From 614b23b18053c58c3f85db5ceaa982484175d276 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Mon, 25 Aug 2014 10:35:53 -0400
Subject: [PATCH] Added apache directives check against regex blacklist in security settings.
---
interface/web/sites/lib/lang/ar_web_domain.lng | 1
interface/web/sites/lib/lang/id_web_domain.lng | 1
interface/web/sites/lib/lang/tr_web_domain.lng | 1
interface/web/sites/lib/lang/bg_web_domain.lng | 1
interface/web/sites/lib/lang/se_web_domain.lng | 1
interface/web/sites/lib/lang/sk_web_domain.lng | 1
interface/lib/classes/IDS/Monitor.php | 4 +-
interface/lib/classes/validate_domain.inc.php | 40 ++++++++++++++++++++
interface/web/sites/lib/lang/ja_web_domain.lng | 1
interface/web/sites/lib/lang/it_web_domain.lng | 1
interface/web/sites/lib/lang/el_web_domain.lng | 1
interface/web/sites/lib/lang/hu_web_domain.lng | 1
interface/web/sites/form/web_domain.tform.php | 7 +++
interface/web/sites/lib/lang/nl_web_domain.lng | 1
interface/web/sites/form/web_vhost_subdomain.tform.php | 7 +++
interface/web/sites/lib/lang/de_web_domain.lng | 1
interface/web/sites/lib/lang/ro_web_domain.lng | 1
interface/web/sites/lib/lang/en_web_domain.lng | 1
interface/web/sites/lib/lang/br_web_domain.lng | 1
interface/web/sites/lib/lang/hr_web_domain.lng | 1
interface/web/sites/lib/lang/ru_web_domain.lng | 1
interface/web/sites/lib/lang/fr_web_domain.lng | 1
interface/web/sites/lib/lang/pt_web_domain.lng | 1
interface/web/sites/lib/lang/pl_web_domain.lng | 1
interface/web/sites/lib/lang/fi_web_domain.lng | 1
interface/web/sites/lib/lang/cz_web_domain.lng | 1
interface/web/sites/lib/lang/es_web_domain.lng | 1
27 files changed, 79 insertions(+), 2 deletions(-)
diff --git a/interface/lib/classes/IDS/Monitor.php b/interface/lib/classes/IDS/Monitor.php
index f93e748..90c8958 100644
--- a/interface/lib/classes/IDS/Monitor.php
+++ b/interface/lib/classes/IDS/Monitor.php
@@ -250,7 +250,7 @@
$filterSet = $this->storage->getFilterSet();
if ($tags = $this->tags) {
- $filterSet = array_filter(
+ $filterSet = @array_filter(
$filterSet,
function (Filter $filter) use ($tags) {
return (bool) array_intersect($tags, $filter->getTags());
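Review bot: The `@` prefixed to `array_filter` in this hunk (and again in the second hunk below) silences whatever warning motivated the change rather than addressing it, and on an IDS code path that is a fail-open: when `array_filter` warns it returns null, the second filter then receives null, and the scan continues with an empty filter set so no rule can match. Suppressing the diagnostic also removes the only trace that the filter storage returned something unusable. Prefer to validate the input once and drop both `@`, e.g. `if (!is_array($filterSet)) { throw new \RuntimeException('IDS filter set unavailable'); }` placed before the first filter. The enclosing method starts outside this hunk, so the exact failure mode of the caller cannot be confirmed from here.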
@@ -259,7 +259,7 @@
}
$scanKeys = $this->scanKeys;
- $filterSet = array_filter(
+ $filterSet = @array_filter(
$filterSet,
function (Filter $filter) use ($key, $value, $scanKeys) {
return $filter->match($value) || $scanKeys && $filter->match($key);
diff --git a/interface/lib/classes/validate_domain.inc.php b/interface/lib/classes/validate_domain.inc.php
index d92de9b..8df0d2f 100644
--- a/interface/lib/classes/validate_domain.inc.php
+++ b/interface/lib/classes/validate_domain.inc.php
@@ -97,6 +97,45 @@
$result = $this->_check_unique($field_value . '.' . $check_domain, true);
if(!$result) return $this->get_error('domain_error_autosub');
}
+
+ /* Check apache directives */
+ function web_apache_directives($field_name, $field_value, $validator) {
+ global $app;
+
+ if(trim($field_value) != '') {
+ $security_config = $app->getconf->get_security_config('ids');
+
+ if($security_config['apache_directives_scan_enabled'] == 'yes') {
+
+ // Get blacklist
+ $blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist';
+ if(is_file('/usr/local/ispconfig/security/apache_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist.custom';
+ if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/apache_directives.blacklist');
+
+ $directives = explode("\n",$field_value);
+ $regex = explode("\n",file_get_contents($blacklist_path));
+ $blocked = false;
+ $blocked_line = '';
+
+ if(is_array($directives) && is_array($regex)) {
+ foreach($directives as $directive) {
+ $directive = trim($directive);
+ foreach($regex as $r) {
+ if(preg_match(trim($r),$directive)) {
+ $blocked = true;
+ $blocked_line = $directive;
+ };
+ }
+ }
+ }
+ }
+ }
+
+ if($blocked === true) {
+ return $this->get_error('apache_directive_blocked_error').' '.$blocked_line;
+ }
+ }
+
/* internal validator function to match regexp */
function _regex_validate($domain_name, $allow_wildcard = false) {
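Review bot: The new `web_apache_directives` validator fails open whenever the blacklist cannot be used: if none of the three candidate paths exists, `file_get_contents` returns false, `explode` yields `['']`, and `preg_match('')` emits a warning and returns false, so every directive is accepted; any malformed pattern line behaves the same way, and the trailing empty element after the file's final newline triggers that warning on every run. `$blocked` and `$blocked_line` are also only assigned inside the `trim($field_value) != ''` / scan-enabled branch, so the final `$blocked === true` reads an undefined variable on the empty-field path. Initialize the flags before the branch, reject the submission when the blacklist is unreadable, skip empty pattern lines, and treat a `false` from `preg_match` as a block rather than a pass. Note also that matching is line-by-line after `trim`; if Apache's backslash line continuation is honoured in the generated vhost, a directive split across two lines could evade a pattern written against the joined form — worth checking against the shipped blacklist, which is not in this patch.
```php
function web_apache_directives($field_name, $field_value, $validator) {
    global $app;

    $blocked = false;
    $blocked_line = '';

    if(trim($field_value) != '') {
        $security_config = $app->getconf->get_security_config('ids');

        if($security_config['apache_directives_scan_enabled'] == 'yes') {
            // … unchanged: blacklist path selection …

            // Fail closed: an unreadable blacklist must not approve directives.
            $blacklist = is_file($blacklist_path) ? file_get_contents($blacklist_path) : false;
            if($blacklist === false) {
                return $this->get_error('apache_directive_blocked_error').' (blacklist unreadable)';
            }

            // Drop empty lines so preg_match() is never called with an empty pattern.
            $regex = array_filter(array_map('trim', explode("\n", $blacklist)), 'strlen');

            foreach(explode("\n", $field_value) as $directive) {
                $directive = trim($directive);
                foreach($regex as $r) {
                    $m = preg_match($r, $directive);
                    // A broken pattern (false) blocks as well, instead of silently passing.
                    if($m === false || $m === 1) {
                        $blocked = true;
                        $blocked_line = $directive;
                    }
                }
            }
        }
    }

    if($blocked === true) {
        return $this->get_error('apache_directive_blocked_error').' '.$blocked_line;
    }
}
```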
@@ -175,5 +214,6 @@
}
return true; // admin may always add wildcard domain
}
+
}
diff --git a/interface/web/sites/form/web_domain.tform.php b/interface/web/sites/form/web_domain.tform.php
index efaea89..16a0c85 100644
--- a/interface/web/sites/form/web_domain.tform.php
+++ b/interface/web/sites/form/web_domain.tform.php
@@ -730,6 +730,13 @@
'apache_directives' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXT',
+ 'validators' => array ( 0 => array(
+ 'type' => 'CUSTOM',
+ 'class' => 'validate_domain',
+ 'function' => 'web_apache_directives',
+ 'errmsg' => 'apache_directive_blockd_error'
+ ),
+ ),
'default' => '',
'value' => '',
'width' => '30',
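Review bot: The `errmsg` key `apache_directive_blockd_error` added to the validator entry does not exist in any language file; this commit introduces `apache_directive_blocked_error` instead, so should the form layer ever fall back to `errmsg` the user would see a blank or raw key rather than the blocked directive. Change it to `'errmsg' => 'apache_directive_blocked_error'`. The validator currently returns its own message through `get_error`, which is presumably why the mismatch went unnoticed.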
diff --git a/interface/web/sites/form/web_vhost_subdomain.tform.php b/interface/web/sites/form/web_vhost_subdomain.tform.php
index 3aa2276..55dd261 100644
--- a/interface/web/sites/form/web_vhost_subdomain.tform.php
+++ b/interface/web/sites/form/web_vhost_subdomain.tform.php
@@ -706,6 +706,13 @@
'apache_directives' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXT',
+ 'validators' => array ( 0 => array(
+ 'type' => 'CUSTOM',
+ 'class' => 'validate_domain',
+ 'function' => 'web_apache_directives',
+ 'errmsg' => 'apache_directive_blockd_error'
+ ),
+ ),
'default' => '',
'value' => '',
'width' => '30',
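Review bot: Same mismatch as in web_domain.tform.php: `errmsg` names `apache_directive_blockd_error`, while the only key the commit adds to the language files is `apache_directive_blocked_error`. Correct it to `'errmsg' => 'apache_directive_blocked_error'` so the two forms stay consistent with the translations and with each other.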
diff --git a/interface/web/sites/lib/lang/ar_web_domain.lng b/interface/web/sites/lib/lang/ar_web_domain.lng
index 539d3b7..1714b64 100644
--- a/interface/web/sites/lib/lang/ar_web_domain.lng
+++ b/interface/web/sites/lib/lang/ar_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/bg_web_domain.lng b/interface/web/sites/lib/lang/bg_web_domain.lng
index 3af58cd..594b6f2 100644
--- a/interface/web/sites/lib/lang/bg_web_domain.lng
+++ b/interface/web/sites/lib/lang/bg_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/br_web_domain.lng b/interface/web/sites/lib/lang/br_web_domain.lng
index 8b4484e..21525c5 100644
--- a/interface/web/sites/lib/lang/br_web_domain.lng
+++ b/interface/web/sites/lib/lang/br_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/cz_web_domain.lng b/interface/web/sites/lib/lang/cz_web_domain.lng
index 99c9e10..db8f37f 100644
--- a/interface/web/sites/lib/lang/cz_web_domain.lng
+++ b/interface/web/sites/lib/lang/cz_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'Vyloučené adresáře obsahují neplatné znaky.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Neplatné nastavení php.ini';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/de_web_domain.lng b/interface/web/sites/lib/lang/de_web_domain.lng
index c005f90..b90ff9a 100644
--- a/interface/web/sites/lib/lang/de_web_domain.lng
+++ b/interface/web/sites/lib/lang/de_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'Die auszuschließenden Verzeichnisse enthalten ungültige Zeichen.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Unzulässige php.ini-Einstellungen';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Die Apache Direktive wurde durch die Sicherheitsrichtline blockiert:';
?>
diff --git a/interface/web/sites/lib/lang/el_web_domain.lng b/interface/web/sites/lib/lang/el_web_domain.lng
index bc9a835..b2792ce 100644
--- a/interface/web/sites/lib/lang/el_web_domain.lng
+++ b/interface/web/sites/lib/lang/el_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/en_web_domain.lng b/interface/web/sites/lib/lang/en_web_domain.lng
index 0478e99..14b3d52 100644
--- a/interface/web/sites/lib/lang/en_web_domain.lng
+++ b/interface/web/sites/lib/lang/en_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
\ No newline at end of file
diff --git a/interface/web/sites/lib/lang/es_web_domain.lng b/interface/web/sites/lib/lang/es_web_domain.lng
index f56e895..48c37ff 100644
--- a/interface/web/sites/lib/lang/es_web_domain.lng
+++ b/interface/web/sites/lib/lang/es_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/fi_web_domain.lng b/interface/web/sites/lib/lang/fi_web_domain.lng
index e5323b2..e13fb8f 100755
--- a/interface/web/sites/lib/lang/fi_web_domain.lng
+++ b/interface/web/sites/lib/lang/fi_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/fr_web_domain.lng b/interface/web/sites/lib/lang/fr_web_domain.lng
index 00c2dcf..7c01ca3 100644
--- a/interface/web/sites/lib/lang/fr_web_domain.lng
+++ b/interface/web/sites/lib/lang/fr_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/hr_web_domain.lng b/interface/web/sites/lib/lang/hr_web_domain.lng
index 51fcb92..a7927a3 100644
--- a/interface/web/sites/lib/lang/hr_web_domain.lng
+++ b/interface/web/sites/lib/lang/hr_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/hu_web_domain.lng b/interface/web/sites/lib/lang/hu_web_domain.lng
index e160449..3fc994e 100644
--- a/interface/web/sites/lib/lang/hu_web_domain.lng
+++ b/interface/web/sites/lib/lang/hu_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/id_web_domain.lng b/interface/web/sites/lib/lang/id_web_domain.lng
index ef3423e..8ed9ad9 100644
--- a/interface/web/sites/lib/lang/id_web_domain.lng
+++ b/interface/web/sites/lib/lang/id_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/it_web_domain.lng b/interface/web/sites/lib/lang/it_web_domain.lng
index c946023..5a2bdf5 100644
--- a/interface/web/sites/lib/lang/it_web_domain.lng
+++ b/interface/web/sites/lib/lang/it_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/ja_web_domain.lng b/interface/web/sites/lib/lang/ja_web_domain.lng
index d32a9d1..41ce471 100644
--- a/interface/web/sites/lib/lang/ja_web_domain.lng
+++ b/interface/web/sites/lib/lang/ja_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/nl_web_domain.lng b/interface/web/sites/lib/lang/nl_web_domain.lng
index 1efbbc6..aa3134b 100644
--- a/interface/web/sites/lib/lang/nl_web_domain.lng
+++ b/interface/web/sites/lib/lang/nl_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/pl_web_domain.lng b/interface/web/sites/lib/lang/pl_web_domain.lng
index ed28813..858b35c 100644
--- a/interface/web/sites/lib/lang/pl_web_domain.lng
+++ b/interface/web/sites/lib/lang/pl_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/pt_web_domain.lng b/interface/web/sites/lib/lang/pt_web_domain.lng
index 3d19779..ac0f7f7 100644
--- a/interface/web/sites/lib/lang/pt_web_domain.lng
+++ b/interface/web/sites/lib/lang/pt_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/ro_web_domain.lng b/interface/web/sites/lib/lang/ro_web_domain.lng
index e568b8c..d4667d0 100644
--- a/interface/web/sites/lib/lang/ro_web_domain.lng
+++ b/interface/web/sites/lib/lang/ro_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/ru_web_domain.lng b/interface/web/sites/lib/lang/ru_web_domain.lng
index c192656..06d82c1 100644
--- a/interface/web/sites/lib/lang/ru_web_domain.lng
+++ b/interface/web/sites/lib/lang/ru_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/se_web_domain.lng b/interface/web/sites/lib/lang/se_web_domain.lng
index 5156df1..d25c8b1 100644
--- a/interface/web/sites/lib/lang/se_web_domain.lng
+++ b/interface/web/sites/lib/lang/se_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Ogiltiga php.ini-inställningar';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/sk_web_domain.lng b/interface/web/sites/lib/lang/sk_web_domain.lng
index 5497f9f..e38610d 100644
--- a/interface/web/sites/lib/lang/sk_web_domain.lng
+++ b/interface/web/sites/lib/lang/sk_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
diff --git a/interface/web/sites/lib/lang/tr_web_domain.lng b/interface/web/sites/lib/lang/tr_web_domain.lng
index 59dc02a..557b69b 100644
--- a/interface/web/sites/lib/lang/tr_web_domain.lng
+++ b/interface/web/sites/lib/lang/tr_web_domain.lng
@@ -128,4 +128,5 @@
$wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
$wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
?>
--
Gitblit v1.9.1