Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

password-recover.php 3.1KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
  1. <?php
  2. /**
  3. * Postfix Admin
  4. *
  5. * LICENSE
  6. * This source file is subject to the GPL license that is bundled with
  7. * this package in the file LICENSE.TXT.
  8. *
  9. * Further details on the project are available at http://postfixadmin.sf.net
  10. *
  11. * @version $Id$
  12. * @license GNU GPL v2 or later.
  13. *
  14. * File: password-recover.php
  15. * Used by users and admins to recover their forgotten login password.
  16. * Template File: password-recover.tpl
  17. *
  18. * Template Variables:
  19. *
  20. * none
  21. *
  22. * Form POST \ GET Variables:
  23. *
  24. * fUsername
  25. */
  26. if (preg_match('/\/users\//', $_SERVER['REQUEST_URI'])) {
  27. $rel_path = '../';
  28. $context = 'users';
  29. } else {
  30. $rel_path = './';
  31. $context = 'admin';
  32. }
  33. require_once($rel_path . 'common.php');
  34. if ($context === 'admin' && !Config::read('forgotten_admin_password_reset') || $context === 'users' && !Config::read('forgotten_user_password_reset')) {
  35. die('Password reset is disabled by configuration option: forgotten_admin_password_reset');
  36. }
  37. function sendCodebyEmail($to, $username, $code) {
  38. $url = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']) . '/password-change.php?username=' . urlencode($username) . '&code=' . $code;
  39. return smtp_mail($to, Config::read('admin_email'), Config::Lang('pPassword_welcome'), Config::lang_f('pPassword_recovery_email_body', $url));
  40. }
  41. function sendCodebySMS($to, $username, $code) {
  42. $text = Config::lang_f('pPassword_recovery_sms_body', $code);
  43. if (Config::read('sms_send_function') && is_callable(Config::read('sms_send_function'))) {
  44. $result = call_user_func(Config::read('sms_send_function'), $to, $text);
  45. return $result !== false;
  46. }
  47. return false;
  48. }
  49. if ($_SERVER['REQUEST_METHOD'] === "POST") {
  50. $start_time = microtime(true);
  51. $tUsername = escape_string(safepost('fUsername'));
  52. $handler = $context === 'admin' ? new AdminHandler : new MailboxHandler;
  53. $token = $handler->getPasswordRecoveryCode($tUsername);
  54. if ($token !== false) {
  55. $table = table_by_key($context === 'users' ? 'mailbox' : 'admin');
  56. $result = db_query("SELECT * FROM $table WHERE username='$tUsername'");
  57. $row = db_assoc($result['result']);
  58. $email_other = trim($row['email_other']);
  59. $phone = trim($row['phone']);
  60. if ($email_other) {
  61. sendCodeByEmail($email_other, $tUsername, $token);
  62. }
  63. if ($phone) {
  64. sendCodeBySMS($phone, $tUsername, $token);
  65. }
  66. if ($email_other || $phone) {
  67. header("Location: password-change.php?username=" . $tUsername);
  68. exit(0);
  69. }
  70. }
  71. // throttle password reset requests to prevent brute force attack
  72. $elapsed_time = microtime(true) - $start_time;
  73. if ($elapsed_time < 2 * pow(10, 6)) {
  74. usleep(2 * pow(10, 6) - $elapsed_time);
  75. }
  76. flash_info(Config::Lang('pPassword_recovery_processed'));
  77. }
  78. $smarty->assign('language_selector', language_selector(), false);
  79. $smarty->assign('smarty_template', 'password-recover');
  80. $smarty->display('index.tpl');
  81. /* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */