										 | <?php | ||
|  | use function Hestiacp\quoteshellarg\quoteshellarg; | ||
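// Mail account password change endpoint.
//
// Expects a POST request with "email" (account@domain), "password" (current password) and
// "new" (new password). Prints "==ok==" on success, otherwise a line starting with "error".
//
// NOTE(review): both flags below are defined before inc/main.php is included, presumably so the
// include skips the panel's session check - confirm in inc/main.php. If so, the only gates on
// this script are the source-address allowlist and the check of the current password; no
// attempt limiting is visible in this file.
define("NO_AUTH_REQUIRED", true);
define("NO_AUTH_REQUIRED2", true);
header("Content-Type: text/plain; charset=utf-8");

include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";

// Source-address allowlist: loopback, the server's own address, and every address (or its NAT
// mapping) reported by v-list-sys-ips. Everything else gets an empty response.
$ip = $_SERVER["REMOTE_ADDR"] ?? "";
if (!is_string($ip) || $ip === "") {
	// Without a usable peer address nothing can be matched; fail closed.
	exit();
}
$ok = $ip === "127.0.0.1" || $ip === ($_SERVER["SERVER_ADDR"] ?? null);

if (!$ok) {
	exec(HESTIA_CMD . "v-list-sys-ips json", $ips_output, $return_var);
	$sys_ips = json_decode(implode("", $ips_output), true);
	// json_decode() returns null on malformed or empty output; treat that as "no known addresses".
	if (is_array($sys_ips)) {
		foreach ($sys_ips as $sys_ip => $sys_ip_data) {
			$nat = is_array($sys_ip_data) ? $sys_ip_data["NAT"] ?? "" : "";
			// Strict comparison, and an empty NAT field never matches anything.
			if ($ip === (string) $sys_ip || ($nat !== "" && $ip === $nat)) {
				$ok = true;
				break;
			}
		}
	}
}
if (!$ok) {
	exit();
}

// Refuse requests carrying proxy headers. Presumably this is because a request relayed by a
// local reverse proxy would show the proxy's address as REMOTE_ADDR and pass the allowlist.
// NOTE(review): this only helps if the front proxy always sets one of these headers - confirm.
if (isset($_SERVER["HTTP_X_REAL_IP"]) || isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
	exit();
}

// Check arguments: each field must be a non-empty string (array-valued POST fields are rejected
// here instead of reaching explode()/password_verify()).
$required_fields = [
	"email" => "error email address not provided",
	"password" => "error old password not provided",
	"new" => "error new password not provided",
];
foreach ($required_fields as $field => $message) {
	$value = $_POST[$field] ?? null;
	if (!is_string($value) || empty($value)) {
		echo $message;
		exit();
	}
}

// Split account@domain; exactly one "@" with text on both sides is required so that neither
// part is missing when it is passed to the commands below.
$email_parts = explode("@", $_POST["email"]);
if (count($email_parts) !== 2 || $email_parts[0] === "" || $email_parts[1] === "") {
	echo "error invalid email address";
	exit();
}
// Both parts end up in shell command lines, so they are quoted once here and reused.
$v_account = quoteshellarg($email_parts[0]);
$v_domain = quoteshellarg($email_parts[1]);
$v_password = $_POST["password"];

// Get domain owner
exec(HESTIA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $owner_output, $return_var);
if ($return_var !== 0 || empty($owner_output[0])) {
	echo "error domain owner not found";
	exit();
}
$v_user = $owner_output[0];

// Get current password hash (called "md5" for legacy reasons, it's not guaranteed to be md5)
exec(
	HESTIA_CMD .
		"v-get-mail-account-value " .
		quoteshellarg($v_user) .
		" " .
		$v_domain .
		" " .
		$v_account .
		" 'md5'",
	$hash_output,
	$return_var,
);
if ($return_var !== 0 || empty($hash_output[0])) {
	echo "error unable to get current account password hash";
	exit();
}
$v_hash = $hash_output[0];

// v_hash uses the doveadm password hash format, which is basically {HASH_NAME}normal_crypt_format,
// so the {HASH_NAME} prefix is removed before asking password_verify() whether the password matches.
$hash_parts = explode("}", $v_hash, 2);
$hash_for_password_verify = end($hash_parts);
if (!password_verify($v_password, $hash_for_password_verify)) {
	echo "error old password does not match";
	exit();
}

// Change password. The new password is handed over through a temporary file, so only the file
// path appears on the command line, not the password itself.
// NOTE(review): a new password containing a line break would span several lines in that file;
// how v-change-mail-account-password reads the file is not visible here - confirm.
$fp = tmpfile();
if ($fp === false) {
	echo "error unable to create temporary file";
	exit();
}
$new_password_file = stream_get_meta_data($fp)["uri"];
fwrite($fp, $_POST["new"] . "\n");
// Make sure the content is on disk before the external command opens the file.
fflush($fp);
exec(
	HESTIA_CMD .
		"v-change-mail-account-password " .
		quoteshellarg($v_user) .
		" " .
		$v_domain .
		" " .
		$v_account .
		" " .
		quoteshellarg($new_password_file),
	$change_output,
	$return_var,
);
// Closing the handle removes the temporary file.
fclose($fp);
if ($return_var === 0) {
	echo "==ok==";
	exit();
}
echo "error v-change-mail-account-password returned non-zero: " . $return_var;
exit();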