rc1: vendor/pear/net_sieve/Sieve.php comparison

comparison vendor/pear/net_sieve/Sieve.php @ 35:05c4c32948af

.hgignore: add vendor tree composer.json: new packages plugins/thunderbird_labels/thunderbird_labels.php: change hook and RFC822 use wrt whitelisting to avoid deprecated stuff index.php: commented debugging hooks others: new releases of vendor packages?

author	Charlie Root
date	Thu, 30 Aug 2018 16:21:59 -0400
parents	1e000243b222
children

comparison

equal deleted inserted replaced

-:50ac5484d514
+:05c4c32948af
 require_once 'PEAR.php';
 require_once 'Net/Socket.php';
 /**
-* TODO
+* Disconnected state
 *
-* o supportsAuthMech()
-*/
-/**
-* Disconnected state
 * @const NET_SIEVE_STATE_DISCONNECTED
 */
 define('NET_SIEVE_STATE_DISCONNECTED', 1, true);
 /**
 * Authorisation state
+*
 * @const NET_SIEVE_STATE_AUTHORISATION
 */
 define('NET_SIEVE_STATE_AUTHORISATION', 2, true);
 /**
 * Transaction state
+*
 * @const NET_SIEVE_STATE_TRANSACTION
 */
 define('NET_SIEVE_STATE_TRANSACTION', 3, true);
 * @package   Net_Sieve
 * @author    Richard Heyes <richard@phpguru.org>
 * @author    Damian Fernandez Sosa <damlists@cnba.uba.ar>
 * @author    Anish Mistry <amistry@am-productions.biz>
 * @author    Jan Schneider <jan@horde.org>
+* @author    Neil Munday <neil@mundayweb.com>
 * @copyright 2002-2003 Richard Heyes
 * @copyright 2006-2008 Anish Mistry
 * @license   http://www.opensource.org/licenses/bsd-license.php BSD
 * @version   Release: @package_version@
 * @link      http://pear.php.net/package/Net_Sieve
 var $supportedAuthMethods = array(
 'DIGEST-MD5',
 'CRAM-MD5',
 'EXTERNAL',
 'PLAIN' ,
-'LOGIN'
+'LOGIN',
+'GSSAPI'
 );
 /**
 * SASL authentication methods that require Auth_SASL.
 *
 * Maximum number of referral loops
 *
 * @var array
 */
 var $_maxReferralCount = 15;
+/**
+* Kerberos service principal to use for GSSAPI authentication.
+*
+* @var string
+*/
+var $_gssapiPrincipal = null;
+/**
+* Kerberos service cname to use for GSSAPI authentication.
+*
+* @var string
+*/
+var $_gssapiCN = null;
 /**
 * Constructor.
 *
 * Sets up the object, connects to the server and logs in. Stores any
 *                            socket is already open.
 * @param boolean $useTLS     Use TLS if available.
 * @param array   $options    Additional options for
 *                            stream_context_create().
 * @param mixed   $handler    A callback handler for the debug output.
+* @param string  $principal  Kerberos service principal to use
+*                            with GSSAPI authentication.
+* @param string  $cname      Kerberos service cname to use
+*                            with GSSAPI authentication.
 */
 function __construct($user = null, $pass  = null, $host = 'localhost',
 $port = 2000, $logintype = '', $euser = '',
 $debug = false, $bypassAuth = false, $useTLS = true,
-$options = null, $handler = null
+$options = null, $handler = null, $principal = null, $cname = null
 ) {
 $this->_pear = new PEAR();
 $this->_state             = NET_SIEVE_STATE_DISCONNECTED;
 $this->_data['user']      = $user;
 $this->_data['pass']      = $pass;
 $this->_data['euser']     = $euser;
 $this->_sock              = new Net_Socket();
 $this->_bypassAuth        = $bypassAuth;
 $this->_useTLS            = $useTLS;
 $this->_options           = (array) $options;
+$this->_gssapiPrincipal   = $principal;
+$this->_gssapiCN          = $cname;
