secure api-key generation, dns-record as well as ssl-certificate deletion, logo uploading, frame-inclusion and user/email enumeration via 'forgot password'

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

api_keys.php

@@ -70,7 +70,7 @@ if ($action == 'delete') {
 			), $id);
 		}
 	}
-} elseif ($action == 'add') {
+} elseif ($action == 'add' && isset($_POST['send']) && $_POST['send'] == 'send') {
 	$ins_stmt = Database::prepare("
 		INSERT INTO `" . TABLE_API_KEYS . "` SET
 		`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
@@ -92,6 +92,10 @@ if ($action == 'delete') {
 	$success_message = $lng['apikeys']['apikey_added'];
 } elseif ($action == 'jqEditApiKey') {
 	$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
+	if (empty($keyid)) {
+		echo json_encode(false);
+		exit;
+	}
 	$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
 	$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;
 

dns_editor.php

@@ -58,6 +58,7 @@ if ($action == 'add_record' && ! empty($_POST)) {
 	// remove entry
 	$entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 	if ($entry_id > 0) {
+		if (isset($_POST['send']) && $_POST['send'] == 'send') {
 			try {
 				DomainZones::getLocal($userinfo, array(
 					'entry_id' => $entry_id,
@@ -68,6 +69,13 @@ if ($action == 'add_record' && ! empty($_POST)) {
 			} catch (Exception $e) {
 				$errors = str_replace("\n", "<br>", $e->getMessage());
 			}
+		} else {
+			\Froxlor\UI\HTML::askYesNo('dnsentry_reallydelete', $filename, array(
+				'page' => $page,
+				'action' => $action,
+				'id' => $id
+			), $id);
+		}
 	}
 }
 

index.php

@@ -425,6 +425,19 @@ if ($action == 'forgotpwd') {
 			}
 		}
 
+		$no_action = false;
+		if ($adminchecked) {
+			if (Settings::Get('panel.allow_preset_admin') != '1') {
+				$message = $lng['pwdreminder']['notallowed'];
+				unset($adminchecked);
+			}
+		} else {
+			if (Settings::Get('panel.allow_preset') != '1') {
+				$message = $lng['pwdreminder']['notallowed'];
+			}
+		}
+
+		if (empty($message)) {
 			if ($result_stmt !== null) {
 				$user = $result_stmt->fetch(PDO::FETCH_ASSOC);
 
@@ -569,16 +582,6 @@ if ($action == 'forgotpwd') {
 				$message = $lng['login']['usernotfound'];
 			}
 		}
-
-	if ($adminchecked) {
-		if (Settings::Get('panel.allow_preset_admin') != '1') {
-			$message = $lng['pwdreminder']['notallowed'];
-			unset($adminchecked);
-		}
-	} else {
-		if (Settings::Get('panel.allow_preset') != '1') {
-			$message = $lng['pwdreminder']['notallowed'];
-		}
 	}
 
 	eval("echo \"" . \Froxlor\UI\Template::getTemplate('fpwd') . "\";");

lib/Froxlor/Settings/Store.php

@@ -1,4 +1,5 @@
 <?php
+
 namespace Froxlor\Settings;
 
 use Froxlor\Database\Database;
@@ -63,9 +64,9 @@ class Store
 		if (count($ids) > 0) {
 			$defaultips_new = explode(',', $newfieldvalue);
 
-			if (! empty($defaultips_old) && ! empty($newfieldvalue)) {
+			if (!empty($defaultips_old) && !empty($newfieldvalue)) {
 				$in_value = $defaultips_old . ", " . $newfieldvalue;
-			} elseif (! empty($defaultips_old) && empty($newfieldvalue)) {
+			} elseif (!empty($defaultips_old) && empty($newfieldvalue)) {
 				$in_value = $defaultips_old;
 			} else {
 				$in_value = $newfieldvalue;
@@ -280,11 +281,11 @@ class Store
 		if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'mysql_access_host') {
 			$mysql_access_host_array = array_map('trim', explode(',', $newfieldvalue));
 
-			if (in_array('127.0.0.1', $mysql_access_host_array) && ! in_array('localhost', $mysql_access_host_array)) {
+			if (in_array('127.0.0.1', $mysql_access_host_array) && !in_array('localhost', $mysql_access_host_array)) {
 				$mysql_access_host_array[] = 'localhost';
 			}
 
