
Improve password loading in password_valid (#2739)

* Fix some small bugs in upgrade scripts

* Fix issue with spaces in password

* Prevent password_valid from accessing other files

Only limit to tmp folder

* Add spacing.

Co-authored-by: Raphael <rs@scit.ch>
Jaap Marcus пре 3 година
родитељ
комит
fb34e248a5

+ 1 - 1
bin/v-add-mail-account

@@ -68,7 +68,7 @@ check_hestia_demo_mode
 # Generating hashed password
 if [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
     set +H # disable ! style history substitution
-    md5="$(doveadm pw -s ARGON2ID -p $password)"
+    md5="$(doveadm pw -s ARGON2ID -p "$password")"
 else
     # Fall back on MD5
     salt=$(generate_password "$PW_MATRIX" "8")
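Review bot: The plaintext password is still handed to `doveadm` as a command-line argument on the changed line (`-p "$password"`), so while that process runs it can be read by other local accounts through the process list; quoting fixes the word-splitting problem but not this exposure. The same call appears in bin/v-change-mail-account-password and bin/v-check-mail-account-hash. If the installed `doveadm pw` accepts the password on standard input when `-p` is omitted (to be confirmed against its documentation), feeding it that way would keep the secret out of argv. A smaller style point: the variable is still called `md5` although this branch stores an ARGON2ID hash, so a comment such as `# md5 holds the Dovecot hash, whatever the scheme` would help. The enclosing if/else continues past the end of the hunk.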

+ 1 - 1
bin/v-change-mail-account-password

@@ -58,7 +58,7 @@ check_hestia_demo_mode
 # Generating hashed password
 if [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
     set +H # disable ! style history substitution
-    md5="$(doveadm pw -s ARGON2ID -p $password)"
+    md5="$(doveadm pw -s ARGON2ID -p "$password")"
 else
     salt=$(generate_password "$PW_MATRIX" "8")
     md5="{MD5}$($BIN/v-generate-password-hash md5 $salt <<<$password)"
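Review bot: The MD5 fallback on the last line of this hunk still expands `$salt` and `<<<$password` without quotes, which is inconsistent with the quoting this commit adds in the ARGON2ID branch. Current bash does not word-split a here-string, but older releases are reported to collapse whitespace there, so `md5="{MD5}$($BIN/v-generate-password-hash md5 "$salt" <<<"$password")"` is the safer form. The else branch continues outside the hunk.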

+ 1 - 1
bin/v-check-mail-account-hash

@@ -36,7 +36,7 @@ is_password_valid
 #----------------------------------------------------------#
 
 if [ "$type" = "ARGONID2" ]; then
-    match=$(doveadm pw -s ARGON2ID -p $password -t $hash | grep "verified");
+    match=$(doveadm pw -s ARGON2ID -p "$password" -t $hash | grep "verified");
     if [ -n "$match" ]; then
         exit 0;
     else
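Review bot: On the changed line only `$password` gained quotes; `-t $hash` is still unquoted, so a hash value containing whitespace or glob characters would be split or expanded before `doveadm` sees it, and `-t "$hash"` closes that. The branch condition compares `$type` with `ARGONID2` while the scheme passed to doveadm is `ARGON2ID`; if callers send the scheme name this branch is never taken, which is worth confirming against the callers (not visible here). Using `grep -q "verified"` directly as the `if` condition would also avoid capturing output only to test it for emptiness. The if/else continues past the hunk.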

+ 9 - 4
func/main.sh

@@ -414,17 +414,22 @@ is_object_value_exist() {
 # Check if password is transmitted via file
 is_password_valid() {
     if [[ "$password" =~ ^/tmp/ ]]; then
-        if [ -f "$password" ]; then
-            password="$(head -n1 $password)"
+        if ! [[ "$password" == *../* ]]; then
+            if [ -f "$password" ]; then
+                password="$(head -n1 $password)"
+            fi
         fi
     fi
+    echo $password;
 }
 
 # Check if hash is transmitted via file
 is_hash_valid() {
     if [[ "$hash" =~ ^/tmp/ ]]; then
-        if [ -f "$hash" ]; then
-            hash="$(head -n1 $hash)"
+        if ! [[ "$hash" == *../* ]]; then
+            if [ -f "$hash" ]; then
+                hash="$(head -n1 $hash)"
+            fi
         fi
     fi
 }
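Review bot: The added `echo $password;` at the end of `is_password_valid` writes the plaintext password (or the first line of the password file) to stdout on every call, which looks like leftover debugging; it should be removed, since any caller that captures or logs the script's output would then record the secret. The new `*../*` test also does not confine the read to /tmp, because `[ -f ... ]` follows symbolic links, so a path under /tmp can still resolve to a file elsewhere; adding `[ ! -L "$password" ]` (or comparing the `realpath` result against `/tmp/`) would make the limit stated in the commit message hold. `head -n1 $password` and `head -n1 $hash` should be quoted as `head -n1 -- "$password"` and `head -n1 -- "$hash"`, and `is_hash_valid` needs the same symlink check. A comment noting that a literal password beginning with `/tmp/` is treated as a file path would document the remaining ambiguity.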

+ 15 - 13
install/upgrade/versions/1.6.2.sh

@@ -21,16 +21,18 @@ upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'no'
 upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'no'
 upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
 
-alc=$(cat /etc/exim4/exim4.conf.template | grep '${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits');
-if [ -z "$alc" ]; then
-    sed -i 's| set acl_c_msg_limit|#string1\n#replaceme|'  /etc/exim4/exim4.conf.template
-    sed -i '/#replaceme/d' /etc/exim4/exim4.conf.template
-    sed -i 's|#string1|set acl_c_msg_limit  = \${if exists{/etc/exim4/domains/\${lookup{\${domain:\$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{\${lookup {\$authenticated_id} lsearch{/etc/exim4/domains/\${lookup{${domain:\$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{\$value}{\${readfile{/etc/exim4/limit.conf}}}}}{\${readfile{/etc/exim4/limit.conf}}} }|g' /etc/exim4/exim4.conf.template
-fi
-
-system_filter=$(cat /etc/exim4/exim4.conf.template | grep 'system_filter');
-if [ -z "$system_filter" ]; then
-    sed -i '/SMTP_RELAY_PASS = \${lookup{pass}lsearch{SMTP_RELAY_FILE}}/a #shouldberemoved\n# Custom Filter\nsystem_filter = \/etc\/exim4\/system.filter\nsystem_filter_user = Debian-exim' /etc/exim4/exim4.conf.template
-    # Keep the spacing between the reley_pass and Custom Filter we need to insert a dummy text and remove it later on
-    sed -i 's/#shouldberemoved//g' /etc/exim4/exim4.conf.template
-fi
+if [ "$MAIL_SYSTEM" == "exim4" ]; then
+    alc=$(cat /etc/exim4/exim4.conf.template | grep '${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits');
+    if [ -z "$alc" ]; then
+        sed -i 's| set acl_c_msg_limit|#string1\n#replaceme|'  /etc/exim4/exim4.conf.template
+        sed -i '/#replaceme/d' /etc/exim4/exim4.conf.template
+        sed -i 's|#string1|set acl_c_msg_limit  = \${if exists{/etc/exim4/domains/\${lookup{\${domain:\$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{\${lookup {\$authenticated_id} lsearch{/etc/exim4/domains/\${lookup{${domain:\$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{\$value}{\${readfile{/etc/exim4/limit.conf}}}}}{\${readfile{/etc/exim4/limit.conf}}} }|g' /etc/exim4/exim4.conf.template
+    fi
+    
+    system_filter=$(cat /etc/exim4/exim4.conf.template | grep 'system_filter');
+    if [ -z "$system_filter" ]; then
+        sed -i '/SMTP_RELAY_PASS = \${lookup{pass}lsearch{SMTP_RELAY_FILE}}/a #shouldberemoved\n# Custom Filter\nsystem_filter = \/etc\/exim4\/system.filter\nsystem_filter_user = Debian-exim' /etc/exim4/exim4.conf.template
+        # Keep the spacing between the reley_pass and Custom Filter we need to insert a dummy text and remove it later on
+        sed -i 's/#shouldberemoved//g' /etc/exim4/exim4.conf.template
+    fi
+fi
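Review bot: The new `[ "$MAIL_SYSTEM" == "exim4" ]` guard assumes /etc/exim4/exim4.conf.template exists whenever the variable says exim4; if the file is missing, `cat` fails, `alc` and `system_filter` come back empty and every `sed -i` then runs against a non-existent file. install/upgrade/versions/1.6.3.sh has the same gap, and there the commit replaces the previous `[ -f /etc/exim4/exim4.conf.template ]` test rather than adding to it. Keeping both conditions, `if [ "$MAIL_SYSTEM" = "exim4" ] && [ -f /etc/exim4/exim4.conf.template ]; then`, covers both cases and uses the portable `=`. The presence checks would read more clearly as `grep -qF '...' /etc/exim4/exim4.conf.template`, since the pattern is meant literally and contains `$` and `{`.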

+ 1 - 1
install/upgrade/versions/1.6.3.sh

@@ -21,7 +21,7 @@ upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'yes'
 upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'yes'
 upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
 
-if [ -f /etc/exim4/exim4.conf.template ]; then 
+if [ "$MAIL_SYSTEM" == "exim4" ]; then
     host=$(cat /etc/exim4/exim4.conf.template | grep hosts_try_fastopen);
     if [ -z "$host" ]; then
         echo "[ * ] Fix an issue with sending large attachments to Google / Gmail"