 $this->setDebug($debug, $handler);
 /* Try to include the Auth_SASL package.  If the package is not
 * available, we disable the authentication methods that depend upon
 * it. */
 $this->_debug = $debug;
 $this->_debug_handler = $handler;
 }
 /**
+* Sets the Kerberos service principal for use with GSSAPI
+* authentication.
+*
+* @param string $principal The Kerberos service principal
+*
+* @return void
+*/
+function setServicePrincipal($principal)
+{
+$this->_gssapiPrincipal = $principal;
+}
+/**
+* Sets the Kerberos service CName for use with GSSAPI
+* authentication.
+*
+* @param string $cname The Kerberos service principal
+*
+* @return void
+*/
+function setServiceCN($cname)
+{
+$this->_gssapiCN = $cname;
+}
+/**
 * Connects to the server and logs in.
 *
 * @return boolean  True on success, PEAR_Error on failure.
 */
 function _handleConnectAndLogin()
 return $res;
 }
 if ($this->_bypassAuth) {
 $this->_state = NET_SIEVE_STATE_TRANSACTION;
+// Reset capabilities
+$this->_parseCapability('');
 } else {
 $this->_state = NET_SIEVE_STATE_AUTHORISATION;
 $res = $this->_doCmd();
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
-}
+// Reset capabilities (use unattended capabilities)
-// Explicitly ask for the capabilities in case the connection is
+$this->_parseCapability($res);
-// picked up from an existing connection.
+}
-$res = $this->_cmdCapability();
-if (is_a($res, 'PEAR_Error')) {
+// Explicitly ask for the capabilities if needed
-return $this->_pear->raiseError(
+if (empty($this->_capability['implementation'])) {
-'Failed to connect, server said: ' . $res->getMessage(), 2
+$res = $this->_cmdCapability();
-);
+if (is_a($res, 'PEAR_Error')) {
+return $this->_pear->raiseError(
+'Failed to connect, server said: ' . $res->getMessage(), 2
+);
+}
 }
 // Check if we can enable TLS via STARTTLS.
 if ($useTLS && !empty($this->_capability['starttls'])
 && function_exists('stream_socket_enable_crypto')
 $res = $this->_cmdAuthenticate($user, $pass, $logintype, $euser);
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
 }
 $this->_state = NET_SIEVE_STATE_TRANSACTION;
 return true;
 }
 /**
 * Returns an indexed array of scripts currently on the server.
 *
-* @return array  Indexed array of scriptnames.
+* @param string $active Will be set to the name of the active script
-*/
+*
-function listScripts()
+* @return array  Indexed array of scriptnames, PEAR_Error on failure
+*/
+function listScripts(&$active = null)
 {
 if (is_array($scripts = $this->_cmdListScripts())) {
+if (isset($scripts[1])) {
+$active = $scripts[1];
+}
 return $scripts[0];
-} else {
+}
-return $scripts;
-}
+return $scripts;
 }
 /**
 * Returns the active script.
 *
 {
 $res = $this->_cmdPutScript($scriptname, $script);
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
 if ($makeactive) {
 return $this->_cmdSetActive($scriptname);
 }
 return true;
 }
 /**
 * Removes a script from the server.
 $res = $this->_doCmd(sprintf('HAVESPACE %s %d', $this->_escape($scriptname), $size));
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
 return true;
 }
 /**
 * Returns the list of extensions the server supports.
 function getExtensions()
 {
 if (NET_SIEVE_STATE_DISCONNECTED == $this->_state) {
 return $this->_pear->raiseError('Not currently connected', 7);
 }
 return $this->_capability['extensions'];
 }
 /**
 * Returns whether the server supports an extension.
 function getAuthMechs()
 {
