Skip to content
Advertisement

How to get user’s plain password in PDO class of Sabre DAV?

How can I get hold of the current logged-in user’s plaintext password in the following file of Sabre DAV library?

https://github.com/sabre-io/dav/tree/master/lib/CardDAV/Backend

in Baikal, this file is at:
baikalvendorsabredavlibCardDAVBackendPDO.php

<?php

declare(strict_types=1);

namespace SabreCardDAVBackend;

use SabreCardDAV;
use SabreDAV;
use SabreDAVPropPatch;

/**
 * PDO CardDAV backend.
 *
 * This CardDAV backend uses PDO to store addressbooks
 *
 * @copyright Copyright (C) fruux GmbH (https://fruux.com/)
 * @author Evert Pot (http://evertpot.com/)
 * @license http://sabre.io/license/ Modified BSD License
 */
class PDO extends AbstractBackend implements SyncSupport
...
...
}

Advertisement

Answer

For Basic Authentication, the file is this:

baikalCoreFrameworksBaikalCorePDOBasicAuth.php

plain password is at the validateUserPass function and it can be stored at a global var (or in the session as mentioned in the comments of the question):

function validateUserPass($username, $password) {
        
        global $ptp;
        
        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM ' . $this->tableName . ' WHERE username = ?');
        $stmt->execute([$username]);
        $result = $stmt->fetchAll();

        if (!count($result)) {
            return false;
        }

        $hash = md5($username . ':' . $this->authRealm . ':' . $password);
        if ($result[0]['digesta1'] === $hash) {
            $this->currentUser = $username;
            
            $ptp = $password;
                    
            return true;
        }

        return false;
    }
}

Then, at the baikalvendorsabredavlibCardDAVBackendPDO.php file, the value of the $ptp var can be retrieved using global $ptp;

User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement