", 1);
|
|
|
|
}
|
2017-05-07 19:38:31 +08:00
|
|
|
$IS_HTTPS = true;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$IS_HTTPS = false;
|
|
|
|
}
|
2019-04-14 19:01:40 +08:00
|
|
|
|
2019-02-05 05:34:03 +08:00
|
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
|
|
session_start();
|
|
|
|
}
|
|
|
|
|
2017-05-15 17:37:12 +08:00
|
|
|
if (!isset($_SESSION['CSRF']['TOKEN'])) {
|
|
|
|
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
|
2017-05-07 19:38:31 +08:00
|
|
|
}
|
|
|
|
|
2017-05-19 01:45:41 +08:00
|
|
|
// Set session UA
|
2017-05-07 19:38:31 +08:00
|
|
|
if (!isset($_SESSION['SESS_REMOTE_UA'])) {
|
|
|
|
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
|
|
|
|
}
|
|
|
|
|
2019-04-14 19:01:40 +08:00
|
|
|
// Keep session active
|
|
|
|
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
|
|
|
|
session_unset();
|
|
|
|
session_destroy();
|
|
|
|
}
|
|
|
|
$_SESSION['LAST_ACTIVITY'] = time();
|
|
|
|
|
2017-12-09 20:17:15 +08:00
|
|
|
// API
|
|
|
|
if (!empty($_SERVER['HTTP_X_API_KEY'])) {
|
2018-10-11 17:59:23 +08:00
|
|
|
$stmt = $pdo->prepare("SELECT `allow_from` FROM `api` WHERE `api_key` = :api_key AND `active` = '1';");
|
2017-12-09 20:17:15 +08:00
|
|
|
$stmt->execute(array(
|
2018-10-11 17:59:23 +08:00
|
|
|
':api_key' => preg_replace('/[^a-zA-Z0-9-]/', '', $_SERVER['HTTP_X_API_KEY'])
|
2017-12-09 20:17:15 +08:00
|
|
|
));
|
|
|
|
$api_return = $stmt->fetch(PDO::FETCH_ASSOC);
|
2018-10-17 02:09:01 +08:00
|
|
|
if (!empty($api_return['allow_from'])) {
|
2018-08-04 02:31:33 +08:00
|
|
|
$remote = get_remote_ip(false);
|
|
|
|
$allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $api_return['allow_from']));
|
|
|
|
if (in_array($remote, $allow_from)) {
|
2018-10-11 17:59:23 +08:00
|
|
|
$_SESSION['mailcow_cc_username'] = 'API';
|
2017-12-09 20:17:15 +08:00
|
|
|
$_SESSION['mailcow_cc_role'] = 'admin';
|
|
|
|
$_SESSION['mailcow_cc_api'] = true;
|
|
|
|
}
|
2019-02-05 05:34:03 +08:00
|
|
|
else {
|
|
|
|
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
|
|
|
|
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
2019-10-02 19:05:12 +08:00
|
|
|
http_response_code(401);
|
2019-02-05 05:34:03 +08:00
|
|
|
echo json_encode(array(
|
|
|
|
'type' => 'error',
|
|
|
|
'msg' => 'api access denied for ip ' . $_SERVER['REMOTE_ADDR']
|
|
|
|
));
|
|
|
|
unset($_POST);
|
|
|
|
die();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
|
|
|
|
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
|
2019-10-02 19:05:12 +08:00
|
|
|
http_response_code(401);
|
2019-02-05 05:34:03 +08:00
|
|
|
echo json_encode(array(
|
|
|
|
'type' => 'error',
|
|
|
|
'msg' => 'authentication failed'
|
|
|
|
));
|
|
|
|
unset($_POST);
|
|
|
|
die();
|
2017-12-09 20:17:15 +08:00
|
|
|
}
|
|
|
|
}
|
2017-07-27 05:09:50 +08:00
|
|
|
|
2019-03-25 19:33:58 +08:00
|
|
|
// Handle logouts
|
|
|
|
if (isset($_POST["logout"])) {
|
|
|
|
if (isset($_SESSION["dual-login"])) {
|
|
|
|
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
|
|
|
|
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
|
|
|
|
unset($_SESSION["dual-login"]);
|
|
|
|
header("Location: /mailbox");
|
|
|
|
exit();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
session_regenerate_id(true);
|
|
|
|
session_unset();
|
|
|
|
session_destroy();
|
|
|
|
session_write_close();
|
|
|
|
header("Location: /");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-07 19:38:31 +08:00
|
|
|
// Check session
|
|
|
|
function session_check() {
|
2019-02-05 05:34:03 +08:00
|
|
|
if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
|
2017-12-09 20:17:15 +08:00
|
|
|
return true;
|
|
|
|
}
|
2018-08-04 02:31:33 +08:00
|
|
|
if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
|
2018-08-14 05:20:40 +08:00
|
|
|
$_SESSION['return'][] = array(
|
2018-08-04 02:31:33 +08:00
|
|
|
'type' => 'warning',
|
|
|
|
'msg' => 'session_ua'
|
|
|
|
);
|
2017-05-07 19:38:31 +08:00
|
|
|
return false;
|
|
|
|
}
|
2017-05-15 17:37:12 +08:00
|
|
|
if (!empty($_POST)) {
|
|
|
|
if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) {
|
2018-08-14 05:20:40 +08:00
|
|
|
$_SESSION['return'][] = array(
|
2018-08-04 02:31:33 +08:00
|
|
|
'type' => 'warning',
|
|
|
|
'msg' => 'session_token'
|
|
|
|
);
|
2017-05-15 17:37:12 +08:00
|
|
|
return false;
|
|
|
|
}
|
2018-08-04 02:31:33 +08:00
|
|
|
unset($_POST['csrf_token']);
|
2017-05-15 17:37:12 +08:00
|
|
|
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
|
|
|
|
$_SESSION['CSRF']['TIME'] = time();
|
|
|
|
}
|
2017-05-07 19:38:31 +08:00
|
|
|
return true;
|
|
|
|
}
|
2017-05-15 17:37:12 +08:00
|
|
|
|
2017-05-07 19:38:31 +08:00
|
|
|
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
|
2017-05-15 17:37:12 +08:00
|
|
|
$_POST = array();
|
2017-10-21 16:07:06 +08:00
|
|
|
$_FILES = array();
|
2017-05-07 19:38:31 +08:00
|
|
|
}
|