 if (NET_SIEVE_STATE_DISCONNECTED == $this->_state) {
 return $this->_pear->raiseError('Not currently connected', 7);
 }
 return $this->_capability['sasl'];
 }
 /**
 * Returns whether the server supports an authentication method.
 if (NET_SIEVE_STATE_DISCONNECTED == $this->_state) {
 return $this->_pear->raiseError('Not currently connected', 7);
 }
 $method = trim($this->_toUpper($method));
 if (is_array($this->_capability['sasl'])) {
 foreach ($this->_capability['sasl'] as $sasl) {
 if ($sasl == $method) {
 return true;
 }
 {
 $method = $this->_getBestAuthMethod($userMethod);
 if (is_a($method, 'PEAR_Error')) {
 return $method;
 }
 switch ($method) {
 case 'DIGEST-MD5':
 return $this->_authDigestMD5($uid, $pwd, $euser);
 case 'CRAM-MD5':
 $result = $this->_authCRAMMD5($uid, $pwd, $euser);
 $result = $this->_authPLAIN($uid, $pwd, $euser);
 break;
 case 'EXTERNAL':
 $result = $this->_authEXTERNAL($uid, $pwd, $euser);
 break;
+case 'GSSAPI':
+$result = $this->_authGSSAPI($pwd);
+break;
 default :
 $result = $this->_pear->raiseError(
 $method . ' is not a supported authentication method'
 );
 break;
 $res = $this->_doCmd();
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
-// Query the server capabilities again now that we are authenticated.
 if ($this->_pear->isError($res = $this->_cmdCapability())) {
 return $this->_pear->raiseError(
 'Failed to connect, server said: ' . $res->getMessage(), 2
 );
 }
 )
 );
 }
 /**
+* Authenticates the user using the GSSAPI method.
+*
+* @note the PHP krb5 extension is required and the service principal and cname
+*       must have been set.
+* @see  setServicePrincipal()
+*
+* @return void
+*/
+function _authGSSAPI()
+{
+if (!extension_loaded('krb5')) {
+return $this->_pear->raiseError('The krb5 extension is required for GSSAPI authentication', 2);
+}
+if (!$this->_gssapiPrincipal) {
+return $this->_pear->raiseError('No Kerberos service principal set', 2);
+}
+if (!$this->_gssapiCN) {
+return $this->_pear->raiseError('No Kerberos service CName set', 2);
+}
+putenv('KRB5CCNAME=' . $this->_gssapiCN);
+try {
+$ccache = new KRB5CCache();
+$ccache->open($this->_gssapiCN);
+$gssapicontext = new GSSAPIContext();
+$gssapicontext->acquireCredentials($ccache);
+$token   = '';
+$success = $gssapicontext->initSecContext($this->_gssapiPrincipal, null, null, null, $token);
+$token   = base64_encode($token);
+}
+catch (Exception $e) {
+return $this->_pear->raiseError('GSSAPI authentication failed: ' . $e->getMessage());
+}
+$this->_sendCmd("AUTHENTICATE \"GSSAPI\" {" . strlen($token) . "+}");
+$response = $this->_doCmd($token, true);
+try {
+$challenge = base64_decode(substr($response, 1, -1));
+$gssapicontext->unwrap($challenge, $challenge);
+$gssapicontext->wrap($challenge, $challenge, true);
+}
+catch (Exception $e) {
+return $this->_pear->raiseError('GSSAPI authentication failed: ' . $e->getMessage());
+}
+$response = base64_encode($challenge);
+$this->_sendCmd("{" . strlen($response) . "+}");
+return $this->_sendCmd($response);
+}
+/**
 * Authenticates the user using the LOGIN method.
 *
 * @param string $user  The userid to authenticate as.
 * @param string $pass  The password to authenticate with.
 * @param string $euser The effective uid to authenticate as. Not used.
 {
 $result = $this->_sendCmd('AUTHENTICATE "LOGIN"');
 if (is_a($result, 'PEAR_Error')) {
 return $result;
 }
 $result = $this->_doCmd('"' . base64_encode($user) . '"', true);
