Encrypt email_smtp_password (#854)

Fixes #853.
Email_smtp_password is saved encrypted and not as plain text.


Co-authored-by: Tim <TimZ99@users.noreply.github.com>

src/includes/functions.inc.php

@@ -604,7 +604,10 @@ namespace {
             $phpmailer->SMTPSecure = psm_get_conf('email_smtp_security');
 
             $smtp_user = psm_get_conf('email_smtp_username');
-            $smtp_pass = psm_get_conf('email_smtp_password');
+            $smtp_pass = psm_password_decrypt(
+                psm_get_conf('password_encrypt_key'),
+                psm_get_conf('email_smtp_password')
+            );
 
             if ($smtp_user != '' && $smtp_pass != '') {
                 $phpmailer->SMTPAuth = true;

src/includes/psmconfig.inc.php

@@ -30,7 +30,7 @@
 /**
  * Current PSM version
  */
-define('PSM_VERSION', '3.4.6-beta.1');
+define('PSM_VERSION', '3.4.6-beta.2');
 
 /**
  * URL to check for updates. Will not be checked if turned off on config page.

src/psm/Module/Config/Controller/ConfigController.php

@@ -67,7 +67,6 @@ class ConfigController extends AbstractController
         'email_smtp_host',
         'email_smtp_port',
         'email_smtp_username',
-        'email_smtp_password',
         'sms_gateway_username',
         'sms_gateway_password',
         'sms_from',
@@ -75,6 +74,14 @@ class ConfigController extends AbstractController
         'telegram_api_token',
     );
 
+    /**
+     * Fields for saving encrypted.
+     * @var array
+     */
+    protected $encryptedFields = [
+        'email_smtp_password'
+    ];
+
     private $default_tab = 'general';
 
     public function __construct(Database $db, \Twig_Environment $twig)
@@ -177,6 +184,10 @@ class ConfigController extends AbstractController
         foreach ($this->fields as $input_key) {
             $tpl_data[$input_key] = (isset($config[$input_key])) ? $config[$input_key] : '';
         }
+        // encrypted fields
+        foreach ($this->encryptedFields as $encryptedField) {
+            $tpl_data[$encryptedField] = '';
+        }
 
         $tpl_data[$this->default_tab . '_active'] = 'active';
 
@@ -224,6 +235,13 @@ class ConfigController extends AbstractController
                     $clean[$input_key] = $_POST[$input_key];
                 }
             }
+            foreach ($this->encryptedFields as $encryptedField) {
+                $value = filter_input(INPUT_POST, $encryptedField);
+                if ($value !== null && $value !== '') {
+                    $clean[$encryptedField] =  psm_password_encrypt(psm_get_conf('password_encrypt_key'), $value);
+                }
+                // else { leave as is }
+            }
             $language_refresh = ($clean['language'] != psm_get_conf('language'));
             foreach ($clean as $key => $value) {
                 psm_update_conf($key, $value);
@@ -451,6 +469,7 @@ class ConfigController extends AbstractController
             'label_log_retention_period_description' => psm_get_lang('config', 'log_retention_period_description'),
             'label_log_retention_days' => psm_get_lang('config', 'log_retention_days'),
             'label_days' => psm_get_lang('config', 'log_retention_days'),
+            'label_leave_blank' => psm_get_lang('users', 'password_leave_blank'),
 
         );
     }

src/psm/Util/Install/Installer.php

@@ -348,6 +348,9 @@ class Installer
         if (version_compare($version_from, '3.4.6-beta.1', '<')) {
             $this->upgrade346();
         }
+        if (version_compare($version_from, '3.4.6-beta.2', '<')) {
+            $this->upgrade346();
+        }
         psm_update_conf('version', $version_to);
     }
 
@@ -671,8 +674,22 @@ class Installer
         $queries = array();
         $queries[] = "ALTER TABLE `" . PSM_DB_PREFIX . "servers` 
             ADD `ssl_cert_expiry_days` MEDIUMINT(1) UNSIGNED NOT NULL DEFAULT '0' AFTER `warning_threshold_counter`";
-            $queries[] = "ALTER TABLE `" . PSM_DB_PREFIX . "servers` 
+        $queries[] = "ALTER TABLE `" . PSM_DB_PREFIX . "servers` 
             ADD `ssl_cert_expired_time` VARCHAR(255) NULL AFTER `ssl_cert_expiry_days`";
+            
+        if (
+            @psm_password_decrypt(
+                psm_get_conf('password_encrypt_key'),
+                psm_get_conf('email_smtp_password')
+            ) === false
+        ) {
+            // Prevents encrypting the password multiple times.
+            $queries[] = "UPDATE `" . PSM_DB_PREFIX . "config` 
+                SET `value` = '" .
+                psm_password_encrypt(psm_get_conf('password_encrypt_key'), psm_get_conf('email_smtp_password')) .
+                "' WHERE `key` = 'email_smtp_password'";
+            $this->log('SMTP password is now encrypted.');
+        }
         $this->execSQL($queries);
     }
 }

src/templates/default/module/config/config.tpl.html

@@ -99,7 +99,7 @@
                 <!-- email user -->
                 {{ macro.input_field("text", "email_smtp_username", null, "email_smtp_username", label_email_smtp_username, email_smtp_username, label_email_smtp_username, "255") }}
                 <!-- email password -->
-                {{ macro.input_field("password", "email_smtp_password", null, "email_smtp_password", label_email_smtp_password, email_smtp_password, label_email_smtp_password, "255", null, null, null, true) }}
+                {{ macro.input_field("password", "email_smtp_password", null, "email_smtp_password", label_email_smtp_password, email_smtp_password, label_leave_blank, "255", null, null, null, true) }}
                 {{ macro.button_test("testEmail", label_test) }}
                 {{ macro.input_hidden("test_email", "0") }}
                 {{ macro.button_save("email_submit",  label_save) }}