maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

secure api-key generation, dns-record as well as ssl-certificate deletion, logo uploading, frame-inclusion and user/email enumeration via 'forgot password'

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-12-02 09:22:08 +01:00
parent 0e703a4199
commit 4d454a3903
8 changed files with 257 additions and 210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api_keys.php
View File

@@ -70,7 +70,7 @@ if ($action == 'delete') {
), $id); ), $id);
} }
} }
} elseif ($action == 'add') { } elseif ($action == 'add' && isset($_POST['send']) && $_POST['send'] == 'send') {
$ins_stmt = Database::prepare(" $ins_stmt = Database::prepare("
INSERT INTO `" . TABLE_API_KEYS . "` SET INSERT INTO `" . TABLE_API_KEYS . "` SET
`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = '' `apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
@@ -92,6 +92,10 @@ if ($action == 'delete') {
$success_message = $lng['apikeys']['apikey_added']; $success_message = $lng['apikeys']['apikey_added'];
} elseif ($action == 'jqEditApiKey') { } elseif ($action == 'jqEditApiKey') {
$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0; $keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
if (empty($keyid)) {
echo json_encode(false);
exit;
}
$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : ""; $allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1; $valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;

26
dns_editor.php
View File

@@ -58,15 +58,23 @@ if ($action == 'add_record' && ! empty($_POST)) {
// remove entry // remove entry
$entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0; $entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($entry_id > 0) { if ($entry_id > 0) {
try { if (isset($_POST['send']) && $_POST['send'] == 'send') {
DomainZones::getLocal($userinfo, array( try {
'entry_id' => $entry_id, DomainZones::getLocal($userinfo, array(
'id' => $domain_id 'entry_id' => $entry_id,
))->delete(); 'id' => $domain_id
// success message (inline) ))->delete();
$success_message = $lng['success']['dns_record_deleted']; // success message (inline)
} catch (Exception $e) { $success_message = $lng['success']['dns_record_deleted'];
$errors = str_replace("\n", "<br>", $e->getMessage()); } catch (Exception $e) {
$errors = str_replace("\n", "<br>", $e->getMessage());
}
} else {
\Froxlor\UI\HTML::askYesNo('dnsentry_reallydelete', $filename, array(
'page' => $page,
'action' => $action,
'id' => $id
), $id);
} }
} }
} }

