+ function password_save()
+ {
+ $rcmail = rcmail::get_instance();
+ $this->load_config();
+
+ $this->add_texts('localization/');
+ $this->register_handler('plugin.body', array($this, 'password_form'));
+ $rcmail->output->set_pagetitle($this->gettext('changepasswd'));
+
+ $confirm = $rcmail->config->get('password_confirm_current');
+ $required_length = intval($rcmail->config->get('password_minimum_length'));
+ $check_strength = $rcmail->config->get('password_require_nonalpha');
+
+ if (($confirm && !isset($_POST['_curpasswd'])) || !isset($_POST['_newpasswd'])) {
+ $rcmail->output->command('display_message', $this->gettext('nopassword'), 'error');
+ }
+ else {
+
+ $charset = strtoupper($rcmail->config->get('password_charset', 'ISO-8859-1'));
+ $rc_charset = strtoupper($rcmail->output->get_charset());
+
+ $curpwd = get_input_value('_curpasswd', RCUBE_INPUT_POST, true, $charset);
+ $newpwd = get_input_value('_newpasswd', RCUBE_INPUT_POST, true);
+ $conpwd = get_input_value('_confpasswd', RCUBE_INPUT_POST, true);
+
+ // check allowed characters according to the configured 'password_charset' option
+ // by converting the password entered by the user to this charset and back to UTF-8
+ $orig_pwd = $newpwd;
+ $chk_pwd = rcube_charset_convert($orig_pwd, $rc_charset, $charset);
+ $chk_pwd = rcube_charset_convert($chk_pwd, $charset, $rc_charset);
+
+ // WARNING: Default password_charset is ISO-8859-1, so conversion will
+ // change national characters. This may disable possibility of using
+ // the same password in other MUA's.
+ // We're doing this for consistence with Roundcube core
+ $newpwd = rcube_charset_convert($newpwd, $rc_charset, $charset);
+ $conpwd = rcube_charset_convert($conpwd, $rc_charset, $charset);
+
+ if ($chk_pwd != $orig_pwd) {
+ $rcmail->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
+ }
+ // other passwords validity checks
+ else if ($conpwd != $newpwd) {
+ $rcmail->output->command('display_message', $this->gettext('passwordinconsistency'), 'error');
+ }
+ else if ($confirm && $rcmail->decrypt($_SESSION['password']) != $curpwd) {
+ $rcmail->output->command('display_message', $this->gettext('passwordincorrect'), 'error');
+ }
+ else if ($required_length && strlen($newpwd) < $required_length) {
+ $rcmail->output->command('display_message', $this->gettext(
+ array('name' => 'passwordshort', 'vars' => array('length' => $required_length))), 'error');
+ }
+ else if ($check_strength && (!preg_match("/[0-9]/", $newpwd) || !preg_match("/[^A-Za-z0-9]/", $newpwd))) {
+ $rcmail->output->command('display_message', $this->gettext('passwordweak'), 'error');
+ }
+ // try to save the password
+ else if (!($res = $this->_save($curpwd, $newpwd))) {
+ $rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');
+
+ // Reset session password
+ $_SESSION['password'] = $rcmail->encrypt($newpwd);
+
+ // Log password change
+ if ($rcmail->config->get('password_log')) {
+ write_log('password', sprintf('Password changed for user %s (ID: %d) from %s',
+ $rcmail->user->get_username(), $rcmail->user->ID, rcmail_remote_ip()));
+ }
+ }
+ else {
+ $rcmail->output->command('display_message', $res, 'error');
+ }
+ }
+
+ rcmail_overwrite_action('plugin.password');
+ $rcmail->output->send('plugin');
+ }