You can not select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
					
					
						
							118 lines
						
					
					
						
							2.8 KiB
						
					
					
				
			
		
		
	
	
							118 lines
						
					
					
						
							2.8 KiB
						
					
					
				| <?php
 | |
| use function Hestiacp\quoteshellarg\quoteshellarg;
 | |
| // Init
 | |
| define("NO_AUTH_REQUIRED", true);
 | |
| define("NO_AUTH_REQUIRED2", true);
 | |
| header("Content-Type: text/plain; charset=utf-8");
 | |
| 
 | |
| include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
 | |
| 
 | |
| // Checking IP of incoming connection, checking is it NAT address
 | |
| $ok = 0;
 | |
| $ip = $_SERVER["REMOTE_ADDR"];
 | |
| 
 | |
| exec(HESTIA_CMD . "v-list-sys-ips json", $output, $return_var);
 | |
| $output = implode("", $output);
 | |
| $arr = json_decode($output, true);
 | |
| foreach ($arr as $arr_key => $arr_val) {
 | |
| 	// search for NAT IPs and allow them
 | |
| 	if ($ip == $arr_key || $ip == $arr_val["NAT"]) {
 | |
| 		$ok = 1;
 | |
| 		break;
 | |
| 	}
 | |
| }
 | |
| if ($ip == $_SERVER["SERVER_ADDR"]) {
 | |
| 	$ok = 1;
 | |
| }
 | |
| if ($ip == "127.0.0.1") {
 | |
| 	$ok = 1;
 | |
| }
 | |
| if ($ok == 0) {
 | |
| 	exit();
 | |
| }
 | |
| if (isset($_SERVER["HTTP_X_REAL_IP"]) || isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
 | |
| 	exit();
 | |
| }
 | |
| 
 | |
| // Check arguments
 | |
| 
 | |
| if (empty($_POST["email"])) {
 | |
| 	echo "error email address not provided";
 | |
| 	exit();
 | |
| }
 | |
| if (empty($_POST["password"])) {
 | |
| 	echo "error old password provided";
 | |
| 	exit();
 | |
| }
 | |
| if (empty($_POST["new"])) {
 | |
| 	echo "error new password not provided";
 | |
| 	exit();
 | |
| }
 | |
| 
 | |
| [$v_account, $v_domain] = explode("@", $_POST["email"]);
 | |
| $v_domain = quoteshellarg($v_domain);
 | |
| $v_account = quoteshellarg($v_account);
 | |
| $v_password = $_POST["password"];
 | |
| 
 | |
| // Get domain owner
 | |
| exec(HESTIA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $output, $return_var);
 | |
| if ($return_var != 0 || empty($output[0])) {
 | |
| 	echo "error domain owner not found";
 | |
| 	exit();
 | |
| }
 | |
| $v_user = $output[0];
 | |
| unset($output);
 | |
| 
 | |
| // Get current password hash (called "md5" for legacy reasons, it's not guaranteed to be md5)
 | |
| exec(
 | |
| 	HESTIA_CMD .
 | |
| 		"v-get-mail-account-value " .
 | |
| 		quoteshellarg($v_user) .
 | |
| 		" " .
 | |
| 		$v_domain .
 | |
| 		" " .
 | |
| 		$v_account .
 | |
| 		" 'md5'",
 | |
| 	$output,
 | |
| 	$return_var,
 | |
| );
 | |
| if ($return_var != 0 || empty($output[0])) {
 | |
| 	echo "error unable to get current account password hash";
 | |
| 	exit();
 | |
| }
 | |
| $v_hash = $output[0];
 | |
| unset($output);
 | |
| 
 | |
| // v_hash use doveadm password hash format, which is basically {HASH_NAME}normal_crypt_format,
 | |
| // so we just need to remove the {HASH_NAME} before we can ask password_verify if its correct or not.
 | |
| $hash_for_password_verify = explode("}", $v_hash, 2);
 | |
| $hash_for_password_verify = end($hash_for_password_verify);
 | |
| if (!password_verify($v_password, $hash_for_password_verify)) {
 | |
| 	die("error old password does not match");
 | |
| }
 | |
| 
 | |
| // Change password
 | |
| $fp = tmpfile();
 | |
| $new_password_file = stream_get_meta_data($fp)["uri"];
 | |
| fwrite($fp, $_POST["new"] . "\n");
 | |
| exec(
 | |
| 	HESTIA_CMD .
 | |
| 		"v-change-mail-account-password " .
 | |
| 		quoteshellarg($v_user) .
 | |
| 		" " .
 | |
| 		$v_domain .
 | |
| 		" " .
 | |
| 		$v_account .
 | |
| 		" " .
 | |
| 		quoteshellarg($new_password_file),
 | |
| 	$output,
 | |
| 	$return_var,
 | |
| );
 | |
| fclose($fp);
 | |
| if ($return_var == 0) {
 | |
| 	echo "==ok==";
 | |
| 	exit();
 | |
| }
 | |
| echo "error v-change-mail-account-password returned non-zero: " . $return_var;
 | |
| exit();
 |