273
index.php
View File

@@ -425,159 +425,162 @@ if ($action == 'forgotpwd') {
} }
} }
if ($result_stmt !== null) { $no_action = false;
$user = $result_stmt->fetch(PDO::FETCH_ASSOC); if ($adminchecked) {
if (Settings::Get('panel.allow_preset_admin') != '1') {
/* Check whether user is banned */ $message = $lng['pwdreminder']['notallowed'];
if ($user['deactivated']) { unset($adminchecked);
\Froxlor\UI\Response::redirectTo('index.php', array(
'showmessage' => '8'
));
exit();
} }
} else {
if (Settings::Get('panel.allow_preset') != '1') {
$message = $lng['pwdreminder']['notallowed'];
}
}
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) { if (empty($message)) {
if ($user !== false) { if ($result_stmt !== null) {
// build a activation code $user = $result_stmt->fetch(PDO::FETCH_ASSOC);
$timestamp = time();
$first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
$third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
// Drop all existing activation codes for this user /* Check whether user is banned */
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "` if ($user['deactivated']) {
WHERE `userid` = :userid \Froxlor\UI\Response::redirectTo('index.php', array(
AND `admin` = :admin"); 'showmessage' => '8'
$params = array(
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0
);
Database::pexecute($stmt, $params);
// Add new activation code to database
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
(userid, admin, creation, activationcode)
VALUES (:userid, :admin, :creation, :activationcode)");
$params = array(
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0,
"creation" => $timestamp,
"activationcode" => $activationcode
);
Database::pexecute($stmt, $params);
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset'
)); ));
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password."); exit();
}
// Set together our activation link if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https'; if ($user !== false) {
// this can be a fixed value to avoid potential exploiting by modifying headers // build a activation code
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST']; $timestamp = time();
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : ''; $first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
// don't add :443 when https is used, as it is default (and just looks weird!) $third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') { $activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
$port = '';
}
// there can be only one script to handle this so we can use a fixed value here
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
$script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
}
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
$replace_arr = array( // Drop all existing activation codes for this user
'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user), $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
'NAME' => $user['name'], WHERE `userid` = :userid
'FIRSTNAME' => $user['firstname'] ?? "", AND `admin` = :admin");
'COMPANY' => $user['company'] ?? "", $params = array(
'CUSTOMER_NO' => $user['customernumber'] ?? 0, "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
'USERNAME' => $loginname, "admin" => $adminchecked ? 1 : 0
'LINK' => $activationlink );
); Database::pexecute($stmt, $params);
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage'); // Add new activation code to database
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '` $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
WHERE `adminid`= :adminid (userid, admin, creation, activationcode)
AND `language`= :lang VALUES (:userid, :admin, :creation, :activationcode)");
AND `templategroup`=\'mails\' $params = array(
AND `varname`=\'password_reset_subject\''); "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
Database::pexecute($result_stmt, array( "admin" => $adminchecked ? 1 : 0,
"adminid" => $user['adminid'], "creation" => $timestamp,
"lang" => $def_language "activationcode" => $activationcode
)); );
$result = $result_stmt->fetch(PDO::FETCH_ASSOC); Database::pexecute($stmt, $params);
$mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_mailbody\'');
Database::pexecute($result_stmt, array(
"adminid" => $user['adminid'],
"lang" => $def_language
));
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
$_mailerror = false;
$mailerr_msg = "";
try {
$mail->Subject = $mail_subject;
$mail->AltBody = $mail_body;
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
$mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
$mail->Send();
} catch (\PHPMailer\PHPMailer\Exception $e) {
$mailerr_msg = $e->errorMessage();
$_mailerror = true;
} catch (Exception $e) {
$mailerr_msg = $e->getMessage();
$_mailerror = true;
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf(array( $rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset' 'loginname' => 'password_reset'
)); ));
$rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg); $rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
// Set together our activation link
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
// this can be a fixed value to avoid potential exploiting by modifying headers
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
// don't add :443 when https is used, as it is default (and just looks weird!)
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
$port = '';
}
// there can be only one script to handle this so we can use a fixed value here
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
$script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
}
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
$replace_arr = array(
'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user),
'NAME' => $user['name'],
'FIRSTNAME' => $user['firstname'] ?? "",
'COMPANY' => $user['company'] ?? "",
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
'USERNAME' => $loginname,
'LINK' => $activationlink
);
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_subject\'');
Database::pexecute($result_stmt, array(
"adminid" => $user['adminid'],
"lang" => $def_language
));
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_mailbody\'');
Database::pexecute($result_stmt, array(
"adminid" => $user['adminid'],
"lang" => $def_language
));
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
$_mailerror = false;
$mailerr_msg = "";
try {
$mail->Subject = $mail_subject;
$mail->AltBody = $mail_body;
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
$mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
$mail->Send();
} catch (\PHPMailer\PHPMailer\Exception $e) {
$mailerr_msg = $e->errorMessage();
$_mailerror = true;
} catch (Exception $e) {
$mailerr_msg = $e->getMessage();
$_mailerror = true;
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset'
));
$rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
\Froxlor\UI\Response::redirectTo('index.php', array(
'showmessage' => '4',
'customermail' => $user['email']
));
exit();
}
$mail->ClearAddresses();
\Froxlor\UI\Response::redirectTo('index.php', array( \Froxlor\UI\Response::redirectTo('index.php', array(
'showmessage' => '4', 'showmessage' => '1'
'customermail' => $user['email']
)); ));
exit(); exit();
} else {
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset'
));
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
$message = $lng['login']['combination_not_found'];
} }
$mail->ClearAddresses(); unset($user);
\Froxlor\UI\Response::redirectTo('index.php', array(
'showmessage' => '1'
));
exit();
} else {
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset'
));
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
$message = $lng['login']['combination_not_found'];
} }
} else {
unset($user); $message = $lng['login']['usernotfound'];
} }
} else {
$message = $lng['login']['usernotfound'];
}
}
if ($adminchecked) {
if (Settings::Get('panel.allow_preset_admin') != '1') {
$message = $lng['pwdreminder']['notallowed'];
unset($adminchecked);
}
} else {
if (Settings::Get('panel.allow_preset') != '1') {
$message = $lng['pwdreminder']['notallowed'];
} }
} }

