From 696ed946bcbd4b5fe210a4c65b6631f67b9e45a4 Mon Sep 17 00:00:00 2001
From: prasad <prasad@vtiger.com>
Date: Fri, 20 Apr 2018 18:00:25 +0530
Subject: [PATCH] Fixes #861: Enforce protection on outgoing server credential
---
 cron/SendReminder.service | 2 +-
 cron/intimateTaskStatus.php | 2 +-
 cron/send_mail.php | 2 +-
 modules/Emails/mail.php | 2 +-
 modules/Migration/schema/710_to_711.php | 3 +++
 modules/Settings/Vtiger/models/Systems.php | 8 +++++++-
 schema/DatabaseSchema.xml | 2 +-
 vtlib/Vtiger/Mailer.php | 2 +-
 8 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/cron/SendReminder.service b/cron/SendReminder.service
index 0f8562d7b..f93347203 100644
--- a/cron/SendReminder.service
+++ b/cron/SendReminder.service
@@ -253,7 +253,7 @@ function send_email($to,$from,$subject,$contents,$mail_server,$mail_server_usern
 else
 $mail->SMTPAuth = false;
 $mail->Username = $mail_server_username ; // SMTP username
-$mail->Password = $mail_server_password ; // SMTP password
+$mail->Password = Vtiger_Functions::fromProtectedText($mail_server_password) ; // SMTP password
 $mail->From = $from;
 $mail->FromName = $initialfrom;
 $log->info("Mail sending process : From Name & email id => '".$initialfrom."','".$from."'");
diff --git a/cron/intimateTaskStatus.php b/cron/intimateTaskStatus.php
index cc6122efb..0e7252d9d 100755
--- a/cron/intimateTaskStatus.php
+++ b/cron/intimateTaskStatus.php
@@ -22,7 +22,7 @@ $mailserveresult = $adb->pquery("SELECT server,server_username,server_password,s
 $mailrow = $adb->fetch_array($mailserveresult);
 $mailserver = $mailrow[0];
 $mailuname = $mailrow[1];
-$mailpwd = $mailrow[2];
+$mailpwd = Vtiger_Functions::fromProtectedText($mailrow[2]);
 $smtp_auth = $mailrow[3];
 // End Email Setup
diff --git a/cron/send_mail.php b/cron/send_mail.php
index 918f3632b..695f79c21 100755
--- a/cron/send_mail.php
+++ b/cron/send_mail.php
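Review bot: The unprotect step is applied to the raw column value here and in the `cron/intimateTaskStatus.php`, `cron/send_mail.php` and `modules/Emails/mail.php` hunks, while the `vtlib/Vtiger/Mailer.php` hunk runs `decode_html()` before `fromProtectedText`; if the save path ever HTML-encodes the stored value, the four readers without the decode would hand an undecodable string to `fromProtectedText` and authenticate with the wrong secret. Five independent call sites that each have to remember `Vtiger_Functions::fromProtectedText(...)` are also easy to miss for the next reader of `vtiger_systems`; a single accessor (for example a `getServerPassword()` on the Systems model, or a helper beside `fromProtectedText`) would keep the decode-then-unprotect order in one place. What `fromProtectedText` returns when a stored value cannot be unprotected is not visible in this patch; if it falls back to the input or an empty string the failure is silent, so logging a non-sensitive marker (never the value) at that point would make a broken mail setup after the upgrade diagnosable. `send_email` starts and ends outside the hunk.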
@@ -42,7 +42,7 @@ function sendmail($to,$from,$subject,$contents,$mail_server,$mail_server_usernam
 else
 $mail->SMTPAuth = false;
 $mail->Username = $mail_server_username ;//$smtp_username; // SMTP username
-$mail->Password = $mail_server_password ;//$smtp_password; // SMTP password
+$mail->Password = Vtiger_Functions::fromProtectedText($mail_server_password);//$smtp_password; // SMTP password
 $mail->From = $from;
 $mail->FromName = $initialfrom;
 $mail->AddAddress($to); // name is optional
diff --git a/modules/Emails/mail.php b/modules/Emails/mail.php
index cb5359cee..911bc30d1 100755
--- a/modules/Emails/mail.php
+++ b/modules/Emails/mail.php
@@ -326,7 +326,7 @@ function setMailServerProperties($mail)
 }
 $mail->Host = $server; // specify main and backup server
 $mail->Username = $username ; // SMTP username
-$mail->Password = $password ; // SMTP password
+$mail->Password = Vtiger_Functions::fromProtectedText($password); // SMTP password
 // To Support TLS
 $serverinfo = explode("://", $server);
diff --git a/modules/Migration/schema/710_to_711.php b/modules/Migration/schema/710_to_711.php
index 118c9656b..bea8a87d5 100644
--- a/modules/Migration/schema/710_to_711.php
+++ b/modules/Migration/schema/710_to_711.php
@@ -17,4 +17,7 @@ if (defined('VTIGER_UPGRADE')) {
 if (in_array('user_hash', $columns)) {
 $db->pquery('ALTER TABLE vtiger_users DROP COLUMN user_hash', array());
 }
+
+// Resizing column to hold wider string value.
+$db->pquery('ALTER TABLE vtiger_systems MODIFY server_password VARCHAR(255)', array());
 }
diff --git a/modules/Settings/Vtiger/models/Systems.php b/modules/Settings/Vtiger/models/Systems.php
index 57c67dc75..d4beccb1e 100644
--- a/modules/Settings/Vtiger/models/Systems.php
+++ b/modules/Settings/Vtiger/models/Systems.php
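Review bot: The 710_to_711 migration only widens `server_password`; every existing `vtiger_systems` row keeps its clear-text credential, so an upgraded install stays unprotected at rest until an administrator happens to re-save the outgoing server settings, which defeats the purpose of the fix for the installs that most need it. The readers in this patch appear to rely on `fromProtectedText` passing unprotected values through unchanged; if that holds, the migration can select the current `server_password` values and write back `Vtiger_Functions::toProtectedText($value)` for each row where `Vtiger_Functions::isProtectedText($value)` is false, which is also safe to rerun. The `MODIFY` is unconditional, which is fine on rerun, but note that MySQL's `MODIFY` replaces the whole column definition, so any nullability or default the column had is reset to the defaults implied by `VARCHAR(255)`; worth confirming that matches `schema/DatabaseSchema.xml`. The comment on the new line should say why the width grows, e.g. `// Widen server_password so the protected (encoded) form of the credential fits.`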
@@ -26,7 +26,13 @@ class Settings_Vtiger_Systems_Model extends Vtiger_Base_Model{
 $id = $this->getId();
 $params = array();
-array_push($params, $this->get('server'),$this->get('server_port'),$this->get('server_username'),$this->get('server_password'),$this->get('server_type'),
+
+$server_password = $this->get('server_password');
+if ($id && !Vtiger_Functions::isProtectedText($server_password)) {
+$server_password = Vtiger_Functions::toProtectedText($server_password);
+}
+
+array_push($params, $this->get('server'),$this->get('server_port'),$this->get('server_username'),$server_password,$this->get('server_type'),
 $this->isSmtpAuthEnabled(),$this->get('server_path'),$this->get('from_email_field'));
 if(empty($id)) {
diff --git a/schema/DatabaseSchema.xml b/schema/DatabaseSchema.xml
index efbe43015..68d7d560e 100644
--- a/schema/DatabaseSchema.xml
+++ b/schema/DatabaseSchema.xml
@@ -1822,7 +1822,7 @@
 <field name="server" type="C" size="100" />
 <field name="server_port" type="I" size="19" />
 <field name="server_username" type="C" size="100" />
-<field name="server_password" type="C" size="100" />
+<field name="server_password" type="C" size="255" />
 <field name="server_type" type="C" size="20" />
 <field name="smtp_auth" type="C" size="5" />
 <field name="server_path" type="C" size="256" />
diff --git a/vtlib/Vtiger/Mailer.php b/vtlib/Vtiger/Mailer.php
index 3c69bc872..8eb3871ec 100644
--- a/vtlib/Vtiger/Mailer.php
+++ b/vtlib/Vtiger/Mailer.php
@@ -52,7 +52,7 @@ class Vtiger_Mailer extends PHPMailer {
 if($adb->num_rows($result)) {
 $this->Host = $adb->query_result($result, 0, 'server');
 $this->Username = decode_html($adb->query_result($result, 0, 'server_username'));
-$this->Password = decode_html($adb->query_result($result, 0, 'server_password'));
+$this->Password = Vtiger_Functions::fromProtectedText(decode_html($adb->query_result($result, 0, 'server_password')));
 $this->SMTPAuth = $adb->query_result($result, 0, 'smtp_auth');
 // To support TLS
-- GitLab
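Review bot: The `$id &&` guard means a record saved for the first time (the `if(empty($id))` insert branch that follows) is written with the clear-text password; only a later update protects it, so a fresh install or a newly added outgoing server keeps the credential unprotected at rest until someone re-saves the settings. Unless `toProtectedText` depends on the record already having an id, which nothing in this hunk suggests, the condition should simply be `if (!Vtiger_Functions::isProtectedText($server_password)) {`. The `isProtectedText` check also means a user-chosen password that happens to match the protected format is stored as-is and later altered by `fromProtectedText`; that is presumably rare if the format uses a distinctive marker, but a short comment on the guard stating that assumption would help the next maintainer. The enclosing method starts before and ends after the hunk.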