Главная Обзор Помощь
Вход
yosoyhendrix
/
hestiacp
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 3e9bc06bd0
Ветки Метки
hestiacp
/
web
/
reset
/
mail
/
index.php

index.php 2.7 KB
История Исходник

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. <?php
    2. 

  2. // Init
    3. 

  3. define('NO_AUTH_REQUIRED',true);
    4. 

  4. define('NO_AUTH_REQUIRED2',true);
    5. 

  5. header('Content-Type: text/plain; charset=utf-8');
    6. 

  6. 

  7. include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
    8. 

  8. 

  9. // Checking IP of incoming connection, checking is it NAT address
    10. 

  10. $ok=0;
    11. 

  11. $ip=$_SERVER['REMOTE_ADDR'];
    12. 

  12. 

  13. exec (HESTIA_CMD."v-list-sys-ips json", $output, $return_var);
    14. 

  14. $output=implode('', $output);
    15. 

  15. $arr=json_decode($output, true);
    16. 

  16. foreach ($arr as $arr_key => $arr_val) {
    17. 

  17.     // search for NAT IPs and allow them
    18. 

  18. 	if ($ip==$arr_key || $ip==$arr_val['NAT']) {
    19. 

  19. 		$ok=1;
    20. 

  20. 		break;
    21. 

  21. 	}
    22. 

  22. }
    23. 

  23. if ($ip == $_SERVER['SERVER_ADDR']) $ok=1;
    24. 

  24. if ($ip == '127.0.0.1') $ok=1;
    25. 

  25. if ($ok==0) exit;
    26. 

  26. if (isset($_SERVER['HTTP_X_REAL_IP']) || isset($_SERVER['HTTP_X_FORWARDED_FOR'])) exit;
    27. 

  27. 

  28. 

  29. 

  30. // Check arguments
    31. 

  31. 

  32. if (empty($_POST['email'])) {
    33. 

  33.     echo "error email address not provided";
    34. 

  34.     exit;
    35. 

  35. }
    36. 

  36. if (empty($_POST['password'])) {
    37. 

  37.     echo "error old password provided";
    38. 

  38.     exit;
    39. 

  39. }
    40. 

  40. if (empty($_POST['new'])) {
    41. 

  41.     echo "error new password not provided";
    42. 

  42.     exit;
    43. 

  43. }
    44. 

  44. 

  45. list($v_account, $v_domain) = explode('@', $_POST['email']);
    46. 

  46. $v_domain = escapeshellarg($v_domain);
    47. 

  47. $v_account = escapeshellarg($v_account);
    48. 

  48. $v_password = $_POST['password'];
    49. 

  49. 

  50. // Get domain owner
    51. 

  51. exec(HESTIA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $output, $return_var);
    52. 

  52. if ($return_var != 0 || empty($output[0])) {
    53. 

  53.     echo "error domain owner not found";
    54. 

  54.     exit;
    55. 

  55. }
    56. 

  56. $v_user = $output[0];
    57. 

  57. unset($output);
    58. 

  58. 

  59. 

  60. // Get current password hash (called "md5" for legacy reasons, it's not guaranteed to be md5)
    61. 

  61. exec(HESTIA_CMD . "v-get-mail-account-value " . escapeshellarg($v_user) . " " . $v_domain . " " . $v_account . " 'md5'", $output, $return_var);
    62. 

  62. if ($return_var != 0 || empty($output[0])) {
    63. 

  63.     echo "error unable to get current account password hash";
    64. 

  64.     exit;
    65. 

  65. }
    66. 

  66. $v_hash = $output[0];
    67. 

  67. unset($output);
    68. 

  68. 

  69. // v_hash use doveadm password hash format, which is basically {HASH_NAME}normal_crypt_format,
    70. 

  70. // so we just need to remove the {HASH_NAME} before we can ask password_verify if its correct or not.
    71. 

  71. $hash_for_password_verify = explode('}', $v_hash, 2);
    72. 

  72. $hash_for_password_verify = end($hash_for_password_verify);
    73. 

  73. if (!password_verify($v_password, $hash_for_password_verify)) {
    74. 

  74.     die("error old password does not match");
    75. 

  75. }
    76. 

  76. 

  77. // Change password
    78. 

  78. $fp = tmpfile();
    79. 

  79. $new_password_file = stream_get_meta_data($fp)['uri'];
    80. 

  80. fwrite($fp, $_POST['new'] . "\n");
    81. 

  81. exec(HESTIA_CMD . "v-change-mail-account-password " . escapeshellarg($v_user) . " " . $v_domain . " " . $v_account . " " . escapeshellarg($new_password_file), $output, $return_var);
    82. 

  82. fclose($fp);
    83. 

  83. if ($return_var == 0) {
    84. 

  84.     echo "==ok==";
    85. 

  85.     exit;
    86. 

  86. }
    87. 

  87. echo 'error v-change-mail-account-password returned non-zero: ' . $return_var;
    88. 

  88. exit;
    89.