134
lib/Froxlor/Settings/Store.php
View File

@@ -1,4 +1,5 @@
<?php <?php
namespace Froxlor\Settings; namespace Froxlor\Settings;
use Froxlor\Database\Database; use Froxlor\Database\Database;
@@ -63,9 +64,9 @@ class Store
if (count($ids) > 0) { if (count($ids) > 0) {
$defaultips_new = explode(',', $newfieldvalue); $defaultips_new = explode(',', $newfieldvalue);
if (! empty($defaultips_old) && ! empty($newfieldvalue)) { if (!empty($defaultips_old) && !empty($newfieldvalue)) {
$in_value = $defaultips_old . ", " . $newfieldvalue; $in_value = $defaultips_old . ", " . $newfieldvalue;
} elseif (! empty($defaultips_old) && empty($newfieldvalue)) { } elseif (!empty($defaultips_old) && empty($newfieldvalue)) {
$in_value = $defaultips_old; $in_value = $defaultips_old;
} else { } else {
$in_value = $newfieldvalue; $in_value = $newfieldvalue;
@@ -280,11 +281,11 @@ class Store
if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'mysql_access_host') { if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'mysql_access_host') {
$mysql_access_host_array = array_map('trim', explode(',', $newfieldvalue)); $mysql_access_host_array = array_map('trim', explode(',', $newfieldvalue));
if (in_array('127.0.0.1', $mysql_access_host_array) && ! in_array('localhost', $mysql_access_host_array)) { if (in_array('127.0.0.1', $mysql_access_host_array) && !in_array('localhost', $mysql_access_host_array)) {
$mysql_access_host_array[] = 'localhost'; $mysql_access_host_array[] = 'localhost';
} }
if (! in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) { if (!in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
$mysql_access_host_array[] = '127.0.0.1'; $mysql_access_host_array[] = '127.0.0.1';
} }
@@ -306,8 +307,8 @@ class Store
private static function cleanMySQLAccessHost($value) private static function cleanMySQLAccessHost($value)
{ {
if (substr($value, 0, 1) == '[' && substr($value, - 1) == ']') { if (substr($value, 0, 1) == '[' && substr($value, -1) == ']') {
return substr($value, 1, - 1); return substr($value, 1, -1);
} }
return $value; return $value;
} }
@@ -370,66 +371,85 @@ class Store
} }
public static function storeSettingImage($fieldname, $fielddata) public static function storeSettingImage($fieldname, $fielddata)
{ {
if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') { if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
$save_to = null; $save_to = null;
$path = \Froxlor\Froxlor::getInstallDir().'/img/'; $path = \Froxlor\Froxlor::getInstallDir() . '/img/';
$path = \Froxlor\FileDir::makeCorrectDir($path); $path = \Froxlor\FileDir::makeCorrectDir($path);
// New file? // New file?
if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) { if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) {
// Make sure upload directory exists // Make sure upload directory exists
if (!is_dir($path) && !mkdir($path, 0775)) { if (!is_dir($path) && !mkdir($path, 0775)) {
throw new \Exception("img directory does not exist and cannot be created"); throw new \Exception("img directory does not exist and cannot be created");
} }
// Make sure we can write to the upload directory // Make sure we can write to the upload directory
if (!is_writable($path)) { if (!is_writable($path)) {
if (!chmod($path, 0775)) { if (!chmod($path, 0775)) {
throw new \Exception("Cannot write to img directory"); throw new \Exception("Cannot write to img directory");
} }
} }
// Make sure mime-type matches an image // Make sure mime-type matches an image
if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) { if (function_exists('finfo_open')) {
throw new \Exception("Uploaded file not a valid image"); $finfo = finfo_open(FILEINFO_MIME_TYPE);
} $mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
finfo_close($finfo);
} else {
$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
}
if (empty($mimetype)) {
$mimetype = 'application/octet-stream';
}
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
throw new \Exception("Uploaded file is not a valid image");
}
// Determine file extension // Determine file extension
$spl = explode('.', $_FILES[$fieldname]['name']); $spl = explode('.', $_FILES[$fieldname]['name']);
$file_extension = strtolower(array_pop($spl)); $file_extension = strtolower(array_pop($spl));
unset($spl); unset($spl);
// Move file if (!in_array($file_extension, [
if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path.$fielddata['image_name'].'.'.$file_extension)) { 'jpeg',
throw new \Exception("Unable to save image to img folder"); 'jpg',
} 'png',
'gif'
])) {
throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
}
$save_to = 'img/'.$fielddata['image_name'].'.'.$file_extension.'?v='.time(); // Move file
} if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
throw new \Exception("Unable to save image to img folder");
}
// Delete file? $save_to = 'img/' . $fielddata['image_name'] . '.' . $file_extension . '?v=' . time();
if ($fielddata['value'] !== "" && array_key_exists($fieldname.'_delete', $_POST) && $_POST[$fieldname.'_delete']) { }
@unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
$save_to = '';
}
// Nothing changed // Delete file?
if ($save_to === null) { if ($fielddata['value'] !== "" && array_key_exists($fieldname . '_delete', $_POST) && $_POST[$fieldname . '_delete']) {
return array( @unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value'] $save_to = '';
); }
}
if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) { // Nothing changed
return false; if ($save_to === null) {
} return array(
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value']
);
}
return array( if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) {
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to return false;
); }
}
return false; return array(
} $fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to
);
}
return false;
}
} }

