صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
yosoyhendrix
/
hestiacp
mirrorاز https://github.com/hestiacp/hestiacp
1
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
درخت: 2d66a472cb
شاخه‌ها تگ‌ها
hestiacp
/
web
/
reset
/
mail
/
index.php

index.php 2.8 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. <?php
    2. 

  2. use function Hestiacp\quoteshellarg\quoteshellarg;
    3. 

  3. // Init
    4. 

  4. define("NO_AUTH_REQUIRED", true);
    5. 

  5. define("NO_AUTH_REQUIRED2", true);
    6. 

  6. header("Content-Type: text/plain; charset=utf-8");
    7. 

  7. 

  8. include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
    9. 

  9. 

  10. // Checking IP of incoming connection, checking is it NAT address
    11. 

  11. $ok = 0;
    12. 

  12. $ip = $_SERVER["REMOTE_ADDR"];
    13. 

  13. 

  14. exec(HESTIA_CMD . "v-list-sys-ips json", $output, $return_var);
    15. 

  15. $output = implode("", $output);
    16. 

  16. $arr = json_decode($output, true);
    17. 

  17. foreach ($arr as $arr_key => $arr_val) {
    18. 

  18. 	// search for NAT IPs and allow them
    19. 

  19. 	if ($ip == $arr_key || $ip == $arr_val["NAT"]) {
    20. 

  20. 		$ok = 1;
    21. 

  21. 		break;
    22. 

  22. 	}
    23. 

  23. }
    24. 

  24. if ($ip == $_SERVER["SERVER_ADDR"]) {
    25. 

  25. 	$ok = 1;
    26. 

  26. }
    27. 

  27. if ($ip == "127.0.0.1") {
    28. 

  28. 	$ok = 1;
    29. 

  29. }
    30. 

  30. if ($ok == 0) {
    31. 

  31. 	exit();
    32. 

  32. }
    33. 

  33. if (isset($_SERVER["HTTP_X_REAL_IP"]) || isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    34. 

  34. 	exit();
    35. 

  35. }
    36. 

  36. 

  37. // Check arguments
    38. 

  38. 

  39. if (empty($_POST["email"])) {
    40. 

  40. 	echo "error email address not provided";
    41. 

  41. 	exit();
    42. 

  42. }
    43. 

  43. if (empty($_POST["password"])) {
    44. 

  44. 	echo "error old password provided";
    45. 

  45. 	exit();
    46. 

  46. }
    47. 

  47. if (empty($_POST["new"])) {
    48. 

  48. 	echo "error new password not provided";
    49. 

  49. 	exit();
    50. 

  50. }
    51. 

  51. 

  52. [$v_account, $v_domain] = explode("@", $_POST["email"]);
    53. 

  53. $v_domain = quoteshellarg($v_domain);
    54. 

  54. $v_account = quoteshellarg($v_account);
    55. 

  55. $v_password = $_POST["password"];
    56. 

  56. 

  57. // Get domain owner
    58. 

  58. exec(HESTIA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $output, $return_var);
    59. 

  59. if ($return_var != 0 || empty($output[0])) {
    60. 

  60. 	echo "error domain owner not found";
    61. 

  61. 	exit();
    62. 

  62. }
    63. 

  63. $v_user = $output[0];
    64. 

  64. unset($output);
    65. 

  65. 

  66. // Get current password hash (called "md5" for legacy reasons, it's not guaranteed to be md5)
    67. 

  67. exec(
    68. 

  68. 	HESTIA_CMD .
    69. 

  69. 		"v-get-mail-account-value " .
    70. 

  70. 		quoteshellarg($v_user) .
    71. 

  71. 		" " .
    72. 

  72. 		$v_domain .
    73. 

  73. 		" " .
    74. 

  74. 		$v_account .
    75. 

  75. 		" 'md5'",
    76. 

  76. 	$output,
    77. 

  77. 	$return_var,
    78. 

  78. );
    79. 

  79. if ($return_var != 0 || empty($output[0])) {
    80. 

  80. 	echo "error unable to get current account password hash";
    81. 

  81. 	exit();
    82. 

  82. }
    83. 

  83. $v_hash = $output[0];
    84. 

  84. unset($output);
    85. 

  85. 

  86. // v_hash use doveadm password hash format, which is basically {HASH_NAME}normal_crypt_format,
    87. 

  87. // so we just need to remove the {HASH_NAME} before we can ask password_verify if its correct or not.
    88. 

  88. $hash_for_password_verify = explode("}", $v_hash, 2);
    89. 

  89. $hash_for_password_verify = end($hash_for_password_verify);
    90. 

  90. if (!password_verify($v_password, $hash_for_password_verify)) {
    91. 

  91. 	die("error old password does not match");
    92. 

  92. }
    93. 

  93. 

  94. // Change password
    95. 

  95. $fp = tmpfile();
    96. 

  96. $new_password_file = stream_get_meta_data($fp)["uri"];
    97. 

  97. fwrite($fp, $_POST["new"] . "\n");
    98. 

  98. exec(
    99. 

  99. 	HESTIA_CMD .
    100. 

  100. 		"v-change-mail-account-password " .
    101. 

  101. 		quoteshellarg($v_user) .
    102. 

  102. 		" " .
    103. 

  103. 		$v_domain .
    104. 

  104. 		" " .
    105. 

  105. 		$v_account .
    106. 

  106. 		" " .
    107. 

  107. 		quoteshellarg($new_password_file),
    108. 

  108. 	$output,
    109. 

  109. 	$return_var,
    110. 

  110. );
    111. 

  111. fclose($fp);
    112. 

  112. if ($return_var == 0) {
    113. 

  113. 	echo "==ok==";
    114. 

  114. 	exit();
    115. 

  115. }
    116. 

  116. echo "error v-change-mail-account-password returned non-zero: " . $return_var;
    117. 

  117. exit();
    118.