Drop default admin password '12345'

Now generate one and store in 'data/_data_/_default_/admin_password.txt' And instructions at https://snappymail.eu/install.html
2025-01-21 14:22:23 +08:00 · 2021-04-08 12:11:06 +02:00 · 2021-04-08 12:11:06 +02:00 · 8ef00edb86
commit 8ef00edb86
parent ff13ff688c
3 changed files with 21 additions and 5 deletions
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
@ -1101,6 +1101,16 @@ class Actions

 		$oSettings = null;

+		$passfile = APP_PRIVATE_DATA.'admin_password.txt';
+		$sPassword = $oConfig->Get('security', 'admin_password', '');
+		if (!$sPassword) {
+			$sPassword = \substr(\base64_encode(\random_bytes(16)), 0, 12);
+			\file_put_contents($passfile, $sPassword);
+			\chmod($passfile, 0600);
+			$oConfig->SetPassword($sPassword);
+			$oConfig->Save();
+		}
+
 		if (!$bAdmin) {
 			$oAccount = $this->getAccountFromToken(false);
 			if ($oAccount) {
@ -1194,7 +1204,7 @@ class Actions
 				$aResult['ContactsPdoUser'] = (string)$oConfig->Get('contacts', 'pdo_user', '');
 				$aResult['ContactsPdoPassword'] = (string)APP_DUMMY;

-				$aResult['WeakPassword'] = (bool)$oConfig->ValidatePassword('12345');
+				$aResult['WeakPassword'] = \is_file($passfile);

 				$aResult['PhpUploadSizes'] = array(
 					'upload_max_filesize' => \ini_get('upload_max_filesize'),
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php
@ -255,6 +255,8 @@ trait Admin
 			$this->Logger()->AddSecret($sNewPassword);
 		}

+		$passfile = APP_PRIVATE_DATA.'admin_password.txt';
+
 		if ($oConfig->ValidatePassword($sPassword))
 		{
 			if (0 < \strlen($sLogin))
@ -265,13 +267,17 @@ trait Admin
 			if (0 < \strlen(\trim($sNewPassword)))
 			{
 				$oConfig->SetPassword($sNewPassword);
+				if (\is_file($passfile) && \trim(\file_get_contents($passfile)) !== $sNewPassword) {
+					\unlink($passfile);
+				}
 			}

-			$bResult = true;
+			$bResult = $oConfig->Save();
 		}

-		return $this->DefaultResponse(__FUNCTION__, $bResult ?
-			($oConfig->Save() ? array('Weak' => $oConfig->ValidatePassword('12345')) : false) : false);
+		return $this->DefaultResponse(__FUNCTION__, $bResult
+			? array('Weak' => \is_file($passfile))
+			: false);
 	}

 	public function DoAdminDomainLoad() : array
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
@ -158,7 +158,7 @@ class Application extends \RainLoop\Config\AbstractConfig
 				'openpgp'                    => array(false),

 				'admin_login'                => array('admin', 'Login and password for web admin panel'),
-				'admin_password'             => array(\password_hash('12345', PASSWORD_DEFAULT)),
+				'admin_password'             => array(''),
 				'allow_admin_panel'          => array(true, 'Access settings'),
 				'allow_two_factor_auth'      => array(false),
 				'force_two_factor_auth'      => array(false),