Escape generated password in mobileconfig

Escape ampersand, less than, greater than to avoid generating invalid XML. Fixes #7171
2026-05-11 14:35:24 +00:00 · 2026-05-02 16:24:01 +02:00
10 changed files with 4 additions and 29 deletions
@@ -1035,14 +1035,6 @@ function edit_user_account($_data) {
  // edit password
  $is_forced_pw_update = !empty($_SESSION['pending_pw_update']);
  if (((!empty($password_old) || $is_forced_pw_update) && !empty($_data['user_new_pass']) && !empty($_data['user_new_pass2']))) {
-    if (!$is_forced_pw_update && (!isset($_SESSION['acl']['pw_change']) || $_SESSION['acl']['pw_change'] != "1")) {
-      $_SESSION['return'][] = array(
-        'type' => 'danger',
-        'log' => array(__FUNCTION__, $_data_log),
-        'msg' => 'access_denied'
-      );
-      return false;
-    }
    // Only verify old password if this is NOT a forced password update
    if (!$is_forced_pw_update) {
      $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
@@ -1331,7 +1331,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $_data['quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
            $_data['quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
            $_data['app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-            $_data['pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
            $_data['pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
          } else {
            $_data['spam_alias'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_spam_alias']);
@@ -1348,16 +1347,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $_data['quarantine_notification'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_notification']);
            $_data['quarantine_category'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_category']);
            $_data['app_passwds'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_app_passwds']);
-            $_data['pw_change'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pw_change']);
            $_data['pw_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pw_reset']);
          }

          try {
            $stmt = $pdo->prepare("INSERT INTO `user_acl`
              (`username`, `spam_alias`, `tls_policy`, `spam_score`, `spam_policy`, `delimiter_action`, `syncjobs`, `eas_reset`, `sogo_profile_reset`,
-                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_change`, `pw_reset`)
+                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_reset`)
              VALUES (:username, :spam_alias, :tls_policy, :spam_score, :spam_policy, :delimiter_action, :syncjobs, :eas_reset, :sogo_profile_reset,
-                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_change, :pw_reset) ");
+                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_reset) ");
            $stmt->execute(array(
              ':username' => $username,
              ':spam_alias' => $_data['spam_alias'],
@@ -1374,7 +1372,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              ':quarantine_notification' => $_data['quarantine_notification'],
              ':quarantine_category' => $_data['quarantine_category'],
              ':app_passwds' => $_data['app_passwds'],
-              ':pw_change' => $_data['pw_change'],
              ':pw_reset' => $_data['pw_reset']
            ));
          }
@@ -1795,7 +1792,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
            $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
            $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-            $attr['acl_pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
            $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
          } else {
            $_data['acl'] = (array)$_data['acl'];
@@ -1813,7 +1809,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $attr['acl_quarantine_notification'] = 0;
            $attr['acl_quarantine_category'] = 0;
            $attr['acl_app_passwds'] = 0;
-            $attr['acl_pw_change'] = 0;
          }


@@ -3867,7 +3862,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
              $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
              $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-              $attr['acl_pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
              $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
            } else {
              foreach ($is_now as $key => $value){
@@ -4,7 +4,7 @@ function init_db_schema()
  try {
    global $pdo;

-    $db_version = "16042026_1402";
+    $db_version = "19022026_1220";

    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -513,7 +513,6 @@ function init_db_schema()
          "quarantine_notification" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "quarantine_category" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
-          "pw_change" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "pw_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
        ),
        "keys" => array(
@@ -1479,7 +1478,6 @@ function init_db_schema()
        "acl_quarantine_notification" => 1,
        "acl_quarantine_category" => 1,
        "acl_app_passwds" => 1,
-        "acl_pw_change" => 1,
      )
    );
    $stmt = $pdo->prepare("SELECT id FROM `templates` WHERE `type` = :type AND `template` = :template");
@@ -403,9 +403,6 @@ $(document).ready(function() {
    if (template.acl_app_passwds == 1){
      acl.push("app_passwds");
    }
-    if (template.acl_pw_change == 1){
-      acl.push("pw_change");
-    }
    if (template.acl_pw_reset == 1){
      acl.push("pw_reset");
    }
@@ -14,7 +14,6 @@
        "prohibited": "Untersagt durch Richtlinie",
        "protocol_access": "Ändern der erlaubten Protokolle",
        "pushover": "Pushover",
-        "pw_change": "Passwortänderung erlauben",
        "pw_reset": "Verwalten der E-Mail zur Passwortwiederherstellung erlauben",
        "quarantine": "Quarantäne-Aktionen",
        "quarantine_attachments": "Anhänge aus Quarantäne",
@@ -14,7 +14,6 @@
        "prohibited": "Prohibited by ACL",
        "protocol_access": "Change protocol access",
        "pushover": "Pushover",
-        "pw_change": "Allow password change",
        "pw_reset": "Allow to reset mailcow user password",
        "quarantine": "Quarantine actions",
        "quarantine_attachments": "Quarantine attachments",
@@ -52,7 +52,7 @@ if (isset($_GET['app_password'])) {
  else
      $platform = $_SERVER['HTTP_USER_AGENT'];

-  $password = password_generate();
+  $password = htmlspecialchars(password_generate(), ENT_NOQUOTES);

  $attr = array(
      'app_name' => $platform,
@@ -131,7 +131,6 @@
          <option value="quarantine_notification" {% if template.attributes.acl_quarantine_notification == '1' %} selected{% endif %}>{{ lang.acl["quarantine_notification"] }}</option>
          <option value="quarantine_category" {% if template.attributes.acl_quarantine_category == '1' %} selected{% endif %}>{{ lang.acl["quarantine_category"] }}</option>
          <option value="app_passwds" {% if template.attributes.acl_app_passwds == '1' %} selected{% endif %}>{{ lang.acl["app_passwds"] }}</option>
-          <option value="pw_change" {% if template.attributes.acl_pw_change == '1' %} selected{% endif %}>{{ lang.acl["pw_change"] }}</option>
          <option value="pw_reset" {% if template.attributes.acl_pw_reset == '1' %} selected{% endif %}>{{ lang.acl["pw_reset"] }}</option>
        </select>
      </div>
@@ -172,7 +172,6 @@
                  <option value="quarantine_notification" selected>{{ lang.acl["quarantine_notification"] }}</option>
                  <option value="quarantine_category" selected>{{ lang.acl["quarantine_category"] }}</option>
                  <option value="app_passwds" selected>{{ lang.acl["app_passwds"] }}</option>
-                  <option value="pw_change" selected>{{ lang.acl["pw_change"] }}</option>
                  <option value="pw_reset" selected>{{ lang.acl["pw_reset"] }}</option>
              </select>
            </div>
@@ -108,9 +108,7 @@
          <div class="row">
            <div class="col-12 col-md-3 d-flex"></div>
            <div class="col-12 col-md-9 d-flex flex-wrap">
-              {% if acl.pw_change == 1 %}
              <a class="btn btn-secondary" href="#pwChangeModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a>
-              {% endif %}
              {% if acl.pw_reset == 1 %}
              <a class="btn btn-secondary ms-4" href="#pwRecoveryEmailModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.pw_recovery_email }}</a></p>
              {% endif %}