ISPConfig 2.2.24 | mailuser app bug?

[Hans]

I've installed ISPConfig 2.2.24 on Debian Etch and i've noticed that not all mailusers can change their password within the mailuser application at http://www.example.com:81/mailuser (Of course i enabled "Mailuser login" for the site).

The Administrator mailuser of the website can change the password indeed, but other mailusers which belong to the site can't change their password, while no error message appears!

I've checked this behaviour on two servers with ISPConfig 2.2.24.
Is this a bug? I mean it's really a must that every single mailuser can change their own password, not only the administrator user of the particular site.

If it's not a bug, at least an error message should appear, which informs the user that there is no permission to change the password.

[till]

I guess it must be a bug. There is no reason why non admin users shall not be able to change their password there. I added it to the bugtracker.

[Hans]

Thanks Till for your reply. I do hope it will be fixed soon.

[sonoracomm]

Sorry to be a pest, but I just wanted to find out the status of this issue.

I have (apparently) the same problem with ISPC 2.2.24 on a Centos 5.2 server (yum updated).

I couldn't find the bugtracker...maybe I wasn't supposed to...

Thanks again for this great system!

G

[Hans]

The bugtracker is here. And i do hope that this problem will be fixed indeed soon.

[bolero]

A client just informed me about this problem and I found this thread. This seems indeed to be a bug in 2.2.24 and doesn't depend on using Debian (we use CentOS). This is a really important functionality.
I hope this is really getting fixed soon and a patch made available (it can only be a small coding problem, I really do not want to apply a whole new ISPConfig via upgrade to my slightly customized installations just because of that tiny snippet).
If falko or till could point me to the files that are involved I would look myself and check if I can fix it. Thanks!

Btw, changing the users comment ("name") doesn't work either. It's saved to the db, but not to /etc/passwd. So, it seems that action is either skipped or fails. Should it appear in ispconfig.log if it is attempted?

[bolero]

Ok, here's the fix. It's a stupid confusion about a variable name. The bug is in mailuser/mail/table/user.table.php. "user_name" is actually *not* the "username" (that would be user_username), but the user's name/comment field. Thus it allows many more characters than this check:
"/^[0-9a-zA-Z_\-\.]{0,255}$/"
This check will fail with any normal name as a full name is guaranteed to contain a space. Quick fix:

Code:

$table['user_name'] = array(         'datatype'                 => "VARCHAR",
                                                                          'formtype'                 => "TEXT",
                                                                          'regex'                        => "/^[0-9a-zA-Z_\-\.\s]{0,255}$/",
                                                                          'errmsg'                => "Name contains invalid charcters.",
                                                                          'value'                 => "");

The \s was added by me. This will allow spaces and thus fix this issue for 99%of the situations. The check should be even more loose, though. Could somebody submit the check from version 2.2.23, please? user.table.php should be reverted to that version.

[Hans]

Hereby you receive the user.table.php file from ISPConfig 2.2.23 (mailuser module).

[bolero]

Thanks. The only difference between the two files is what I explained. I suggest not going back to the 2.2.23 version as it doesn't contain any sanity check. Use this check instead:

"/^[^:\r\n\t]{0,255}$/"

This allows almost any character except for colons, line-feeds etc. It should be safe to use that as I think any kind of character except for these should be allowed in /etc/passwd. If you want to be more strict use the check I posted first.

[Hans]

@Bolero,

Thanks for your work so far, but my opinion is that there must be an official bugfix soon, which comes with a patch or ISPConfig 2.2.25.
This bug is really not nice as it is a problem for clients and it is the reason that i've reported this.

In the mean time, problems according the mailuser module are added to the bugtracker:

http://bugtracker.ispconfig.org/inde...ls&task_id=147
http://bugtracker.ispconfig.org/inde...ls&task_id=146