Merge branch 'master' of git://github.com/Froxlor/Froxlor

2013-10-19 20:13:43 +02:00
parent 0e6aec2533 cb556093c1
commit 036bd61ded
13 changed files with 154 additions and 72 deletions
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -81,7 +81,7 @@ return array(
 					'settinggroup' => 'system',
 					'varname' => 'apacheconf_htpasswddir',
 					'type' => 'string',
-					'string_type' => 'dir',
+					'string_type' => 'confdir',
 					'default' => '/etc/apache2/htpasswd/',
 					'save_method' => 'storeSettingField',
 					),
@@ -99,7 +99,7 @@ return array(
 					'settinggroup' => 'system',
 					'varname' => 'customer_ssl_path',
 					'type' => 'string',
-					'string_type' => 'dir',
+					'string_type' => 'confdir',
 					'default' => '/etc/ssl/froxlor-custom/',
 					'save_method' => 'storeSettingField',
 					),
--- a/actions/admin/settings/135.fcgid.php
+++ b/actions/admin/settings/135.fcgid.php
@@ -36,7 +36,7 @@ return array(
 					'settinggroup' => 'system',
 					'varname' => 'mod_fcgid_configdir',
 					'type' => 'string',
-					'string_type' => 'dir',
+					'string_type' => 'confdir',
 					'default' => '/var/www/php-fcgi-scripts/',
 					'plausibility_check_method' => 'checkPathConflicts',
 					'save_method' => 'storeSettingField',
--- a/actions/admin/settings/136.phpfpm.php
+++ b/actions/admin/settings/136.phpfpm.php
@@ -79,7 +79,7 @@ return array(
 					'settinggroup' => 'phpfpm',
 					'varname' => 'configdir',
 					'type' => 'string',
-					'string_type' => 'dir',
+					'string_type' => 'confdir',
 					'default' => '/etc/php-fpm.d/',
 					'save_method' => 'storeSettingField',
 					),
@@ -88,7 +88,7 @@ return array(
 					'settinggroup' => 'phpfpm',
 					'varname' => 'aliasconfigdir',
 					'type' => 'string',
-					'string_type' => 'dir',
+					'string_type' => 'confdir',
 					'default' => '/var/www/php-fpm/',
 					'save_method' => 'storeSettingField',
 					),
--- a/admin_domains.php
+++ b/admin_domains.php
@@ -1065,6 +1065,8 @@ if($page == 'domains'
 					if (isset($_POST['ssl_ipandport']) && is_array($_POST['ssl_ipandport'])) {
 						foreach ($_POST['ssl_ipandport'] as $ssl_ipandport) {
 							if (trim($ssl_ipandport) == "") continue;
+							// fix if ip/port got de-checked and it was the last one
+							if (trim($ssl_ipandport) < 1) continue;
 							$ssl_ipandport = intval($ssl_ipandport);
 							$ssl_ipandport_check = $db->query_first("SELECT `id`, `ip`, `port` FROM `" . TABLE_PANEL_IPSANDPORTS . "` WHERE `id` = '" . $db->escape($ssl_ipandport) . "' ");
 							if (!isset($ssl_ipandport_check['id'])
--- a/admin_index.php
+++ b/admin_index.php
@@ -148,18 +148,6 @@ if($page == 'overview')
 	$cron_last_runs = getCronjobsLastRun();
 	$outstanding_tasks = getOutstandingTasks();

-	$opentickets = 0;
-	$opentickets = $db->query_first('SELECT COUNT(`id`) as `count` FROM `' . TABLE_PANEL_TICKETS . '`
-                                   WHERE `answerto` = "0" AND (`status` = "0" OR `status` = "1")
-                                   AND `lastreplier`="0" AND `adminid` = "' . $userinfo['adminid'] . '"');
-	$awaitingtickets = $opentickets['count'];
-	$awaitingtickets_text = '';
-
-	if($opentickets > 0)
-	{
-		$awaitingtickets_text = strtr($lng['ticket']['awaitingticketreply'], array('%s' => '<a href="admin_tickets.php?page=tickets&amp;s=' . $s . '">' . $opentickets['count'] . '</a>'));
-	}
-
 	if(function_exists('sys_getloadavg'))
 	{
 		$loadArray = sys_getloadavg();
--- a/customer_index.php
+++ b/customer_index.php
@@ -60,18 +60,6 @@ if ($page == 'overview') {
 	$userinfo['traffic'] = round($userinfo['traffic'] / (1024 * 1024), $settings['panel']['decimal_places']);
 	$userinfo['traffic_used'] = round($userinfo['traffic_used'] / (1024 * 1024), $settings['panel']['decimal_places']);
 	$userinfo = str_replace_array('-1', $lng['customer']['unlimited'], $userinfo, 'diskspace traffic mysqls emails email_accounts email_forwarders email_quota email_autoresponder ftps tickets subdomains aps_packages');
-	$opentickets = 0;
-	$opentickets = $db->query_first('SELECT COUNT(`id`) as `count` FROM `' . TABLE_PANEL_TICKETS . '`
-                                   WHERE `customerid` = "' . $userinfo['customerid'] . '"
-                                   AND `answerto` = "0"
-                                   AND (`status` = "0" OR `status` = "2")
-                                   AND `lastreplier`="1"');
-	$awaitingtickets = $opentickets['count'];
-	$awaitingtickets_text = '';
-
-	if ($opentickets > 0) {
-		$awaitingtickets_text = strtr($lng['ticket']['awaitingticketreply'], array('%s' => '<a href="customer_tickets.php?page=tickets&amp;s=' . $s . '">' . $opentickets['count'] . '</a>'));
-	}

