From 8ef00edb86fed6f9ab1dc518d90fe883bebeace0 Mon Sep 17 00:00:00 2001
From: djmaze
Date: Thu, 8 Apr 2021 12:11:06 +0200
Subject: [PATCH] Drop default admin password '12345'

Now generate one and store in 'data/_data_/_default_/admin_password.txt'
And instructions at https://snappymail.eu/install.html
---
 .../v/0.0.0/app/libraries/RainLoop/Actions.php | 12 +++++++++++-
 .../v/0.0.0/app/libraries/RainLoop/Actions/Admin.php | 12 +++++++++---
 .../app/libraries/RainLoop/Config/Application.php | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
index 2ef08dc68..8941206b3 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php
@@ -1101,6 +1101,16 @@ class Actions
 
 		$oSettings = null;
 
+		$passfile = APP_PRIVATE_DATA.'admin_password.txt';
+		$sPassword = $oConfig->Get('security', 'admin_password', '');
+		if (!$sPassword) {
+			$sPassword = \substr(\base64_encode(\random_bytes(16)), 0, 12);
+			\file_put_contents($passfile, $sPassword);
+			\chmod($passfile, 0600);
+			$oConfig->SetPassword($sPassword);
+			$oConfig->Save();
+		}
+
 		if (!$bAdmin) {
 			$oAccount = $this->getAccountFromToken(false);
 			if ($oAccount) {
@@ -1194,7 +1204,7 @@ class Actions
 		$aResult['ContactsPdoUser'] = (string)$oConfig->Get('contacts', 'pdo_user', '');
 		$aResult['ContactsPdoPassword'] = (string)APP_DUMMY;
 
-		$aResult['WeakPassword'] = (bool)$oConfig->ValidatePassword('12345');
+		$aResult['WeakPassword'] = \is_file($passfile);
 
 		$aResult['PhpUploadSizes'] = array(
 			'upload_max_filesize' => \ini_get('upload_max_filesize'),
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php
index 8ba997b16..f7255d28f 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/Admin.php
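Review bot: In the `if (!$sPassword)` branch the plaintext password is written with `\file_put_contents($passfile, $sPassword)` under the process umask and only narrowed to 0600 afterwards by `\chmod`, so on the common 022 umask the file is briefly world-readable, and a failed write (`file_put_contents` returning false on an unwritable data directory) goes unnoticed while `SetPassword`/`Save` still persist a password nobody was ever shown. Creating the file restrictive from the start and persisting the config only once the write succeeded covers both; the value itself (`random_bytes` through base64) is fine. The enclosing function starts before and ends after this hunk, and `$passfile` is reused further down in it, so the variable must stay in scope. Whether an empty stored value is rejected by `ValidatePassword` on the retry path is not visible here and should be confirmed.
```php
if (!$sPassword) {
	$sPassword = \substr(\base64_encode(\random_bytes(16)), 0, 12);
	// create the file 0600 from the start instead of write-then-chmod
	$iOldUmask = \umask(0077);
	$bWritten = false !== \file_put_contents($passfile, $sPassword, LOCK_EX);
	\umask($iOldUmask);
	if ($bWritten) {
		$oConfig->SetPassword($sPassword);
		$oConfig->Save();
	} else {
		// keep the config untouched so the next request retries, but make the failure visible
		\error_log("SnappyMail: cannot write {$passfile}, admin password not generated");
	}
}
// … unchanged: $bAdmin / account lookup …
```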
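Review bot: `$aResult['WeakPassword'] = \is_file($passfile);` drops the previous `ValidatePassword('12345')` test, so an upgraded install whose config still holds the hashed `12345` default (a non-empty `admin_password`, hence never regenerated by the block earlier in this function) stops being warned about it. Keeping both conditions, `$aResult['WeakPassword'] = \is_file($passfile) || $oConfig->ValidatePassword('12345');`, preserves the warning for those installs while still flagging a generated password that is still sitting on disk. The enclosing function starts before and ends after this hunk.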
@@ -255,6 +255,8 @@ trait Admin
 			$this->Logger()->AddSecret($sNewPassword);
 		}
 
+		$passfile = APP_PRIVATE_DATA.'admin_password.txt';
+
 		if ($oConfig->ValidatePassword($sPassword))
 		{
 			if (0 < \strlen($sLogin))
@@ -265,13 +267,17 @@ trait Admin
 			if (0 < \strlen(\trim($sNewPassword)))
 			{
 				$oConfig->SetPassword($sNewPassword);
+				if (\is_file($passfile) && \trim(\file_get_contents($passfile)) !== $sNewPassword) {
+					\unlink($passfile);
+				}
 			}
 
-			$bResult = true;
+			$bResult = $oConfig->Save();
 		}
 
-		return $this->DefaultResponse(__FUNCTION__, $bResult ?
-			($oConfig->Save() ? array('Weak' => $oConfig->ValidatePassword('12345')) : false) : false);
+		return $this->DefaultResponse(__FUNCTION__, $bResult
+			? array('Weak' => \is_file($passfile))
+			: false);
 	}
 
 	public function DoAdminDomainLoad() : array
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
index 0548107fe..962d296ef 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php
@@ -158,7 +158,7 @@ class Application extends \RainLoop\Config\AbstractConfig
 				'openpgp' => array(false),
 
 				'admin_login' => array('admin', 'Login and password for web admin panel'),
-				'admin_password' => array(\password_hash('12345', PASSWORD_DEFAULT)),
+				'admin_password' => array(''),
 				'allow_admin_panel' => array(true, 'Access settings'),
 				'allow_two_factor_auth' => array(false),
 				'force_two_factor_auth' => array(false),
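Review bot: `array('Weak' => \is_file($passfile))` in the return has the same gap as the matching change in Actions.php: an upgraded install whose config still holds the hashed `12345` is no longer reported as weak after a password update, because no file was ever generated for it; `'Weak' => \is_file($passfile) || $oConfig->ValidatePassword('12345')` keeps that signal. The `\unlink` branch deliberately leaves the plaintext file in place when the admin re-enters the generated password, which a reader will not guess from the condition alone; a one-line comment above it, `// the generated password stays on disk until the admin replaces it with a different one`, would record the intent. The enclosing method starts before this hunk.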
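Review bot: With `'admin_password' => array('')` a fresh install's config holds an empty admin password until AppData has run once and generated one; whether `ValidatePassword` rejects an empty stored value rather than matching it is not visible in this diff and should be confirmed, since an admin-login request that arrives before the first AppData call would otherwise be checked against it. Unlike `admin_login`, the entry also carries no description text, so the generated config gives no hint where the password went; `'admin_password' => array('', 'Empty until first run: a random password is then generated and written to admin_password.txt in the private data directory')` would document it, assuming the second element is emitted as the ini comment the way the `admin_login` entry suggests.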