Merge branch 'stable-3.0.5'
Conflicts:
install/sql/ispconfig3.sql
install/tpl/config.inc.php.master
interface/lib/classes/tform.inc.php
interface/lib/config.inc.php
interface/web/admin/server_config_edit.php
interface/web/themes/blue/ispconfig_version
interface/web/tools/import_plesk.php
interface/web/tools/resync.php
interface/web/vm/openvz_action.php
| | |
| | | $salt.="$"; |
| | | return crypt($cleartext_password, $salt); |
| | | } |
| | | |
| | | public function csrf_token_get($form_name) { |
| | | /* CSRF PROTECTION */ |
| | | // generate csrf protection id and key |
| | | $_csrf_id = uniqid($form_name . '_'); // form id |
| | | $_csrf_key = sha1(uniqid(microtime(true), true)); // the key |
| | | if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array(); |
| | | if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array(); |
| | | $_SESSION['_csrf'][$_csrf_id] = $_csrf_key; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour |
| | | |
| | | return array('csrf_id' => $_csrf_id,'csrf_key' => $_csrf_key); |
| | | } |
| | | |
| | | public function csrf_token_check() { |
| | | global $app; |
| | | |
| | | if(isset($_POST) && is_array($_POST)) { |
| | | $_csrf_valid = false; |
| | | if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) { |
| | | $_csrf_id = trim($_POST['_csrf_id']); |
| | | $_csrf_key = trim($_POST['_csrf_key']); |
| | | if(isset($_SESSION['_csrf']) && isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout']) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) { |
| | | if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'] >= time()) $_csrf_valid = true; |
| | | } |
| | | } |
| | | if($_csrf_valid !== true) { |
| | | $app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN); |
| | | $app->error($app->lng('err_csrf_attempt_blocked')); |
| | | } |
| | | $_SESSION['_csrf'][$_csrf_id] = null; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = null; |
| | | unset($_SESSION['_csrf'][$_csrf_id]); |
| | | unset($_SESSION['_csrf_timeout'][$_csrf_id]); |
| | | |
| | | if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) { |
| | | $to_unset = array(); |
| | | foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) { |
| | | if($timeout < time()) $to_unset[] = $_csrf_id; |
| | | } |
| | | foreach($to_unset as $_csrf_id) { |
| | | $_SESSION['_csrf'][$_csrf_id] = null; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = null; |
| | | unset($_SESSION['_csrf'][$_csrf_id]); |
| | | unset($_SESSION['_csrf_timeout'][$_csrf_id]); |
| | | } |
| | | unset($to_unset); |
| | | } |
| | | } |
| | | } |
| | | |
| | | } |
| | | |
| | |
| | | |
| | | /* CSRF PROTECTION */ |
| | | // generate csrf protection id and key |
| | | $_csrf_id = uniqid($this->formDef['name'] . '_'); |
| | | $_csrf_value = sha1(uniqid(microtime(true), true)); |
| | | if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array(); |
| | | if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array(); |
| | | $_SESSION['_csrf'][$_csrf_id] = $_csrf_value; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour |
| | | $csrf_token = $app->auth->csrf_token_get($this->formDef['name']); |
| | | $_csrf_id = $csrf_token['csrf_id']; |
| | | $_csrf_value = $csrf_token['csrf_key']; |
| | | |
| | | $this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array( |
| | | 'datatype' => 'VARCHAR', |
| | | 'formtype' => 'TEXT', |
| | |
| | | unset($_POST); |
| | | unset($record); |
| | | } |
| | | $_SESSION['_csrf'][$_csrf_id] = null; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = null; |
| | | unset($_SESSION['_csrf'][$_csrf_id]); |
| | | unset($_SESSION['_csrf_timeout'][$_csrf_id]); |
| | | |
| | | if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) { |
| | | $to_unset = array(); |
| | |
| | | $wb['latest_news_txt'] = 'Neuigkeiten'; |
| | | $wb['err_csrf_attempt_blocked'] = 'CSRF-Versuch blockiert.'; |
| | | $wb['top_menu_vm'] = 'vServer'; |
| | | $wb['err_csrf_attempt_blocked'] = 'CSRF-Versuch blockiert.'; |
| | | $wb['daynamesmin_su'] = 'So'; |
| | | $wb['daynamesmin_mo'] = 'Mo'; |
