secure api-key generation, dns-record as well as ssl-certificate deletion, logo uploading, frame-inclusion and user/email enumeration via 'forgot password'
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
@@ -70,7 +70,7 @@ if ($action == 'delete') {
|
||||
), $id);
|
||||
}
|
||||
}
|
||||
} elseif ($action == 'add') {
|
||||
} elseif ($action == 'add' && isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
$ins_stmt = Database::prepare("
|
||||
INSERT INTO `" . TABLE_API_KEYS . "` SET
|
||||
`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
|
||||
@@ -92,6 +92,10 @@ if ($action == 'delete') {
|
||||
$success_message = $lng['apikeys']['apikey_added'];
|
||||
} elseif ($action == 'jqEditApiKey') {
|
||||
$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
|
||||
if (empty($keyid)) {
|
||||
echo json_encode(false);
|
||||
exit;
|
||||
}
|
||||
$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
|
||||
$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;
|
||||
|
||||
|
||||
@@ -58,6 +58,7 @@ if ($action == 'add_record' && ! empty($_POST)) {
|
||||
// remove entry
|
||||
$entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
|
||||
if ($entry_id > 0) {
|
||||
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
try {
|
||||
DomainZones::getLocal($userinfo, array(
|
||||
'entry_id' => $entry_id,
|
||||
@@ -68,6 +69,13 @@ if ($action == 'add_record' && ! empty($_POST)) {
|
||||
} catch (Exception $e) {
|
||||
$errors = str_replace("\n", "<br>", $e->getMessage());
|
||||
}
|
||||
} else {
|
||||
\Froxlor\UI\HTML::askYesNo('dnsentry_reallydelete', $filename, array(
|
||||
'page' => $page,
|
||||
'action' => $action,
|
||||
'id' => $id
|
||||
), $id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
23
index.php
23
index.php
@@ -425,6 +425,19 @@ if ($action == 'forgotpwd') {
|
||||
}
|
||||
}
|
||||
|
||||
$no_action = false;
|
||||
if ($adminchecked) {
|
||||
if (Settings::Get('panel.allow_preset_admin') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
unset($adminchecked);
|
||||
}
|
||||
} else {
|
||||
if (Settings::Get('panel.allow_preset') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
}
|
||||
}
|
||||
|
||||
if (empty($message)) {
|
||||
if ($result_stmt !== null) {
|
||||
$user = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
@@ -569,16 +582,6 @@ if ($action == 'forgotpwd') {
|
||||
$message = $lng['login']['usernotfound'];
|
||||
}
|
||||
}
|
||||
|
||||
if ($adminchecked) {
|
||||
if (Settings::Get('panel.allow_preset_admin') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
unset($adminchecked);
|
||||
}
|
||||
} else {
|
||||
if (Settings::Get('panel.allow_preset') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
}
|
||||
}
|
||||
|
||||
eval("echo \"" . \Froxlor\UI\Template::getTemplate('fpwd') . "\";");
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
<?php
|
||||
|
||||
namespace Froxlor\Settings;
|
||||
|
||||
use Froxlor\Database\Database;
|
||||
@@ -391,8 +392,18 @@ class Store
|
||||
}
|
||||
|
||||
// Make sure mime-type matches an image
|
||||
if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
|
||||
throw new \Exception("Uploaded file not a valid image");
|
||||
if (function_exists('finfo_open')) {
|
||||
$finfo = finfo_open(FILEINFO_MIME_TYPE);
|
||||
$mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
|
||||
finfo_close($finfo);
|
||||
} else {
|
||||
$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
|
||||
}
|
||||
if (empty($mimetype)) {
|
||||
$mimetype = 'application/octet-stream';
|
||||
}
|
||||
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
|
||||
throw new \Exception("Uploaded file is not a valid image");
|
||||
}
|
||||
|
||||
// Determine file extension
|
||||
@@ -400,6 +411,15 @@ class Store
|
||||
$file_extension = strtolower(array_pop($spl));
|
||||
unset($spl);
|
||||
|
||||
if (!in_array($file_extension, [
|
||||
'jpeg',
|
||||
'jpg',
|
||||
'png',
|
||||
'gif'
|
||||
])) {
|
||||
throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
|
||||
}
|
||||
|
||||
// Move file
|
||||
if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
|
||||
throw new \Exception("Unable to save image to img folder");
|
||||
|
||||
@@ -59,7 +59,7 @@ header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time()));
|
||||
// Inline-JS is no longer allowed and used
|
||||
// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
|
||||
// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
|
||||
$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';";
|
||||
$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
|
||||
header("Content-Security-Policy: " . $csp_content);
|
||||
header("X-Content-Security-Policy: " . $csp_content);
|
||||
header("X-WebKit-CSP: " . $csp_content);
|
||||
|
||||
@@ -2141,3 +2141,5 @@ $lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
|
||||
$lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>';
|
||||
|
||||
$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
|
||||
$lng['question']['dnsentry_reallydelete'] = 'Do you really want to delete the dns entry #%d?';
|
||||
$lng['question']['certificate_reallydelete'] = 'Do you really want to delete the certificate #%d?';
|
||||
|
||||
@@ -1787,3 +1787,5 @@ $lng['serversettings']['acmeshpath']['title'] = 'Pfad zu acme.sh';
|
||||
$lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>';
|
||||
|
||||
$lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';
|
||||
$lng['question']['dnsentry_reallydelete'] = 'Zonen-Eintrag #%d wirklich löschen?';
|
||||
$lng['question']['certificate_reallydelete'] = 'Zertifikat #%d wirklich löschen?';
|
||||
|
||||
@@ -31,6 +31,7 @@ $success_message = "";
|
||||
if ($action == 'delete') {
|
||||
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
|
||||
if ($id > 0) {
|
||||
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
try {
|
||||
$json_result = Certificates::getLocal($userinfo, array(
|
||||
'id' => $id
|
||||
@@ -39,6 +40,13 @@ if ($action == 'delete') {
|
||||
} catch (Exception $e) {
|
||||
\Froxlor\UI\Response::dynamic_error($e->getMessage());
|
||||
}
|
||||
} else {
|
||||
\Froxlor\UI\HTML::askYesNo('certificate_reallydelete', $filename, array(
|
||||
'page' => $page,
|
||||
'action' => $action,
|
||||
'id' => $id
|
||||
), $id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user