 	eval("echo \"" . getTemplate('index/index') . "\";");
 } elseif ($page == 'change_password') {
--- a/lib/functions/formfields/string/function.validateFormFieldString.php
+++ b/lib/functions/formfields/string/function.validateFormFieldString.php
@@ -68,6 +68,26 @@ function validateFormFieldString($fieldname, $fielddata, $newfieldvalue)
 				$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
 			}
 		}
+		elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'confdir') {
+			// check for empty value (it might be allowed)
+			if (trim($newfieldvalue) == '') {
+				$newfieldvalue = '';
+				$returnvalue = 'stringmustntbeempty';
+			} else {
+				// add trailing slash to validate path if needed
+				// refs #331
+				if (substr($newfieldvalue, -1) != '/') {
+					$newfieldvalue.= '/';
+				}
+				// if this is a configuration directory, check for stupidity of admins :p
+				if (checkDisallowedPaths($newfieldvalue) !== true) {
+					$newfieldvalue = '';
+					$returnvalue = 'givendirnotallowed';
+				} else {
+					$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
+				}
+			}
+		}
 		elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'file') {
 			// check for empty value (it might be allowed)
 			if (trim($newfieldvalue) == '') {
--- a/lib/functions/settings/function.storeSettingField.php
+++ b/lib/functions/settings/function.storeSettingField.php
@@ -17,62 +17,58 @@
 *
 */

-function storeSettingField($fieldname, $fielddata, $newfieldvalue)
-{
-	if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '')
-	{
+function storeSettingField($fieldname, $fielddata, $newfieldvalue) {

-		if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false)
-		{
+	if (is_array($fielddata)
+			&& isset($fielddata['settinggroup'])
+			&& $fielddata['settinggroup'] != ''
+			&& isset($fielddata['varname'])
+			&& $fielddata['varname'] != ''
+	) {
+		if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
 			/*
 			 * when fielddata[cronmodule] is set, this means enable/disable a cronjob
-			 */
-			if(isset($fielddata['cronmodule']) && $fielddata['cronmodule'] != '')
-			{
+			*/
+			if (isset($fielddata['cronmodule'])
+					&& $fielddata['cronmodule'] != ''
+			) {
 				toggleCronStatus($fielddata['cronmodule'], $newfieldvalue);
 			}

 			/*
 			 * satisfy dependencies
-			 */
-			if(isset($fielddata['dependency']) && is_array($fielddata['dependency']))
-			{
-				if((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue)
-				{
+			*/
+			if (isset($fielddata['dependency'])
+					&& is_array($fielddata['dependency'])
+			) {
+				if ((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue) {
 					storeSettingField($fielddata['dependency']['fieldname'], $fielddata['dependency']['fielddata'], $newfieldvalue);
 				}
 			}

 			return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
-		}
-		else
-		{
+		} else {
 			return false;
 		}
-	}
-	else
-	{
+	} else {
 		return false;
 	}
 }

-function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue)
-{
-	if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '')
-	{
-		if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false)
-		{
+function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue) {
+
+	if (is_array($fielddata)
+			&& isset($fielddata['settinggroup'])
+			&& $fielddata['settinggroup'] != ''
+			&& isset($fielddata['varname'])
+			&& $fielddata['varname'] != ''
+	) {
+		if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
 			return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
-		}
-		else
-		{
+		} else {
 			return false;
 		}
-	}
-	else
-	{
+	} else {
 		return false;
 	}
 }
-
-?>
--- a/lib/functions/validate/function.checkDisallowedPaths.php
+++ b/lib/functions/validate/function.checkDisallowedPaths.php
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2013 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Michael Kaufmann <mkaufmann@nutime.de>
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ * @since      0.9.30
+ *
+ */
+
+/**
+ * checks a directory against disallowed paths which could
+ * lead to a damaged system if you use them
+ *
+ * @param string $fieldname
+ * @param array $fielddata
+ * @param mixed $newfieldvalue
+ *
+ * @return boolean|array
+ */
+function checkDisallowedPaths($path = null) {
+
+	/*
+	 * disallow base-directories and /
+	 */
+	$disallowed_values = array(
+		"/", "/bin/", "/boot/", "/dev/", "/etc/", "/home/", "/lib/", "/lib32/", "/lib64/",
+		"/opt/", "/proc/", "/root/", "/run/", "/sbin/", "/sys/", "/tmp/", "/usr/", "/var/"	
+	);
+
+	$path = makeCorrectDir($path);
+
+	// check if it's a disallowed path
+	if (in_array($path, $disallowed_values)) {
+		return false;
+	}
+	return true;
+}
--- a/lib/init.php
+++ b/lib/init.php
@@ -431,6 +431,40 @@ if (AREA == 'admin' || AREA == 'customer') {
 	unset($navigation_data);
 }

