From a7d37da5e11c9343350bece68bf532726d5a73c6 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 7 Jun 2017 10:19:51 +0200
Subject: [PATCH] Improvements in kolab_auth::log_login_error()

- Use "no-session" identifier when there's no session (e.g. syncroton, iRony)
- truncate username input if exceedingly long

---
 plugins/kolab_auth/kolab_auth.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
index f49d108c..12e08169 100644
--- a/plugins/kolab_auth/kolab_auth.php
+++ b/plugins/kolab_auth/kolab_auth.php
@@ -778,6 +778,15 @@ class kolab_auth extends rcube_plugin
         $config = rcube::get_instance()->config;
 
         if ($config->get('log_logins')) {
+            // don't fill the log with complete input, which could
+            // have been prepared by a hacker
+            if (strlen($username) > 256) {
+                $username = substr($username, 0, 256) . '...';
+            }
+            if (strlen($login_as) > 256) {
+                $login_as = substr($login_as, 0, 256) . '...';
+            }
+
             if ($login_as) {
                 $username = sprintf('%s (as user %s)', $username, $login_as);
             }
@@ -786,7 +795,7 @@ class kolab_auth extends rcube_plugin
                 "Failed login for %s from %s in session %s %s",
                 $username,
                 rcube_utils::remote_ip(),
-                session_id(),
+                session_id() ?: 'no-session',
                 $message ? "($message)" : ''
             );
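Review bot: The truncation added in the first hunk is byte-wise, so `substr($username, 0, 256)` can cut a multibyte UTF-8 username in the middle of a character and write an invalid sequence into the log; where mbstring is in scope, `mb_strcut($username, 0, 256)` keeps the cut on a character boundary (or `mb_substr` if a character count is intended). The length cap also does not neutralise control characters in the value, so a CR/LF inside the input would still break the entry across log lines — if that is a concern for this log, stripping `[\x00-\x1F\x7F]` from both values before truncating closes it. Both branches repeat the same four lines; a small private helper taking the value and the limit, e.g. `private function truncate_for_log($value, $max = 256)`, would remove the duplication and give the 256 constant a name. Note that `strlen($login_as)` is called even when `$login_as` is unset/null, which is tolerated on the PHP versions of this era but is deprecated from 8.1 — presumably worth a `(string)` cast. The enclosing log_login_error() method begins above the hunk.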