gitlabFork/ISPConfig3.git - Solinfo Gitblit

parent: 6448a70e | patch | commit | ignore whitespace

- Fixed FS#3175 - SSL Key File insecure after replacement. - Fixed FS#3159 ...

ftimme

2013-10-09 407c0051c65199159502901af4e8792481d86370

- Fixed FS#3175 - SSL Key File insecure after replacement.
- Fixed FS#3159 - SSL key and cert for *.domain.com doesnt show in SSL tab.

3 files modified

	server/lib/classes/system.inc.php	3 ●●●●● patch \| view \| raw \| blame \| history
	server/plugins-available/apache2_plugin.inc.php	8 ●●●●● patch \| view \| raw \| blame \| history
	server/plugins-available/nginx_plugin.inc.php	8 ●●●●● patch \| view \| raw \| blame \| history

 server/lib/classes/system.inc.php

@@ -780,7 +780,8 @@
        if(substr($path,0,1) != '/') return false;
        
        //* We allow only some characters in the path
        if(!preg_match('/^\/[a-zA-Z0-9_\/\.\-]{1,}$/',$path)) return false;
        // * is allowed, for example it is part of wildcard certificates/keys: *.example.com.crt
        if(!preg_match('@^/[-a-zA-Z0-9_/.*~]{1,}$@',$path)) return false;
        
        //* Check path for symlinks
        $path_parts = explode('/',$path);

 server/plugins-available/apache2_plugin.inc.php

@@ -171,15 +171,15 @@

            $rand_file = escapeshellcmd($rand_file);
            $key_file = escapeshellcmd($key_file);
            if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') != false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') !== false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
            $key_file2 = escapeshellcmd($key_file2);
            if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') != false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') !== false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
            $ssl_days = 3650;
            $csr_file = escapeshellcmd($csr_file);
            if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') != false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') !== false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
            $config_file = escapeshellcmd($ssl_cnf_file);
            $crt_file = escapeshellcmd($crt_file);
            if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') != false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') !== false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate

            if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {
                

 server/plugins-available/nginx_plugin.inc.php

@@ -170,15 +170,15 @@

            $rand_file = escapeshellcmd($rand_file);
            $key_file = escapeshellcmd($key_file);
            if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') != false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') !== false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
            $key_file2 = escapeshellcmd($key_file2);
            if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') != false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') !== false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
            $ssl_days = 3650;
            $csr_file = escapeshellcmd($csr_file);
            if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') != false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') !== false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
            $config_file = escapeshellcmd($ssl_cnf_file);
            $crt_file = escapeshellcmd($crt_file);
            if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') != false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate
            if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') !== false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate

            if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {

			@@ -780,7 +780,8 @@
			if(substr($path,0,1) != '/') return false;

			//* We allow only some characters in the path
			if(!preg_match('/^\/[a-zA-Z0-9_\/\.\-]{1,}$/',$path)) return false;
			// * is allowed, for example it is part of wildcard certificates/keys: *.example.com.crt
			if(!preg_match('@^/[-a-zA-Z0-9_/.*~]{1,}$@',$path)) return false;

			//* Check path for symlinks
			$path_parts = explode('/',$path);

			@@ -171,15 +171,15 @@

			$rand_file = escapeshellcmd($rand_file);
			$key_file = escapeshellcmd($key_file);
			if(substr($domain, 0, 2) == '.' && strpos($key_file, '/ssl/\.') != false) $key_file = str_replace('/ssl/\.', '/ssl/.', $key_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($key_file, '/ssl/\.') !== false) $key_file = str_replace('/ssl/\.', '/ssl/.', $key_file); // wildcard certificate
			$key_file2 = escapeshellcmd($key_file2);
			if(substr($domain, 0, 2) == '.' && strpos($key_file2, '/ssl/\.') != false) $key_file2 = str_replace('/ssl/\.', '/ssl/.', $key_file2); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($key_file2, '/ssl/\.') !== false) $key_file2 = str_replace('/ssl/\.', '/ssl/.', $key_file2); // wildcard certificate
			$ssl_days = 3650;
			$csr_file = escapeshellcmd($csr_file);
			if(substr($domain, 0, 2) == '.' && strpos($csr_file, '/ssl/\.') != false) $csr_file = str_replace('/ssl/\.', '/ssl/.', $csr_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($csr_file, '/ssl/\.') !== false) $csr_file = str_replace('/ssl/\.', '/ssl/.', $csr_file); // wildcard certificate
			$config_file = escapeshellcmd($ssl_cnf_file);
			$crt_file = escapeshellcmd($crt_file);
			if(substr($domain, 0, 2) == '.' && strpos($crt_file, '/ssl/\.') != false) $crt_file = str_replace('/ssl/\.', '/ssl/.', $crt_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($crt_file, '/ssl/\.') !== false) $crt_file = str_replace('/ssl/\.', '/ssl/.', $crt_file); // wildcard certificate

			if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {

			@@ -170,15 +170,15 @@

			$rand_file = escapeshellcmd($rand_file);
			$key_file = escapeshellcmd($key_file);
			if(substr($domain, 0, 2) == '.' && strpos($key_file, '/ssl/\.') != false) $key_file = str_replace('/ssl/\.', '/ssl/.', $key_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($key_file, '/ssl/\.') !== false) $key_file = str_replace('/ssl/\.', '/ssl/.', $key_file); // wildcard certificate
			$key_file2 = escapeshellcmd($key_file2);
			if(substr($domain, 0, 2) == '.' && strpos($key_file2, '/ssl/\.') != false) $key_file2 = str_replace('/ssl/\.', '/ssl/.', $key_file2); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($key_file2, '/ssl/\.') !== false) $key_file2 = str_replace('/ssl/\.', '/ssl/.', $key_file2); // wildcard certificate
			$ssl_days = 3650;
			$csr_file = escapeshellcmd($csr_file);
			if(substr($domain, 0, 2) == '.' && strpos($csr_file, '/ssl/\.') != false) $csr_file = str_replace('/ssl/\.', '/ssl/.', $csr_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($csr_file, '/ssl/\.') !== false) $csr_file = str_replace('/ssl/\.', '/ssl/.', $csr_file); // wildcard certificate
			$config_file = escapeshellcmd($ssl_cnf_file);
			$crt_file = escapeshellcmd($crt_file);
			if(substr($domain, 0, 2) == '.' && strpos($crt_file, '/ssl/\.') != false) $crt_file = str_replace('/ssl/\.', '/ssl/.', $crt_file); // wildcard certificate
			if(substr($domain, 0, 2) == '.' && strpos($crt_file, '/ssl/\.') !== false) $crt_file = str_replace('/ssl/\.', '/ssl/.', $crt_file); // wildcard certificate

			if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {