Improve authentication failure detection with word boundaries in regex

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>
Fix sync-jobs with legacy-encoded passwords by implementing UTF-8/Latin-1 retry logic
2026-06-18 20:40:38 +00:00 · 2025-12-15 08:16:49 +00:00 · 2025-12-15 08:15:52 +00:00 · 2025-12-15 08:11:12 +00:00
5 changed files with 58 additions and 49 deletions
@@ -117,51 +117,77 @@ while ($row = $sth->fetchrow_arrayref()) {
  if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }
  my $template = $run_dir . '/imapsync.XXXXXXX';
  my $passfile1 = File::Temp->new(TEMPLATE => $template);
  my $passfile2 = File::Temp->new(TEMPLATE => $template);
  binmode( $passfile1, ":utf8" );
  print $passfile1 "$password1\n";
  print $passfile2 trim($master_pass) . "\n";
  my @custom_params_a = qqw($custom_params);
  my $custom_params_ref = \@custom_params_a;
-  my $generated_cmds = [ "/usr/local/bin/imapsync",
+  # Helper function to run imapsync with a specific encoding for password1
-  "--tmpdir", "/tmp",
+  my $run_imapsync = sub {
-  "--nofoldersizes",
+    my ($encoding) = @_;
-  "--addheader",
+    
-  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+    my $passfile1 = File::Temp->new(TEMPLATE => $template);
-  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
+    
-  ($exclude eq "" ? () : ("--exclude", $exclude)),
+    if ($encoding eq 'utf8') {
-  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
+      binmode( $passfile1, ":utf8" );
-  ($maxage eq "0" ? () : ('--maxage', $maxage)),
+    } elsif ($encoding eq 'latin1') {
-  ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
+      binmode( $passfile1, ":encoding(iso-8859-1)" );
-  ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
+    }
-  ($subscribeall  ne "1" ? () : ('--subscribeall')),
+    
-  ($delete1 ne "1" ? () : ('--delete')),
+    print $passfile1 "$password1\n";
-  ($delete2 ne "1" ? () : ('--delete2')),
+    $passfile1->flush();
-  ($automap ne "1" ? () : ('--automap')),
+
-  ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
+    my $generated_cmds = [ "/usr/local/bin/imapsync",
-  (!defined($enc1) ? () : ($enc1)),
+    "--tmpdir", "/tmp",
-  "--host1", $host1,
+    "--nofoldersizes",
-  "--user1", $user1,
+    "--addheader",
-  "--passfile1", $passfile1->filename,
+    ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
-  "--port1", $port1,
+    ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
-  "--host2", "localhost",
+    ($exclude eq "" ? () : ("--exclude", $exclude)),
-  "--user2", $user2 . '*' . trim($master_user),
+    ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
-  "--passfile2", $passfile2->filename,
+    ($maxage eq "0" ? () : ('--maxage', $maxage)),
-  ($dry eq "1" ? ('--dry') : ()),
+    ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
-  '--no-modulesversion',
+    ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
-  '--noreleasecheck'];
+    ($subscribeall  ne "1" ? () : ('--subscribeall')),
    ($delete1 ne "1" ? () : ('--delete')),
    ($delete2 ne "1" ? () : ('--delete2')),
    ($automap ne "1" ? () : ('--automap')),
    ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
    (!defined($enc1) ? () : ($enc1)),
    "--host1", $host1,
    "--user1", $user1,
    "--passfile1", $passfile1->filename,
    "--port1", $port1,
    "--host2", "localhost",
    "--user2", $user2 . '*' . trim($master_user),
    "--passfile2", $passfile2->filename,
    ($dry eq "1" ? ('--dry') : ()),
    '--no-modulesversion',
    '--noreleasecheck'];
    my $stdout;
    run [@$generated_cmds, @$custom_params_ref], '&>', \$stdout;
    return $stdout;
  };
  try {
    $is_running = $dbh->prepare("UPDATE imapsync SET is_running = 1, success = NULL, exit_status = NULL WHERE id = ?");
    $is_running->bind_param( 1, ${id} );
    $is_running->execute();
-    run [@$generated_cmds, @$custom_params_ref], '&>', \my $stdout;
+    # First attempt with UTF-8 encoding (default behavior)
    my $stdout = $run_imapsync->('utf8');
    # Check if authentication failed
    my $auth_failed = ($stdout =~ /\b(LOGIN failed|authentication failed|AUTHENTICATIONFAILED)\b/i);
    # If authentication failed with UTF-8, retry with Latin-1 encoding for legacy passwords
    if ($auth_failed) {
      $stdout = $run_imapsync->('latin1');
    }
    # check exit code and status
    ($exit_code, $exit_status) = ($stdout =~ m/Exiting\swith\sreturn\svalue\s(\d+)\s\(([^:)]+)/);
@@ -3397,8 +3397,6 @@ function set_user_loggedin_session($user) {
  session_regenerate_id(true);
  $_SESSION['mailcow_cc_username'] = $user;
  $_SESSION['mailcow_cc_role'] = 'user';
  // Update User-Agent after session regeneration to prevent validation errors
  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
  $_SESSION['sogo-sso-user-allowed'][] = $user;
  $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
@@ -43,9 +43,6 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
  session_unset();
  session_destroy();
  session_start();
  // After destroying session, we need to reset the User-Agent for the new session
  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();
@@ -137,12 +134,6 @@ function session_check() {
    return true;
  }
  if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
      return true;
    }
    $_SESSION['return'][] = array(
      'type' => 'warning',
      'msg' => 'session_ua'
@@ -50,8 +50,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
 		// Update User-Agent after session regeneration to prevent validation errors
 		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
    die();
 	}
@@ -7,8 +7,6 @@ if (!empty($_GET['sso_token'])) {
    session_regenerate_id(true);
    $_SESSION['mailcow_cc_username'] = $username;
    $_SESSION['mailcow_cc_role'] = 'domainadmin';
    // Update User-Agent after session regeneration to prevent validation errors
    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
    header('Location: /domainadmin/mailbox');
  }
 }
@@ -63,8 +61,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
 		// Update User-Agent after session regeneration to prevent validation errors
 		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
    die();
 	}
Author	SHA1	Message	Date
copilot-swe-agent[bot]	d5524689b4	Improve authentication failure detection with word boundaries in regex Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-15 08:16:49 +00:00
copilot-swe-agent[bot]	4e12ba99a0	Fix sync-jobs with legacy-encoded passwords by implementing UTF-8/Latin-1 retry logic Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-15 08:15:52 +00:00
copilot-swe-agent[bot]	9b1540697f	Initial plan	2025-12-15 08:11:12 +00:00