From eb4dd632ae846926c7633d0b03d1028bc2dc03e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Peters?=
Date: Thu, 22 Feb 2018 09:16:16 +0100
Subject: [PATCH] [Web] Fix autodiscover triggering fail2ban implementation, fixes #1069

---
 .../override.d/worker-controller-password.inc | 0
 data/web/autodiscover.php | 150 +++++++++---------
 2 files changed, 74 insertions(+), 76 deletions(-)
 create mode 100644 data/conf/rspamd/override.d/worker-controller-password.inc

diff --git a/data/conf/rspamd/override.d/worker-controller-password.inc b/data/conf/rspamd/override.d/worker-controller-password.inc
new file mode 100644
index 00000000..e69de29b
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index a8d8073b..88f91da8 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -36,9 +36,8 @@ $opt = [
 $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
 $login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
-$login_role = check_login($login_user, $login_pass);
-if (!isset($_SERVER['PHP_AUTH_USER']) OR $login_role !== "user") {
+if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
 try {
 $json = json_encode(
 array(
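Review bot: `$login_user` and `$login_pass` are still derived from `$_SERVER['PHP_AUTH_USER']` / `$_SERVER['PHP_AUTH_PW']` on the two context lines above the new `empty()` guard, so the unauthenticated probe this commit targets still passes an undefined index to `trim()` and raises a notice before the 401 is sent; move those two assignments below the guard, where both headers are known to exist. Separately, `empty()` treats the string `"0"` as absent, so a password of exactly `0` would be answered with the 401 challenge instead of being checked; `if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] === '' || $_SERVER['PHP_AUTH_PW'] === '') {` expresses the intent without that edge. The body of the new `if` runs past the end of this hunk.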
@@ -62,35 +61,36 @@ if (!isset($_SERVER['PHP_AUTH_USER']) OR $login_role !== "user") { header('HTTP/1.0 401 Unauthorized'); exit(0); } -else { - if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { - if ($login_role === "user") { - header("Content-Type: application/xml"); - echo '' . PHP_EOL; + +$login_role = check_login($login_user, $login_pass); + +if ($login_role === "user") { + header("Content-Type: application/xml"); + echo '' . PHP_EOL; ?> time(), - "ua" => $_SERVER['HTTP_USER_AGENT'], - "user" => $_SERVER['PHP_AUTH_USER'], - "service" => "Error: invalid or missing request data" - ) - ); - $redis->lPush('AUTODISCOVER_LOG', $json); - $redis->lTrim('AUTODISCOVER_LOG', 0, 100); - } - catch (RedisException $e) { - $_SESSION['return'] = array( - 'type' => 'danger', - 'msg' => 'Redis: '.$e - ); - return false; - } - list($usec, $sec) = explode(' ', microtime()); + if(!$data) { + try { + $json = json_encode( + array( + "time" => time(), + "ua" => $_SERVER['HTTP_USER_AGENT'], + "user" => $_SERVER['PHP_AUTH_USER'], + "service" => "Error: invalid or missing request data" + ) + ); + $redis->lPush('AUTODISCOVER_LOG', $json); + $redis->lTrim('AUTODISCOVER_LOG', 0, 100); + } + catch (RedisException $e) { + $_SESSION['return'] = array( + 'type' => 'danger', + 'msg' => 'Redis: '.$e + ); + return false; + } + list($usec, $sec) = explode(' ', microtime()); ?> 
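Review bot: The `if ($login_role === "user")` opened here still wraps the whole response, so the 401 for credentials that are present but rejected by `check_login()` (or that belong to a non-user role) has to come from the closing hunk near line 210, which is cut off in this view; please confirm a `header('HTTP/1.0 401 Unauthorized'); exit(0);` survives there, otherwise a wrong password falls through to a 200 with an empty body. As a point of style, now that the missing-credentials case is a guard clause, the same shape fits here — `if ($login_role !== "user") { header('HTTP/1.0 401 Unauthorized'); exit(0); }` — which would let the XML-emitting body be dedented rather than pushed one level deeper as the following hunk does. The block opened in this hunk closes outside it.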
@@ -101,50 +101,50 @@ else { Request->EMailAddress; - } catch (Exception $e) { - $email = $_SERVER['PHP_AUTH_USER']; - } + exit(0); + } + try { + $discover = new SimpleXMLElement($data); + $email = $discover->Request->EMailAddress; + } catch (Exception $e) { + $email = $_SERVER['PHP_AUTH_USER']; + } - $username = trim($email); - try { - $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); - $stmt->execute(array(':username' => $username)); - $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); - } - catch(PDOException $e) { - die("Failed to determine name from SQL"); - } - if (!empty($MailboxData['name'])) { - $displayname = $MailboxData['name']; - } - else { - $displayname = $email; - } - try { - $json = json_encode( - array( - "time" => time(), - "ua" => $_SERVER['HTTP_USER_AGENT'], - "user" => $_SERVER['PHP_AUTH_USER'], - "service" => $autodiscover_config['autodiscoverType'] - ) - ); - $redis->lPush('AUTODISCOVER_LOG', $json); - $redis->lTrim('AUTODISCOVER_LOG', 0, 100); - } - catch (RedisException $e) { - $_SESSION['return'] = array( - 'type' => 'danger', - 'msg' => 'Redis: '.$e - ); - return false; - } - if ($autodiscover_config['autodiscoverType'] == 'imap') { + $username = trim($email); + try { + $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); + $stmt->execute(array(':username' => $username)); + $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); + } + catch(PDOException $e) { + die("Failed to determine name from SQL"); + } + if (!empty($MailboxData['name'])) { + $displayname = $MailboxData['name']; + } + else { + $displayname = $email; + } + try { + $json = json_encode( + array( + "time" => time(), + "ua" => $_SERVER['HTTP_USER_AGENT'], + "user" => $_SERVER['PHP_AUTH_USER'], + "service" => $autodiscover_config['autodiscoverType'] + ) + ); + $redis->lPush('AUTODISCOVER_LOG', $json); + $redis->lTrim('AUTODISCOVER_LOG', 0, 100); + } + catch (RedisException $e) { + $_SESSION['return'] = array( + 'type' => 
'danger', + 'msg' => 'Redis: '.$e + ); + return false; + } + if ($autodiscover_config['autodiscoverType'] == 'imap') { ?> @@ -190,8 +190,8 @@ else { en:en @@ -210,11 +210,9 @@ else {