From 1dbf2e909fe8593ed5edfb45e292aaa71e777274 Mon Sep 17 00:00:00 2001
From: the-djmaze <>
Date: Mon, 31 Oct 2022 14:56:42 +0100
Subject: [PATCH] Prevent nextcloud impersonate plugin to login #561

---
 .../nextcloud/snappymail/lib/AppInfo/Application.php | 3 +++
 .../snappymail/lib/Util/SnappyMailHelper.php | 12 ++++++++++--
 .../app/libraries/RainLoop/Actions/UserAuth.php | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/integrations/nextcloud/snappymail/lib/AppInfo/Application.php b/integrations/nextcloud/snappymail/lib/AppInfo/Application.php
index c5dae876da..0161c95684 100644
--- a/integrations/nextcloud/snappymail/lib/AppInfo/Application.php
+++ b/integrations/nextcloud/snappymail/lib/AppInfo/Application.php
@@ -79,7 +79,9 @@ public function boot(IBootContext $context): void
 ];
 });
 */
+
 $userSession = \OC::$server->getUserSession();
+// $userSession->listen('\OC\User', 'postRememberedLogin', function($loginName, $password) {
 $userSession->listen('\OC\User', 'postLogin', function($user, $loginName, $password, $isTokenLogin) {
 $config = \OC::$server->getConfig();
 $sEmail = '';
@@ -91,6 +93,7 @@ public function boot(IBootContext $context): void
 $sEmail = $config->getUserValue($user->getUID(), 'settings', 'email', '');
 }
 if ($sEmail) {
+ \OC::$server->getSession()['snappymail-email'] = $sEmail;
 \OC::$server->getSession()['snappymail-password'] = SnappyMailHelper::encodePassword($password, \md5($sEmail));
 }
 });
diff --git a/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php b/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
index 1d5cb8f915..3e163c22f7 100644
--- a/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
+++ b/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
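Review bot: The added `+//		$userSession->listen('\OC\User', 'postRememberedLogin', function($loginName, $password) {` line in the first hunk is commented-out code committed as-is, and it leaves the reader guessing whether remembered-cookie logins are unsupported or merely unfinished. Replace it with a comment that states the intent, e.g. `// Remembered (cookie) logins carry no password, so no SnappyMail credentials are stored for them.`; whether startApp() then cleanly falls through with no credentials is my reading of the other hunks and should be confirmed. boot() continues outside the hunk.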
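Review bot: The new `\OC::$server->getSession()['snappymail-email'] = $sEmail;` in the second hunk is the identity half of a check that SnappyMailHelper::getLoginCredentials() performs against the current user's e-mail, and nothing here records that coupling. A comment such as `// Record which Nextcloud account this password belongs to; getLoginCredentials() discards the password when the session user no longer matches (e.g. admin impersonation).` keeps the writer and the reader of the key from drifting apart. Note that the password on the following line is encoded with `\md5($sEmail)`, so a user who changes their e-mail address after login fails both the decode and the new comparison and is treated as unauthenticated; whether that is acceptable depends on code outside this hunk.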
@@ -106,9 +106,13 @@ public static function startApp(bool $handle = false) : void
 \RainLoop\Utils::SetCookie('smadmin', $sToken);
 }
 }
- } else if (!$oActions->getMainAccountFromToken(false)) {
+ } else {
 $aCredentials = SnappyMailHelper::getLoginCredentials();
- if ($aCredentials[0] && $aCredentials[1]) {
+ if ($oActions->getMainAccountFromToken(false)) {
+ if (!$aCredentials[0] || !$aCredentials[1]) {
+ $oActions->Logout(true);
+ }
+ } else if ($aCredentials[0] && $aCredentials[1]) {
 $oActions->Logger()->AddSecret($aCredentials[1]);
 $oAccount = $oActions->LoginProcess($aCredentials[0], $aCredentials[1], false);
 if ($oAccount) {
@@ -143,6 +147,10 @@ public static function getLoginCredentials() : array
 $sEmail = $config->getUserValue($sUID, 'settings', 'email', '');
 $sPassword = \OC::$server->getSession()['snappymail-password'];
 }
+ if (\OC::$server->getSession()['snappymail-email'] != $sEmail) {
+ $sPassword = '';
+ }
+
 // If the user has set credentials for SnappyMail in their personal
 // settings, override everything before and use those instead.
 $sCustomEmail = $config->getUserValue($sUID, 'snappymail', 'snappymail-email', '');
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php
index 7948bdc0ac..883caaa910 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php
@@ -429,7 +429,7 @@ public function SetSpecLogoutCustomMgsWithDeletion(string $sMessage): void
 Utils::SetCookie(self::AUTH_SPEC_LOGOUT_CUSTOM_MSG_KEY, $sMessage);
 }
 
- protected function Logout(bool $bMain) : void
+ public function Logout(bool $bMain) : void
 {
 Utils::ClearCookie(self::AUTH_ADDITIONAL_TOKEN_KEY);
 $bMain && Utils::ClearCookie(self::AUTH_SPEC_TOKEN_KEY);
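Review bot: `$oActions->Logout(true);` in the new `if ($oActions->getMainAccountFromToken(false))` branch ends a SnappyMail session whose Nextcloud credentials no longer vouch for the user, but it does so silently; an admin impersonating a mailbox owner is exactly the event an operator wants in the audit trail, so write a log line through `$oActions->Logger()` before calling Logout, naming the Nextcloud UID and never the password. Document the branch as well: `// A SnappyMail token exists but Nextcloud no longer presents credentials for this user (e.g. impersonate plugin): drop it.` startApp() carries on after the Logout call with the rest of the request, and whether later code still holds the old account is not visible because the function body continues outside the hunk.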
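Review bot: `if (\OC::$server->getSession()['snappymail-email'] != $sEmail)` in the getLoginCredentials hunk uses loose comparison; make it strict so a missing session key (`null`) and numeric-looking strings can never compare equal through coercion: `if (\OC::$server->getSession()['snappymail-email'] !== $sEmail) {`. The check is keyed on the e-mail rather than the UID, so a user who edits their own e-mail address is logged out, which the md5-of-e-mail encoding in Application.php already implies and so is probably intended, but comparing the UID would make the identity check independent of that encoding detail. Add a comment on the block: `// The session's password was captured for a different Nextcloud account (e.g. admin impersonation) - never reuse it.` The custom-credential override below still applies after this check, which reads as intended. getLoginCredentials() starts outside the hunk.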
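Review bot: Widening `Logout(bool $bMain)` from `protected` to `public` exists only so the Nextcloud integration can call it, yet the signature carries no docblock saying so, and a later cleanup could narrow it again and silently disable the impersonation guard. Add `/** Public because integrations (SnappyMailHelper::startApp) must be able to end a session whose external credentials are no longer valid. */` above the signature. The method body continues outside the hunk.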