-			if (! in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
+			if (!in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
 				$mysql_access_host_array[] = '127.0.0.1';
 			}
 
@@ -306,8 +307,8 @@ class Store
 
 	private static function cleanMySQLAccessHost($value)
 	{
-		if (substr($value, 0, 1) == '[' && substr($value, - 1) == ']') {
-			return substr($value, 1, - 1);
+		if (substr($value, 0, 1) == '[' && substr($value, -1) == ']') {
+			return substr($value, 1, -1);
 		}
 		return $value;
 	}
@@ -373,7 +374,7 @@ class Store
 	{
 		if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
 			$save_to = null;
-            $path = \Froxlor\Froxlor::getInstallDir().'/img/';
+			$path = \Froxlor\Froxlor::getInstallDir() . '/img/';
 			$path = \Froxlor\FileDir::makeCorrectDir($path);
 
 			// New file?
@@ -391,8 +392,18 @@ class Store
 				}
 
 				// Make sure mime-type matches an image
-                if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
-                    throw new \Exception("Uploaded file not a valid image");
+				if (function_exists('finfo_open')) {
+					$finfo = finfo_open(FILEINFO_MIME_TYPE);
+					$mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
+					finfo_close($finfo);
+				} else {
+					$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
+				}
+				if (empty($mimetype)) {
+					$mimetype = 'application/octet-stream';
+				}
+				if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
+					throw new \Exception("Uploaded file is not a valid image");
 				}
 
 				// Determine file extension
@@ -400,16 +411,25 @@ class Store
 				$file_extension = strtolower(array_pop($spl));
 				unset($spl);
 
+				if (!in_array($file_extension, [
+					'jpeg',
+					'jpg',
+					'png',
+					'gif'
+				])) {
+					throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
+				}
+
 				// Move file
-                if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path.$fielddata['image_name'].'.'.$file_extension)) {
+				if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
 					throw new \Exception("Unable to save image to img folder");
 				}
 
-                $save_to = 'img/'.$fielddata['image_name'].'.'.$file_extension.'?v='.time();
+				$save_to = 'img/' . $fielddata['image_name'] . '.' . $file_extension . '?v=' . time();
 			}
 
 			// Delete file?
-            if ($fielddata['value'] !== "" && array_key_exists($fieldname.'_delete', $_POST) && $_POST[$fieldname.'_delete']) {
+			if ($fielddata['value'] !== "" && array_key_exists($fieldname . '_delete', $_POST) && $_POST[$fieldname . '_delete']) {
 				@unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
 				$save_to = '';
 			}

lib/init.php

@@ -59,7 +59,7 @@ header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time()));
 // Inline-JS is no longer allowed and used
 // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
 // New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
-$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';";
+$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
 header("Content-Security-Policy: " . $csp_content);
 header("X-Content-Security-Policy: " . $csp_content);
 header("X-WebKit-CSP: " . $csp_content);

lng/english.lng.php

@@ -2141,3 +2141,5 @@ $lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
 $lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>';
 
 $lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
+$lng['question']['dnsentry_reallydelete'] = 'Do you really want to delete the dns entry #%d?';
+$lng['question']['certificate_reallydelete'] = 'Do you really want to delete the certificate #%d?';

lng/german.lng.php

@@ -1787,3 +1787,5 @@ $lng['serversettings']['acmeshpath']['title'] = 'Pfad zu acme.sh';
 $lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>';
 
 $lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';
+$lng['question']['dnsentry_reallydelete'] = 'Zonen-Eintrag #%d wirklich löschen?';
+$lng['question']['certificate_reallydelete'] = 'Zertifikat #%d wirklich löschen?';

ssl_certificates.php

@@ -31,6 +31,7 @@ $success_message = "";
 if ($action == 'delete') {
 	$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 	if ($id > 0) {
+		if (isset($_POST['send']) && $_POST['send'] == 'send') {
 			try {
 				$json_result = Certificates::getLocal($userinfo, array(
 					'id' => $id
@@ -39,6 +40,13 @@ if ($action == 'delete') {
 			} catch (Exception $e) {
 				\Froxlor\UI\Response::dynamic_error($e->getMessage());
 			}
+		} else {
+			\Froxlor\UI\HTML::askYesNo('certificate_reallydelete', $filename, array(
+				'page' => $page,
+				'action' => $action,
+				'id' => $id
+			), $id);
+		}
 	}
 }