| | | $wb['daynamesmin_tu'] = 'Di'; |
| | |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $lng_new = $_POST['lng_new']; |
| | | if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.'); |
| | | |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_add'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng'; |
| | | include $lng_file; |
| | |
| | | // Export the language file |
| | | if(isset($_POST['lng_select']) && $error == '') { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | // complete the global langauge file |
| | | merge_langfile(ISPC_LIB_PATH."/lang/".$selected_language.".lng", ISPC_LIB_PATH."/lang/en.lng"); |
| | | |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_merge'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_complete.lng'; |
| | | include $lng_file; |
| | |
| | | |
| | | //* Save data |
| | | if(isset($_POST['records']) && is_array($_POST['records'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $file_content = "<?php\n"; |
| | | foreach($_POST['records'] as $key => $val) { |
| | | $val = stripslashes($val); |
| | |
| | | unset($wb); |
| | | } |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_edit'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng'; |
| | |
| | | |
| | | // Export the language file |
| | | if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $lines = file($_FILES['file']['tmp_name']); |
| | | // initial check |
| | | $parts = explode('|', $lines[0]); |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng'; |
| | | include $lng_file; |
| | |
| | | |
| | | //* Note: Disabled post action |
| | | if (1 == 0 && isset($_POST['server_select'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $server = $_POST['server_select']; |
| | | $servers = array(); |
| | | if ($server == '*') { |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('ispupdate'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | $app->tpl_defaults(); |
| | |
| | | * If the user wants to do the action, write this to our db |
| | | */ |
| | | if (isset($_POST['server_select'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $server = $_POST['server_select']; |
| | | $servers = array(); |
| | | if ($server == '*') { |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('osupdate'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | $app->tpl_defaults(); |
| | |
| | | } |
| | | } |
| | | |
| | | $server_config_array[$section] = $app->tform->encode($this->dataRecord, $section); |
| | | $server_config_str = $app->ini_parser->get_ini_string($server_config_array); |
| | | if($app->tform->errorMessage == '') { |
| | | $server_config_array[$section] = $app->tform->encode($this->dataRecord, $section); |
| | | $server_config_str = $app->ini_parser->get_ini_string($server_config_array); |
| | | |
| | | $app->db->datalogUpdate('server', array("config" => $server_config_str), 'server_id', $server_id); |
| | | $app->db->datalogUpdate('server', array("config" => $server_config_str), 'server_id', $server_id); |
| | | } else { |
| | | $app->error('Security breach!'); |
| | | } |
| | | } |
| | | } |
| | | |
| | |
| | | |
| | | //* Save data |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | //* Check values |
| | | if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $_POST['sender'])) $error .= $wb['sender_invalid_error'].'<br />'; |
| | | if(empty($_POST['subject'])) $error .= $wb['subject_invalid_error'].'<br />'; |
| | |
| | | } |
| | | $app->tpl->setVar('message_variables', trim($message_variables)); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('client_message'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar('okmsg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | |
| | | } |
| | | |
| | | if($_POST['create'] == 1) { |
| | | |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $error = ''; |
| | | |
| | | if ($post_server_id) |
| | |
| | | |
| | | $app->tpl->setVar("title", 'DNS Wizard'); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('dns_wizard'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_dns_wizard.lng'; |
