Dev #268

Merged 57 commits, May 13, 2017

57 commits
a790c2b  Add phpredis  (andryyy, May 5, 2017)
1501df6  Use Redis for DKIM keys, define any selector, auto-merge old keys to …  (andryyy, May 5, 2017)
b3a161f  Keep format  (andryyy, May 6, 2017)
026d2f1  Merge lang files from dev  (andryyy, May 6, 2017)
f02b47a  Enable local IPv6  (mkuron, Apr 17, 2017)
f1571c0  Add ipv6nat container  (mkuron, May 5, 2017)
ecda4fb  Change whitelist for forwarding hosts  (andryyy, May 6, 2017)
fa3a47f  Log to syslog  (andryyy, May 6, 2017)
d614aaf  Add Json logger  (andryyy, May 6, 2017)
8c8bfc0  Add Json log parser for Dovecot and Postfix containers  (andryyy, May 6, 2017)
ae6d7d6  Optionally enable spam filter for forwarding hosts  (mkuron, May 7, 2017)
3c937f7  Add OWASP CSRF Protector, add more secure session handling  (andryyy, May 7, 2017)
a52f15e  Remove submodule, add as common directory  (andryyy, May 7, 2017)
2dd9e1b  Fix hostname detection  (andryyy, May 7, 2017)
2444cd1  Remove duplicated SQL  (mkuron, May 7, 2017)
aa98d86  Sieve rule for tags changed  (andryyy, May 7, 2017)
3b80a1a  Change admin layout, add Postfix logs  (andryyy, May 7, 2017)
7efc720  Merge remote-tracking branch 'origin/dev' into forwardinghosts  (mkuron, May 8, 2017)
519be0d  Merge branch 'forwardinghosts' of github.com:mkuron/mailcow-dockerize…  (mkuron, May 8, 2017)
7931b00  Fix column width  (mkuron, May 8, 2017)
a267a4a  Use DKIM selector from Redis  (andryyy, May 8, 2017)
653d23a  Migrate some settings and DKIM keys to Redis when starting  (andryyy, May 8, 2017)
a18bcce  Minor style changes  (andryyy, May 8, 2017)
cdf7c87  Deleted two http maps, replaced by redis multimaps, much better tag s…  (andryyy, May 8, 2017)
2e6fdba  PHP should depend on Redis  (andryyy, May 8, 2017)
f77c40a  Better log table, some MySQL to Redis migrations, API changes, other …  (andryyy, May 8, 2017)
97dc8d9  Fix modal in admin  (andryyy, May 8, 2017)
5861bec  Merge pull request #256 from mkuron/forwardinghosts  (andryyy, May 8, 2017)
d64ed65  Add multimap and forced actions for forwarded_hosts, removed from set…  (andryyy, May 8, 2017)
74359f6  Use Redis for forwarded_hosts, some fixes  (andryyy, May 8, 2017)
759f21a  Consistent symbol names for forwarding hosts  (mkuron, May 9, 2017)
6ebcac5  Merge pull request #259 from mkuron/patch-1  (andryyy, May 9, 2017)
bbff045  Use API for forwarding hosts  (andryyy, May 9, 2017)
4099b6e  Merge branch 'dev' of https://github.com/mailcow/mailcow-dockerized i…  (andryyy, May 9, 2017)
93046de  Fixes #261  (andryyy, May 9, 2017)
a8e5502  Remove DKIM keys with api  (andryyy, May 9, 2017)
4cb8596  Remove unused and unnamed volume  (andryyy, May 9, 2017)
f582f0f  Various fixes, update u2flib  (andryyy, May 9, 2017)
14a9a1c  A lot of changes... still not finished, use with caution.  (andryyy, May 11, 2017)
a478c50  Change to tabstops  (andryyy, May 11, 2017)
b1d0776  Fix selection in filter field  (andryyy, May 11, 2017)
6cd97c4  Used tabs for indentation in Dockerfiles  (michael-k, May 12, 2017)
15853df  JS changes and fixes  (andryyy, May 13, 2017)
66634b1  Use more alpine images, thanks to K2rool  (andryyy, May 13, 2017)
42445be  Merge pull request #265 from michael-k/indentation  (andryyy, May 13, 2017)
0950985  Merge pull request #203 from mkuron/patch-2  (andryyy, May 13, 2017)
0a90bdc  Fixes #264  (andryyy, May 13, 2017)
d0d0961  [Dockerfiles] Replaced deprecated MAINTAINER with LABEL  (michael-k, May 13, 2017)
9ab9d76  [Dockerfiles] Used best practices for apt-get  (michael-k, May 13, 2017)
85be7aa  [Dockerfiles] Sorted list of packages  (michael-k, May 13, 2017)
559d9dd  [Dockerfiles] Run rm as early as possible  (michael-k, May 13, 2017)
e081a84  [Dockerfiles] Do not keep curl installed  (michael-k, May 13, 2017)
7fd982f  [Dockerfiles] Do not persist DEBIAN_FRONTEND=noninteractive in images  (michael-k, May 13, 2017)
766a986  [Dockerfiles] Do not install both curl and wget  (michael-k, May 13, 2017)
5e53782  Merge pull request #267 from michael-k/dockerfiles  (andryyy, May 13, 2017)
980acb5  Log to redis and file  (andryyy, May 13, 2017)
2291b4e  Added SOGo logs  (andryyy, May 13, 2017)
Add OWASP CSRF Protector, add more secure session handling
andryyy committed May 7, 2017
commit 3c937f75ba5853ada175542d5c4849fb95eb64cd
3 changes: 2 additions & 1 deletion data/web/inc/lib/composer.json
@@ -1,6 +1,7 @@
{
"require": {
"robthree/twofactorauth": "^1.6",
"yubico/u2flib-server": "^1.0"
"yubico/u2flib-server": "^1.0",
"owasp/csrf-protector-php": "dev-master"
}
}
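Review bot: the new dependency is pinned to a moving branch, `"owasp/csrf-protector-php": "dev-master"`, so composer.lock is the only thing holding the library at a specific commit; the next `composer update` pulls whatever upstream master contains at that moment, with no tag or hash reviewed in between. Prefer a tagged release constraint if upstream publishes one, or at least a commit reference in the constraint (`dev-master#<commit>`), so that the revision that was reviewed is the one that gets installed.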
42 changes: 40 additions & 2 deletions data/web/inc/lib/composer.lock

(Generated file; diff not rendered.)

8 changes: 8 additions & 0 deletions data/web/inc/lib/vendor/composer/autoload_classmap.php
@@ -6,6 +6,14 @@
$baseDir = dirname($vendorDir);

return array(
'alreadyInitializedException' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'baseJSFileNotFoundExceptio' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'configFileNotFoundException' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'csrfProtector' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'incompleteConfigurationException' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'jsFileNotFoundException' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'logDirectoryNotFoundException' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'logFileWriteError' => $vendorDir . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'u2flib_server\\Error' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
'u2flib_server\\RegisterRequest' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
'u2flib_server\\Registration' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
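Review bot: this file is generated and needs no hand edits, but it records what the library brings in: a set of global, unnamespaced class names (`csrfProtector` plus its exception classes), one of which is misspelled upstream as `baseJSFileNotFoundExceptio`. The subclass added to `prerequisites.inc.php` in this same commit is declared as `extends csrfprotector`, which only resolves because PHP class names are case-insensitive; spell the parent class `csrfProtector` as the classmap does so the reference is greppable.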
8 changes: 8 additions & 0 deletions data/web/inc/lib/vendor/composer/autoload_static.php
@@ -21,6 +21,14 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
);

public static $classMap = array (
'alreadyInitializedException' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'baseJSFileNotFoundExceptio' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'configFileNotFoundException' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'csrfProtector' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'incompleteConfigurationException' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'jsFileNotFoundException' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'logDirectoryNotFoundException' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'logFileWriteError' => __DIR__ . '/..' . '/owasp/csrf-protector-php/libs/csrf/csrfprotector.php',
'u2flib_server\\Error' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
'u2flib_server\\RegisterRequest' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
'u2flib_server\\Registration' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
38 changes: 38 additions & 0 deletions data/web/inc/lib/vendor/composer/installed.json
@@ -84,5 +84,43 @@
],
"description": "Library for U2F implementation",
"homepage": "https://developers.yubico.com/php-u2flib-server"
},
{
"name": "owasp/csrf-protector-php",
"version": "dev-master",
"version_normalized": "9999999-dev",
"source": {
"type": "git",
"url": "https://github.com/mebjas/CSRF-Protector-PHP.git",
"reference": "aec0d6966992363a7192b2ae9fb0a9643e8fa26b"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/mebjas/CSRF-Protector-PHP/zipball/aec0d6966992363a7192b2ae9fb0a9643e8fa26b",
"reference": "aec0d6966992363a7192b2ae9fb0a9643e8fa26b",
"shasum": ""
},
"require-dev": {
"satooshi/php-coveralls": "~1.0"
},
"time": "2017-04-12T05:47:07+00:00",
"type": "library",
"installation-source": "source",
"autoload": {
"classmap": [
"libs/csrf/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"APACHE"
],
"description": "CSRF protector php, a standalone php library for csrf mitigation in web applications. Easy to integrate in any php web app.",
"homepage": "https://github.com/mebjas/CSRF-Protector-PHP",
"keywords": [
"csrf",
"owasp",
"security"
]
}
]
1 change: 1 addition & 0 deletions data/web/inc/lib/vendor/owasp/csrf-protector-php
Submodule csrf-protector-php added at aec0d6
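Review bot: the library itself is not actually in this commit. `installed.json` shows `"installation-source": "source"` with an empty `"shasum": ""`, meaning Composer cloned the upstream git repository into `vendor/` instead of unpacking a dist archive. That clone carries its own `.git` directory, so `git add` recorded the path as a submodule pointer (`Submodule csrf-protector-php added at aec0d6`) rather than committing the files, and there is no `.gitmodules` entry to go with it. A fresh clone of this repository therefore gets an empty `vendor/owasp/csrf-protector-php/` and the `csrfProtector` class fails to load. Install with `--prefer-dist` before committing `vendor/`, or commit the files directly, as the follow-up commit `Remove submodule, add as common directory` in this PR does.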
35 changes: 17 additions & 18 deletions data/web/inc/prerequisites.inc.php
@@ -1,20 +1,5 @@
<?php
//ini_set("session.cookie_secure", 1);
//ini_set("session.cookie_httponly", 1);
session_start();
if (isset($_POST["logout"])) {
if (isset($_SESSION["dual-login"])) {
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
unset($_SESSION["dual-login"]);
}
else {
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
}
}
require_once 'inc/sessions.inc.php';

require_once 'inc/vars.inc.php';
if (file_exists('./inc/vars.local.inc.php')) {
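Review bot: `require_once 'inc/sessions.inc.php';` now runs before `inc/vars.inc.php` and `vars.local.inc.php` are loaded, but the session bootstrap reads `$GLOBALS['SESSION_LIFETIME']`, which this commit defines in `vars.inc.php` further down this file. At the moment `session_set_cookie_params()` is called the index is undefined, so PHP emits a notice and the cookie lifetime silently becomes 0, a browser-session cookie, rather than the 3600 seconds the new setting intends. Move the `require_once 'inc/sessions.inc.php';` line below the vars includes, or define the lifetime inside `sessions.inc.php`.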
@@ -24,11 +9,25 @@
// Yubi OTP API
require_once 'inc/lib/Yubico.php';

// U2F API + T/HOTP API
// Autoload composer
require_once 'inc/lib/vendor/autoload.php';
$u2f = new u2flib_server\U2F('https://' . $_SERVER['SERVER_NAME']);

// U2F API + T/HOTP API
$u2f = new u2flib_server\U2F('https://' . $_SERVER['HTTP_HOST']);
$tfa = new RobThree\Auth\TwoFactorAuth('mailcow UI');

// OWASP CSRF Protector
$csrfProtector = new csrfProtector;
class mailcowCsrfProtector extends csrfprotector {
public static function logCSRFattack() {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => 'CSRF violation'
);
}
}
mailcowCsrfProtector::init();

// Redis
$redis = new Redis();
$redis->connect('redis-mailcow', 6379);
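Review bot: `$csrfProtector = new csrfProtector;` is dead code; the instance is never used and the library is driven entirely through the static `mailcowCsrfProtector::init()` call that follows, so drop the line. Two smaller points in the same hunk. The U2F AppID now derives from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header, while `sessions.inc.php` binds the session cookie to `$_SERVER['SERVER_NAME']`; pick one canonical hostname for both, and make sure the web server rejects requests for unknown Host values, so the AppID cannot differ from one request to the next. And `logCSRFattack()` only stores a `danger` message in `$_SESSION`; this commit adds no configuration for the library (the classmap shows it expects one, see `configFileNotFoundException`), so confirm what its default failed-validation action does with the blocked request before relying on it.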
58 changes: 58 additions & 0 deletions data/web/inc/sessions.inc.php
@@ -0,0 +1,58 @@
<?php
// Start session
ini_set("session.cookie_httponly", 1);
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
ini_set("session.cookie_secure", 1);
$IS_HTTPS = true;
}
elseif (isset($_SERVER['HTTPS'])) {
ini_set("session.cookie_secure", 1);
$IS_HTTPS = true;
}
else {
$IS_HTTPS = false;
}
session_set_cookie_params($GLOBALS['SESSION_LIFETIME'], '/', $_SERVER['SERVER_NAME'], $IS_HTTPS, true);
session_start();

// Handle logouts
if (isset($_POST["logout"])) {
if (isset($_SESSION["dual-login"])) {
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
unset($_SESSION["dual-login"]);
}
else {
session_regenerate_id(true);
session_unset();
session_destroy();
session_write_close();
header("Location: /");
}
}

// Set session IP and UA
if (!isset($_SESSION['SESS_REMOTE_IP'])) {
$_SESSION['SESS_REMOTE_IP'] = $_SERVER['REMOTE_ADDR'];
}
if (!isset($_SESSION['SESS_REMOTE_UA'])) {
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
}

// Check session
function session_check() {
if (!isset($_SESSION['SESS_REMOTE_IP']) || !isset($_SESSION['SESS_REMOTE_UA'])) {
return false;
}
if ($_SESSION['SESS_REMOTE_IP'] != $_SERVER['REMOTE_ADDR']) {
return false;
}
if ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT']) {
return false;
}
return true;
}
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
exit("Invalid session");
}
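Review bot: the logout branch needs an `exit;` after `header("Location: /");`, otherwise the rest of the page is still generated for a request whose session has just been destroyed; `session_regenerate_id(true)` immediately before `session_destroy()` does nothing useful, and the old `setcookie(session_name(),'',0,'/')` that cleared the cookie in the browser has been dropped. More important, this file is required from `prerequisites.inc.php` before `mailcowCsrfProtector::init()` runs, so a POST carrying `logout` is acted on before any CSRF check: a cross-site form can log an administrator out. Move logout handling after CSRF validation or validate the token here. Three further points. `session_set_cookie_params()` passes `$_SERVER['SERVER_NAME']` as the cookie domain, which makes the cookie valid for every subdomain and, if the server's configured name is a catch-all rather than the real hostname, causes browsers to reject it outright; an empty domain gives the host-only cookie a single-host admin UI wants. `X-Forwarded-Proto` is trusted from any client, and `isset($_SERVER['HTTPS'])` is also true when the server sets `HTTPS=off`; the worst case is only a wrongly set Secure flag, but read the proto header solely when the request comes from the reverse proxy and compare `HTTPS` against `'off'`. Finally, `session_check()` binds the session to `REMOTE_ADDR` and `HTTP_USER_AGENT`: the IP check logs out users whose address changes (mobile networks, proxy pools), the UA check adds little against an attacker who already holds the cookie, and on failure `exit("Invalid session")` leaves the stale session data in place instead of destroying it.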
2 changes: 2 additions & 0 deletions data/web/inc/vars.inc.php
@@ -53,5 +53,7 @@
// Rows until pagination begins
$PAGINATION_SIZE = 10;

// Session lifetime in seconds
$SESSION_LIFETIME = 3600;

?>
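Review bot: `$SESSION_LIFETIME` is only ever passed as the cookie lifetime to `session_set_cookie_params()` in `sessions.inc.php`, so it caps how long the browser keeps the cookie, counted from when the cookie was issued; it does not govern the server-side session, which still expires under PHP's `session.gc_maxlifetime` (1440 seconds by default) and is not refreshed on activity. If a one-hour session is the intent, set `session.gc_maxlifetime` to the same value and re-issue the cookie on each request. Note also that `prerequisites.inc.php` loads this file after `sessions.inc.php`, so the value is still undefined when it is first read. Style: drop the trailing `?>` in a pure-PHP include; any whitespace after it becomes output and can break later `header()` and `setcookie()` calls.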