git subrepo commit (merge) mailcow/src/mailcow-dockerized
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "32243e56"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "e2b4b6f6"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: I51e2016ef5ab88a8b0bdc08551b18f48ceef0aa5
diff --git a/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php b/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
index 3bd19c6..bb2673a 100644
--- a/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
+++ b/mailcow/src/mailcow-dockerized/data/web/sogo-auth.php
@@ -14,7 +14,16 @@
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
- $login_check = check_login($username, $password);
+ $is_eas = false;
+ $is_dav = false;
+ $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';
+ if (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1) {
+ $is_dav = true;
+ }
+ elseif (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {
+ $is_eas = true;
+ }
+ $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
if ($login_check === 'user') {
header("X-User: $username");
header("X-Auth: Basic ".base64_encode("$username:$password"));
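Review bot: The DAV pattern in `preg_match('/^(\/SOGo|)\/dav.*/', $original_uri)` has no delimiter after `dav`, so any path that merely begins with `/dav` sets `$is_dav`, and the trailing `.*` adds nothing since the pattern is not end-anchored; `'/^(?:\/SOGo)?\/dav(?:\/|$)/'` states the intent more precisely, and the same applies to the ActiveSync pattern in the `elseif`. Both patterns are case-sensitive, whereas the SOGo GUI prefix check later in this file uses `strcasecmp`; if nginx can forward mixed-case paths, adding the `i` modifier keeps the two checks consistent. The `$is_dav`/`$is_eas` pair is passed through to `check_login`, whose handling of the new third argument is outside this hunk.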
@@ -34,13 +43,8 @@
$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
// check permissions (if dual_login is active, deny sso when acl is not given)
$login = html_entity_decode(rawurldecode($_GET["login"]));
- if ($ALLOW_ADMIN_EMAIL_LOGIN === 0 && $is_dual === true) {
- header('HTTP/1.0 403 Forbidden');
- echo "Admin login is forbidden";
- exit;
- }
if (isset($_SESSION['mailcow_cc_role']) &&
- ($_SESSION['acl']['login_as'] == "1" || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
+ (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
if (user_get_alias_details($login) !== false) {
// load master password
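Review bot: The new guard `$ALLOW_ADMIN_EMAIL_LOGIN !== 0` on the `login_as` branch denies only when the variable is exactly the integer `0`; if it is unset, `null` or the string `'0'` (its definition is outside this hunk, so its type cannot be confirmed here), the strict comparison is true and the admin SSO path is allowed. A fail-closed form such as `(int) ($ALLOW_ADMIN_EMAIL_LOGIN ?? 0) !== 0` preserves the intended semantics without depending on the variable's type. The removed early exit also produced a distinct `Admin login is forbidden` response; after the fold-in that case falls through to the generic 403 below, which may be intended but loses the diagnostic. The enclosing `if` body continues beyond the hunk.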
@@ -48,6 +52,13 @@
// register username and password in session
$_SESSION[$session_var_user_allowed][] = $login;
$_SESSION[$session_var_pass] = $sogo_sso_pass;
+ // update sasl logs
+ $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
+ $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
+ $stmt->execute(array(
+ ':username' => $login,
+ ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+ ));
// redirect to sogo (sogo will get the correct credentials via nginx auth_request
header("Location: /SOGo/so/${login}");
exit;
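Review bot: `$service` is assigned on the first added line but never used — the prepared statement hard-codes `'SSO'` as the service column — so it is dead code, and it reads `$app_passwd_data['eas']`, which is not defined anywhere visible in this SSO branch and would emit an undefined-variable/index warning if nothing sets it earlier (any definition is outside the hunk). Either drop that line or bind it: `VALUES (:service, 0, :username, :remote_addr)` with `':service' => $service` added to the execute array. Binding `:username` and `:remote_addr` as parameters is the right approach; `$_SERVER['HTTP_X_REAL_IP']` is only trustworthy when the fronting nginx sets it and the PHP backend is not reachable directly, which deserves a one-line comment on that line, e.g. `// X-Real-IP is set by the fronting nginx; the backend must not be exposed directly`. The surrounding `if` blocks start and end outside the hunk.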
@@ -55,13 +66,11 @@
}
}
header('HTTP/1.0 403 Forbidden');
- echo "Access is forbidden";
+ echo "Forbidden";
exit;
}
// only check for admin-login on sogo GUI requests
-elseif (
- strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0
-) {
+elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {
// this is an nginx auth_request call, we check for existing sogo-sso session variables
session_start();
// extract email address from "/SOGo/so/user@domain/xy"
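Review bot: The rewritten `elseif` folds an `isset` guard together with `strcasecmp(substr(...), 0, 9)` on one long line; the same case-insensitive prefix test reads more directly as `elseif (stripos($_SERVER['HTTP_X_ORIGINAL_URI'] ?? '', '/SOGo/so/') === 0) {`, which removes the magic length 9 and the separate guard while keeping behaviour identical. Whichever form is kept, a short comment naming the header's origin (nginx `auth_request`) would help readers of this branch. The `elseif` body continues outside the hunk.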