| | | include $lng_file; |
| | | $app->tpl->setVar($wb); |
| | |
| | | <?php |
| | | $wb['shell_txt'] = 'Shell'; |
| | | $wb['dir_txt'] = 'Dir'; |
| | | $wb['dir_txt'] = 'Base Dir'; |
| | | $wb['server_id_txt'] = 'Server'; |
| | | $wb['parent_domain_id_txt'] = 'Site'; |
| | | $wb['username_txt'] = 'Username'; |
| | |
| | | <?php |
| | | $wb['shell_txt'] = 'Shell'; |
| | | $wb['dir_txt'] = 'Verzeichnis'; |
| | | $wb['dir_txt'] = 'Basis Verzeichnis'; |
| | | $wb['server_id_txt'] = 'Server'; |
| | | $wb['parent_domain_id_txt'] = 'Webseite'; |
| | | $wb['username_txt'] = 'Benutzername'; |
| | |
| | | $wb['puser_txt'] = "Web Username"; |
| | | $wb['pgroup_txt'] = "Web Group"; |
| | | $wb['shell_txt'] = "Shell"; |
| | | $wb['dir_txt'] = "Dir"; |
| | | $wb['dir_txt'] = "Base Dir"; |
| | | $wb['server_id_txt'] = "Server"; |
| | | $wb['parent_domain_id_txt'] = "Site"; |
| | | $wb['username_txt'] = "Username"; |
| | |
| | | <tmpl_dyninclude name="content_tpl"> |
| | | <tmpl_dyninclude name="content_tpl"> |
| | | <input type="hidden" name="_csrf_id" value="{tmpl_var name='_csrf_id'}" /> |
| | | <input type="hidden" name="_csrf_key" value="{tmpl_var name='_csrf_key'}" /> |
| | |
| | | |
| | | // Resyncing dns zones |
| | | if(isset($_POST['start']) && $_POST['start'] == 1) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | //* Set variable sin template |
| | | $app->tpl->setVar('dbhost', $_POST['dbhost']); |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('dns_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | if(isset($_POST['connected'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $connected = $app->functions->intval($_POST['connected']); |
| | | if($connected == 0) { |
| | | |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('ispconfig_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | | |
| | |
| | | } |
| | | } |
| | | |
| | | $csrf_token = $app->auth->csrf_token_get('tools_resync'); |
| | | $app->tpl->setVar('_csrf_id', $csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key', $csrf_token['csrf_key']); |
| | | |
| | | parent::onShowEnd(); |
| | | } |
| | | |
| | |
| | | |
| | | function onSubmit() { |
| | | global $app; |
| | | |
| | | |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | } |
| | | |
| | | //* all services |
| | | if($this->dataRecord['resync_all'] == 1) { |
| | | $this->dataRecord['resync_sites'] = 1; |
| | |
| | | |
| | | if($vm_id == 0) die('Invalid VM ID'); |
| | | |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | } |
| | | $vm = $app->db->queryOneRecord("SELECT server_id, veid FROM openvz_vm WHERE vm_id = ?", $vm_id); |
| | | $veid = $app->functions->intval($vm['veid']); |
| | | $server_id = $app->functions->intval($vm['server_id']); |
| | |
| | | $app->tpl->setVar($options); |
| | | $app->tpl->setVar('error', $error_msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('openvz_action'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | | |
| | |
| | | $app->system->chgrp(escapeshellcmd($data['new']['dir'].'/home'),escapeshellcmd($data['new']['pgroup'])); |
| | | } |
| | | $app->file->mkdirs(escapeshellcmd($homedir), '0750'); |
| | | $app->system->chown(escapeshellcmd($homedir),escapeshellcmd($data['new']['username'])); |
| | | $app->system->chown(escapeshellcmd($homedir),escapeshellcmd($data['new']['puser'])); |
| | | $app->system->chgrp(escapeshellcmd($homedir),escapeshellcmd($data['new']['pgroup'])); |
| | | $app->system->web_folder_protection($web['document_root'], true); |
| | | } else { |
| | |
| | | } |
| | | $sshrsa = trim($sshrsa); |
| | | $usrdir = escapeshellcmd($this->data['new']['dir']); |
| | | //* Home directory of the new shell user |
| | | if($this->data['new']['chroot'] == 'jailkit') { |
| | | $usrdir = escapeshellcmd($this->data['new']['dir']); |
| | | } else { |
| | | $usrdir = escapeshellcmd($this->data['new']['dir'].'/home/'.$this->data['new']['username']); |
| | | } |
| | | $sshdir = $usrdir.'/.ssh'; |
| | | $sshkeys= $usrdir.'/.ssh/authorized_keys'; |
| | | |