+/**
+ * header information about open tickets (only if used)
+ */
+if ($settings['ticket']['enabled'] == '1') {
+	$awaitingtickets = 0;
+	$awaitingtickets_text = '';
+	$opentickets = 0;
+
+	if (AREA == 'admin' && isset($userinfo['adminid'])) {
+		$opentickets = $db->query_first('
+			SELECT COUNT(`id`) as `count` FROM `' . TABLE_PANEL_TICKETS . '`
+			WHERE `answerto` = "0" AND (`status` = "0" OR `status` = "1")
+			AND `lastreplier`="0" AND `adminid` = "' . $userinfo['adminid'] . '"
+		');
+		$awaitingtickets = $opentickets['count'];
+
+		if ($opentickets > 0) {
+			$awaitingtickets_text = strtr($lng['ticket']['awaitingticketreply'], array('%s' => '<a href="admin_tickets.php?page=tickets&amp;s=' . $s . '">' . $opentickets['count'] . '</a>'));
+		}
+	}
+	elseif (AREA == 'customer' && isset($userinfo['customerid'])) {
+		$opentickets = $db->query_first('
+			SELECT COUNT(`id`) as `count` FROM `' . TABLE_PANEL_TICKETS . '`
+			WHERE `answerto` = "0" AND (`status` = "0" OR `status` = "2")
+			AND `lastreplier`="1" AND `customerid` = "' . $userinfo['customerid'] . '"
+		');
+		$awaitingtickets = $opentickets['count'];
+
+		if ($opentickets > 0) {
+			$awaitingtickets_text = strtr($lng['ticket']['awaitingticketreply'], array('%s' => '<a href="customer_tickets.php?page=tickets&amp;s=' . $s . '">' . $opentickets['count'] . '</a>'));
+		}
+	}
+}
+
 $webfont = str_replace('+', ' ', $settings['panel']['webfont']);
 eval("\$header = \"" . getTemplate('header', '1') . "\";");

--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1971,3 +1971,4 @@ $lng['admin']['selectserveralias_desc'] = 'Chose whether froxlor should create a
 $lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
 $lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
 $lng['domains']['serveraliasoption_none'] = 'No alias';
+$lng['error']['givendirnotallowed'] = 'The given directory in field %s is not allowed.';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1691,3 +1691,4 @@ $lng['admin']['selectserveralias_desc'] = 'Wählen Sie hier, ob für diese Domai
 $lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
 $lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
 $lng['domains']['serveraliasoption_none'] = 'Kein alias';
+$lng['error']['givendirnotallowed'] = 'Das angegebene Verzeichnis im Feld %s ist nicht erlaubt.';
--- a/scripts/jobs/cron_usage.inc.diskspace.php
+++ b/scripts/jobs/cron_usage.inc.diskspace.php
@@ -49,20 +49,24 @@ while($row = $db->fetch_array($result))
 			'MAX_PERCENT' => $settings['system']['report_webmax']
 		);

-		$lngfile = $db->query_first("SELECT `file` FROM `" . TABLE_PANEL_LANGUAGE . "`
-									WHERE `language` ='" . $row['def_language'] . "'");
+		$lngfile = $db->query_first("
+			SELECT `file` FROM `" . TABLE_PANEL_LANGUAGE . "`
+			WHERE `language` ='" . $row['def_language'] . "'
+		");

-		if($lngfile !== NULL)
-		{
+		if ($lngfile !== null) {
 			$langfile = $lngfile['file'];
-		}
-		else
-		{
-			$lngfile = $db->query_first("SELECT `file` FROM `" . TABLE_PANEL_LANGUAGE . "`
-										WHERE `language` ='" . $settings['panel']['standardlanguage'] . "'");
+		} else {
+			$lngfile = $db->query_first("
+				SELECT `file` FROM `" . TABLE_PANEL_LANGUAGE . "`
+				WHERE `language` ='" . $settings['panel']['standardlanguage'] . "'
+			");
 			$langfile = $lngfile['file'];
 		}

+		// include english language file (fallback)
+		include_once makeCorrectFile($pathtophpfiles . '/lng/english.lng.php');
+		// include admin/customer language file
 		include_once makeCorrectFile($pathtophpfiles . '/' . $langfile);

 		// Get mail templates from database; the ones from 'admin' are fetched for fallback