Tree - rpms/zarafa - src.fedoraproject.org

rpms / zarafa

Overview Files Commits Branches Forks Releases

Monitoring status:

Orphaned for:

Take

Bugzilla Assignee:

Fedora:: orphan
EPEL:: robert

Files

Commit: ce0e01723f2fe9e281c4e63436caa81558cb7a9f

Blob Blame History Raw

Patch by Robert Scheck <robert@fedoraproject.org> for Zarafa <= 7.1.0 which logs authentication
failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
there is no inappropriate space before a punctuation mark also known as "plenken".

The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication
is only performed if username and password are filled. This avoids a) strange looking results of
error_log() from the first part and b) reduces the possible risk of denial of service given that
PHP is not connecting the Zarafa server if not really needed.

I guess the usage of isset() rather !empty() was accidential because isset() is always true once
the HTTP POST via the login formular happens.

Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream
ticket https://jira.zarafa.com/browse/ZCP-12543.

--- zarafa-7.1.10/php-webclient-ajax/client/login.php		2014-05-23 15:56:38.000000000 +0200
+++ zarafa-7.1.10/php-webclient-ajax/client/login.php		2014-08-13 22:11:38.000000000 +0200
@@ -86,6 +86,8 @@
 		switch($_SESSION["hresult"]){
 			case MAPI_E_LOGON_FAILED:
 			case MAPI_E_UNCONFIGURED:
+				// Print error message to error_log of webserver
+				error_log('user '.$_POST["username"].': authentication failure at MAPI');
 				echo _("Logon failed, please check your name/password.");
 				break;
 			case MAPI_E_NETWORK_ERROR:
--- zarafa-7.1.10/php-webclient-ajax/index.php			2014-05-23 15:56:38.000000000 +0200
+++ zarafa-7.1.10/php-webclient-ajax/index.php			2014-08-13 22:11:11.000000000 +0200
@@ -153,7 +153,7 @@
 
 	// Create global mapi object. This object is used in many other files
 	$GLOBALS["mapisession"] = new MAPISession();
-	if (isset($_SESSION["username"]) && isset($_SESSION["password"])) {
+	if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) {
 		$sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null;
 		$sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null;
 		$hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass);

rpms / zarafa

Source Code

Files