Closed z-e-r-0-t closed 7 months ago
The API in EmailAccounts.add() uses the setting system.passwordcryptfunc
to determine the hash to be used. This setting, when opening the security settings, gets all available password-hashes (see https://github.com/Froxlor/Froxlor/blob/v2.1/actions/admin/settings/210.security.php#L53) , which uses Crypt::getAvailablePasswordHashes() (see https://github.com/Froxlor/Froxlor/blob/v2.1/lib/Froxlor/System/Crypt.php#L97) which only adds available hashes to the select for the setting
So, most likely a hash-algorithm is/was set which became unavailable.
Here's a more "systemwide"-safe solution:
diff --git a/lib/Froxlor/Settings.php b/lib/Froxlor/Settings.php
index dad81814..056ed8ed 100644
--- a/lib/Froxlor/Settings.php
+++ b/lib/Froxlor/Settings.php
@@ -26,6 +26,7 @@
namespace Froxlor;
use Froxlor\Database\Database;
+use Froxlor\System\Crypt;
use PDO;
use PDOStatement;
@@ -159,7 +160,17 @@ class Settings
$result = null;
if (isset(self::$data[$sstr[0]][$sstr[1]])) {
$result = self::$data[$sstr[0]][$sstr[1]];
+
+ // if password-crypt-func is requested, check whether it's (still) available
+ if ($sstr[0] == 'system' && $sstr[1] == 'passwordcryptfunc') {
+ $available_hashes = Crypt::getAvailablePasswordHashes();
+ if (!array_key_exists($result, $available_hashes)) {
+ $result = PASSWORD_DEFAULT;
+ self::Set('system.passwordcryptfunc', $result);
+ }
+ }
}
+
return $result;
}
system.passwordcryptfunc
is set to PASSWORD_BCRYPT
/2y
when the error occurs.
The problem is that the PHP version used doesn't support Argon2. If Argon2 is unsupported the constants PASSWORD_ARGON2I
and PASSWORD_ARGON2ID
aren't defined in PHP -> exception is triggered e.g at https://github.com/Froxlor/Froxlor/blob/dbf83c6f24b4dfdc6749eddc1b4c7e03878b5ae5/lib/Froxlor/Api/Commands/EmailAccounts.php#L160
Yes, you're right. Totally missed that part - your fix seems exactly what is needed
Description
Adding a new mail account on a system without PHP Argon2X support an exception will be triggered.
-> Check if Argon2X is supported in PHP (==constant is defined) before using it.
Type of change
How Has This Been Tested?
Adding a mail account on a system without PHP Argon2X support was possible after patch