From cd2f1b28875694787b718b45e201cd49d685ed78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20H=C3=B6ft?= <Nicolas.Hoeft@gmail.com>
Date: Wed, 31 Oct 2012 13:34:10 +0100
Subject: [PATCH 2/2] SQLSource,LDAPSource: do not write a password when the
 scheme is unknown

_encryptPassword did not return nil when the password generated
from NSString+Crypto returned an error.

This patch changes this behaviour and also does not write the
password to the SQL or LDAP database when _encryptPassword returns
nil.
---
 SoObjects/SOGo/LDAPSource.m | 45 +++++++++++++++++++++++++++++----------------
 SoObjects/SOGo/SQLSource.m  | 15 ++++++++++-----
 2 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/SoObjects/SOGo/LDAPSource.m b/SoObjects/SOGo/LDAPSource.m
index 81024a2..96a98ef 100644
--- a/SoObjects/SOGo/LDAPSource.m
+++ b/SoObjects/SOGo/LDAPSource.m
@@ -586,7 +586,10 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
   pass = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm];
 
   if (pass == nil)
-    [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm];
+    {
+      [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm];
+      return nil;
+    }
 
   return [NSString stringWithFormat: @"{%@}%@", _userPasswordAlgorithm, pass];
 }
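Review bot: The new `return nil;` gives `_encryptPassword:` a failure contract that is not documented, here or in the identical change to SQLSource.m further down. A short comment above the method, for example `/* Returns nil when _userPasswordAlgorithm is unsupported; callers must not store the result. */`, would make the contract explicit. The method begins outside the hunk, so any other call sites that pass its result straight into a directory or SQL write are not visible here and should be checked for the nil case.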
@@ -629,24 +632,34 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
 		    NGLdapModification *mod;
 		    NGLdapAttribute *attr;
 		    NSArray *changes;
+           NSString* encryptedPass;
 		    
 		    attr = [[NGLdapAttribute alloc] initWithAttributeName: @"userPassword"];
 		    if ([_userPasswordAlgorithm isEqualToString: @"none"])
-		      [attr addStringValue:  newPassword];
-		    else
-		      [attr addStringValue: [self _encryptPassword: newPassword]];
-		    
-		    mod = [NGLdapModification replaceModification: attr];
-		    changes = [NSArray arrayWithObject: mod];
-		    *perr = PolicyNoError;
-
-		    if ([bindConnection bindWithMethod: @"simple"
-					binddn: userDN
-					credentials: oldPassword])
-		      didChange = [bindConnection modifyEntryWithDN: userDN
-						  changes: changes]; 
-		    else
-		      didChange = NO;
+             {
+               encryptedPass = newPassword;
+             }
+           else
+             {
+               encryptedPass = [self _encryptPassword: newPassword];
+             }
+           if(encryptedPass != nil)
+             {
+               [attr addStringValue: encryptedPass];
+               mod = [NGLdapModification replaceModification: attr];
+               changes = [NSArray arrayWithObject: mod];
+               *perr = PolicyNoError;
+
+               if ([bindConnection bindWithMethod: @"simple"
+                        binddn: userDN
+                        credentials: oldPassword])
+                 {
+                   didChange = [bindConnection modifyEntryWithDN: userDN
+                                changes: changes];
+                 }
+                else
+                  didChange = NO;
+              }
 		  }
 	      else
 		didChange = [bindConnection changePasswordAtDn: userDN
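Review bot: When `encryptedPass` is nil, the new `if(encryptedPass != nil)` block is skipped with no `else`, so `didChange` and `*perr` keep whatever values they had before; their initialisation is outside the hunk. Adding `else didChange = NO;` after the block would make the refusal explicit, matching the bind-failure branch. It may also be worth setting `*perr` or relying on the log line from `_encryptPassword:` so an unsupported scheme can be told apart from a rejected bind. On style, the added lines are space-indented inside a tab-indented block, and `NSString* encryptedPass` and `if(` differ from the `NSString *` / `if (` spacing of the surrounding code.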
diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m
index 2c50913..d3ceeca 100644
--- a/SoObjects/SOGo/SQLSource.m
+++ b/SoObjects/SOGo/SQLSource.m
@@ -187,7 +187,10 @@
   pass = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm];
 
   if (pass == nil)
-    [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm];
+    {
+      [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm];
+      return nil;
+    }
 
   if (_prependPasswordScheme)
     result = [NSString stringWithFormat: @"{%@}%@", _userPasswordAlgorithm, pass];
@@ -308,18 +311,20 @@
   NSString *sqlstr;
   BOOL didChange;
   BOOL isOldPwdOk;
-  
+
   isOldPwdOk = NO;
   didChange = NO;
-  
+
   // Verify current password
   isOldPwdOk = [self checkLogin:login password:oldPassword perr:perr expire:0 grace:0];
-  
+
   if (isOldPwdOk)
     {
       // Encrypt new password
       NSString *encryptedPassword = [self _encryptPassword: newPassword];
-      
+      if(encryptedPassword == nil)
+        return NO;
+
       // Save new password
       login = [login stringByReplacingString: @"'"  withString: @"''"];
       cm = [GCSChannelManager defaultChannelManager];
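Review bot: The new early `return NO` on a nil `encryptedPassword` leaves `*perr` as `checkLogin:` set it, so the caller sees a failed change with nothing to show that the configured scheme was the cause; what `checkLogin:` writes to `perr` is outside the hunk. Consider setting an appropriate policy error before returning. Separately, `login` is escaped by doubling single quotes just after the new check, which suggests the statement below the hunk is built by string formatting. If so, confirm that `encryptedPassword` is escaped the same way or bound as a parameter, since a scheme that leaves the password text unchanged could carry a quote into the statement. The added `if(` also lacks the space used by `if (isOldPwdOk)` a few lines above.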
-- 
1.8.0