 if (is_a($result, 'PEAR_Error')) {
 return $result;
 }
 return $this->_doCmd('"' . base64_encode($pass) . '"', true);
 }
 /**
 * Authenticates the user using the CRAM-MD5 method.
 $result = $this->_sendStringResponse(base64_encode($response));
 if (is_a($result, 'PEAR_Error')) {
 return $result;
 }
 $result = $this->_doCmd('', true);
 if (is_a($result, 'PEAR_Error')) {
 return $result;
 }
 if ($this->_toUpper(substr($result, 0, 2)) == 'OK') {
 return;
 }
 /* We don't use the protocol's third step because SIEVE doesn't allow
 * @param string $pass  The password to authenticate with.
 * @param string $euser The effective uid to authenticate as.
 *
 * @return void
 *
-* @since  1.1.7
+* @since 1.1.7
 */
 function _authEXTERNAL($user, $pass, $euser)
 {
 $cmd = sprintf(
 'AUTHENTICATE "EXTERNAL" "%s"',
 base64_encode(strlen($euser) ? $euser : $user)
 );
 return $this->_sendCmd($cmd);
 }
 /**
 * Removes a script from the server.
 $res = $this->_doCmd(sprintf('DELETESCRIPT %s', $this->_escape($scriptname)));
 if (is_a($res, 'PEAR_Error')) {
 return $res;
 }
 return true;
 }
 /**
 * Retrieves the contents of the named script.
 case 'IMPLEMENTATION':
 $this->_capability['implementation'] = $matches[3];
 break;
 case 'SASL':
-$this->_capability['sasl'] = preg_split('/\s+/', $matches[3]);
+if (!empty($matches[3])) {
+$this->_capability['sasl'] = preg_split('/\s+/', $matches[3]);
+}
 break;
 case 'SIEVE':
-$this->_capability['extensions'] = preg_split('/\s+/', $matches[3]);
+if (!empty($matches[3])) {
+$this->_capability['extensions'] = preg_split('/\s+/', $matches[3]);
+}
 break;
 case 'STARTTLS':
 $this->_capability['starttls'] = true;
 break;
 return $res;
 }
 if (isset($this->_options['ssl']['crypto_method'])) {
 $crypto_method = $this->_options['ssl']['crypto_method'];
-}
+} else {
-else {
 // There is no flag to enable all TLS methods. Net_SMTP
 // handles enabling TLS similarly.
 $crypto_method = STREAM_CRYPTO_METHOD_TLS_CLIENT
 | @STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
 | @STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
 // CAPABILITY response, thus we would wait here forever. Parse the
 // Cyrus version and work around this broken behavior.
 if (!preg_match('/^CYRUS TIMSIEVED V([0-9.]+)/', $this->_capability['implementation'], $matches)
 || version_compare($matches[1], '2.3.10', '>=')
 ) {
-$this->_doCmd();
+$res = $this->_doCmd();
 }
-// Query the server capabilities again now that we are under
+// Reset capabilities (use unattended capabilities)
-// encryption.
+$this->_parseCapability(is_string($res) ? $res : '');
-$res = $this->_cmdCapability();
-if (is_a($res, 'PEAR_Error')) {
+// Query the server capabilities again now that we are under encryption.
-return $this->_pear->raiseError(
+if (empty($this->_capability['implementation'])) {
-'Failed to connect, server said: ' . $res->getMessage(), 2
+$res = $this->_cmdCapability();
-);
+if (is_a($res, 'PEAR_Error')) {
+return $this->_pear->raiseError(
+'Failed to connect, server said: ' . $res->getMessage(), 2
+);
+}
 }
 return true;
 }
 * @return integer  The length of the string.
 */
 function _getLineLength($string)
 {
 if (extension_loaded('mbstring')) {
-return mb_strlen($string, 'latin1');
+return mb_strlen($string, '8bit');
 } else {
 return strlen($string);
 }
 }

Mercurial > hg > rc1

comparison vendor/pear/net_sieve/Sieve.php @ 35:05c4c32948af