2
lib/init.php
View File

@@ -59,7 +59,7 @@ header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time()));
// Inline-JS is no longer allowed and used // Inline-JS is no longer allowed and used
// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy // New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';"; $csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
header("Content-Security-Policy: " . $csp_content); header("Content-Security-Policy: " . $csp_content);
header("X-Content-Security-Policy: " . $csp_content); header("X-Content-Security-Policy: " . $csp_content);
header("X-WebKit-CSP: " . $csp_content); header("X-WebKit-CSP: " . $csp_content);

4
lng/english.lng.php
View File

@@ -2140,4 +2140,6 @@ $lng['error']['pathmustberelative'] = 'The user does not have the permission to
$lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh'; $lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
$lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>'; $lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>';
$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?'; $lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
$lng['question']['dnsentry_reallydelete'] = 'Do you really want to delete the dns entry #%d?';
$lng['question']['certificate_reallydelete'] = 'Do you really want to delete the certificate #%d?';

2
lng/german.lng.php
View File

@@ -1787,3 +1787,5 @@ $lng['serversettings']['acmeshpath']['title'] = 'Pfad zu acme.sh';
$lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>'; $lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>';
$lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?'; $lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';
$lng['question']['dnsentry_reallydelete'] = 'Zonen-Eintrag #%d wirklich löschen?';
$lng['question']['certificate_reallydelete'] = 'Zertifikat #%d wirklich löschen?';

20
ssl_certificates.php
View File

@@ -31,13 +31,21 @@ $success_message = "";
if ($action == 'delete') { if ($action == 'delete') {
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0; $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id > 0) { if ($id > 0) {
try { if (isset($_POST['send']) && $_POST['send'] == 'send') {
$json_result = Certificates::getLocal($userinfo, array( try {
$json_result = Certificates::getLocal($userinfo, array(
'id' => $id
))->delete();
$success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
} catch (Exception $e) {
\Froxlor\UI\Response::dynamic_error($e->getMessage());
}
} else {
\Froxlor\UI\HTML::askYesNo('certificate_reallydelete', $filename, array(
'page' => $page,
'action' => $action,
'id' => $id 'id' => $id
))->delete(); ), $id);
$success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
} catch (Exception $e) {
\Froxlor\UI\Response::dynamic_error($e->getMessage());
} }
} }
} }