From 63f6d221cd33c96f3266673a199176903c521100 Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Fri, 2 Dec 2022 09:24:08 +0100 Subject: [PATCH] secure logo uploading, avoid frame-inclusion, adjustments to SECURITY.md and minor changes in UI for domain import and darkmode Signed-off-by: Michael Kaufmann --- SECURITY.md | 49 ++++++++++++++++--- lib/Froxlor/Settings/Store.php | 28 ++++++++--- lib/Froxlor/UI/Panel/UI.php | 2 +- .../domains/formfield.domains_import.php | 5 ++ lng/de.lng.php | 2 +- lng/en.lng.php | 2 +- .../Froxlor/src/scss/variables/_dark.scss | 4 ++ 7 files changed, 74 insertions(+), 18 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2465b905..8f3af67b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,14 +1,47 @@
-# Security Policy
+# froxlor's Security Policy
-## Supported Versions
+Welcome and thanks for taking interest in [froxlor](https://www.froxlor.org)!
-Our main and active version is currently 0.10.x. It will receive maintenance and security updates periodically. The older version 0.9.x will not receive any kind of updates. Please update to [0.10.x](https://github.com/Froxlor/Froxlor/wiki/Updating-Froxlor)
+We are mostly interested in reports by actual froxlor users but all high quality contributions are welcome.
-| Version | Supported |
-| ------- | ------------------ |
-| 0.10.x | :white_check_mark: |
-| 0.9.x | :x: |
+Please try your best to describe a clear and realistic impact for your report and please don't open any public issues on GitHub or social media, we're doing our best to respond through huntr as quickly as we can.
+
+With that, good luck hacking us ;)
+
+## Supported versions
+
+- ️✅ **2.x** (`main` git-branch)
+- ❌ 0.10.x (`0.10.x` git-branch)
+- ❌ 0.9.x (`0.9.x`git-branch)
+
+## Qualifying Vulnerabilities
+
+### Vulnerabilities we really care about
+- SQL injection bugs
+- server-side code execution bugs
+- cross-site scripting vulnerabilities
+- cross-site request forgery vulnerabilities
+- authentication and authorization flaws
+- sensitive information disclosure
+
+### Vulnerabilities we accept
+
+Only reproducable issues on a default/clean setup from the latest stable release of a supported version will be accepted.
+
+## Non-Qualifying Vulnerabilities
+
+- Reports from automated tools or scanners
+- Theoretical attacks without proof of exploitability
+- Attacks that are the result of a third party library should be reported to the library maintainers
+- Social engineering
+- Reflected file download
+- Physical attacks
+- Weak SSL/TLS/SSH algorithms or protocols
+- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle).
+- The user attacks themselves
+- anything in `/doc`
+- anything in `/tests`
 ## Reporting a Vulnerability
-If you think you have found a vulnerability in froxlor, please send an email to [team@froxlor.org](mailto:team@froxlor.org) with as many information as possible. Also, please give us appropriate time to fix the issue and build update-packages before publishing anything into the wild.
+If you think you have found a vulnerability in froxlor, please head over to [https://huntr.dev/repos/froxlor/froxlor](https://huntr.dev/repos/froxlor/froxlor) and use the reporting possibilities there as we are funding the prize-pot for froxlor on this platform. Also, please give us appropriate time to fix the issue and build update-packages before publishing anything into the wild. Alternatively you can send us an email to [team@froxlor.org](team@froxlor.org).
diff --git a/lib/Froxlor/Settings/Store.php b/lib/Froxlor/Settings/Store.php
index 4c5cd008..451df1aa 100644
--- a/lib/Froxlor/Settings/Store.php
+++ b/lib/Froxlor/Settings/Store.php
@@ -415,13 +415,18 @@ class Store
 }
 // Make sure mime-type matches an image
- if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), [
- 'image/jpeg',
- 'image/jpg',
- 'image/png',
- 'image/gif'
- ])) {
- throw new Exception("Uploaded file not a valid image");
+ if (function_exists('finfo_open')) {
+ $finfo = finfo_open(FILEINFO_MIME_TYPE);
+ $mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
+ finfo_close($finfo);
+ } else {
+ $mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
+ }
+ if (empty($mimetype)) {
+ $mimetype = 'application/octet-stream';
+ }
+ if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
+ throw new \Exception("Uploaded file is not a valid image");
 }
 // Determine file extension
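Review bot: The MIME allowlist at the new `in_array($mimetype, [...])` line only validates the magic bytes that finfo sniffs, so a polyglot such as a valid GIF or PNG header followed by PHP source still passes here; it is the extension allowlist this commit adds in the next hunk that keeps a logo from being executed as a script, and the code should say so, e.g. `// magic-byte sniffing only: a polyglot image with embedded PHP passes this check; the extension allowlist below is what prevents execution`. The comparison should also be strict, `if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'], true)) {`, and `'image/jpg'` is not a type finfo emits, so it can be dropped or kept as a documented no-op. This hunk throws `\Exception` while the rest of the method throws an unqualified `Exception`; if the file already imports the global class both are the same and the leading backslash is just inconsistent, otherwise one of them resolves into the `Froxlor\Settings` namespace — worth checking the file header. The enclosing method starts and ends outside the hunk.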
@@ -429,6 +434,15 @@ class Store
 $file_extension = strtolower(array_pop($spl));
 unset($spl);
+ if (!in_array($file_extension, [
+ 'jpeg',
+ 'jpg',
+ 'png',
+ 'gif'
+ ])) {
+ throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
+ }
+
 // Move file
 if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
 throw new Exception("Unable to save image to img folder");
diff --git a/lib/Froxlor/UI/Panel/UI.php b/lib/Froxlor/UI/Panel/UI.php
index 9e2c7ac5..8c25950b 100644
--- a/lib/Froxlor/UI/Panel/UI.php
+++ b/lib/Froxlor/UI/Panel/UI.php
@@ -114,7 +114,7 @@ class UI
 // Inline-JS is no longer allowed and used
 // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
 // New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
- $csp_content = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';";
+ $csp_content = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
 header("Content-Security-Policy: " . $csp_content);
 header("X-Content-Security-Policy: " . $csp_content);
 header("X-WebKit-CSP: " . $csp_content);
diff --git a/lib/formfields/admin/domains/formfield.domains_import.php b/lib/formfields/admin/domains/formfield.domains_import.php
index 5002c02f..e2686add 100644
--- a/lib/formfields/admin/domains/formfield.domains_import.php
+++ b/lib/formfields/admin/domains/formfield.domains_import.php
@@ -55,6 +55,11 @@ return [
 ]
 ]
 ]
+ ],
+ 'buttons' => [
+ [
+ 'label' => lng('domains.domain_import')
+ ]
 ]
 ]
 ];
diff --git a/lng/de.lng.php b/lng/de.lng.php
index 8ec3dfc0..ab717b13 100644
--- a/lng/de.lng.php
+++ b/lng/de.lng.php
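Review bot: The extension allowlist in the new `in_array($file_extension, [...])` block still takes the extension from the client-supplied upload name, so the stored name and the sniffed content are validated independently but never tied together: a PNG uploaded as `logo.jpg` is written as `.jpg`, and nothing in the hunk removes an earlier `logo.png`, so a stale logo with a different extension may still be served (worth confirming against the caller). Deriving the extension from the `$mimetype` this commit already validates earlier in the method, `$file_extension = ['image/jpeg' => 'jpg', 'image/jpg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mimetype];`, ties the two together and makes this second allowlist unnecessary; the key is guaranteed to exist because the MIME check rejects everything else. If the allowlist stays, pass `true` as the third argument of `in_array` so the comparison is strict, and add `// second line of defence: never persist a user-chosen extension the web server might execute` above it. The enclosing method starts and ends outside the hunk.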
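Review bot: `frame-ancestors 'self'` is the right clickjacking control, but it is only honoured from the standard `Content-Security-Policy` header; the obsolete `X-Content-Security-Policy`/`X-WebKit-CSP` headers the method also emits predate that directive, so user agents that only understand them get no framing protection, and the hunk should add `header("X-Frame-Options: SAMEORIGIN");` beside the three `header()` calls as the fallback. `object-src 'self'` and `frame-src 'self'` add nothing beyond the existing `default-src 'self'`; if the panel serves no plugin content, `object-src 'none'` is the tighter choice. The comment above the policy still says inline JS is not allowed while `script-src` keeps `'unsafe-inline' 'unsafe-eval'`; that predates this commit, but a note such as `// NOTE: inline scripts and eval are still permitted; tighten script-src once templates are nonce-based` would stop the comment from overstating the policy. The enclosing method continues outside the hunk.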
@@ -684,7 +684,7 @@ return [
 'import_separator' => 'Trennzeichen',
 'import_offset' => 'Versatz (offset)',
 'import_file' => 'CSV-Datei',
- 'import_description' => 'Detaillierte Informationen über den Aufbau der Importdatei und einen erfolgreichen Import gibt es hier: https://docs.froxlor.org/latest/admin-guide/domain-import/ (englisch)',
+ 'import_description' => 'Detaillierte Informationen über den Aufbau der Importdatei und einen erfolgreichen Import gibt es hier: https://docs.froxlor.org/latest/admin-guide/domain-import/ (englisch)',
 'ssl_redirect_temporarilydisabled' => '
Die SSL-Umleitung ist, während ein neues Let\'s Encrypt - Zertifikat erstellt wird, temporär deaktiviert. Die Umleitung wird nach der Zertifikatserstellung wieder aktiviert.',
 'termination_date' => 'Kündigungsdatum',
 'termination_date_overview' => 'gekündigt zum ',
diff --git a/lng/en.lng.php b/lng/en.lng.php
index 878b536a..d3885543 100644
--- a/lng/en.lng.php
+++ b/lng/en.lng.php
@@ -750,7 +750,7 @@ return [
 'import_separator' => 'Separator',
 'import_offset' => 'Offset',
 'import_file' => 'CSV-File',
- 'import_description' => 'Detailed information about the structure of the import-file and how to import successfully, please visit https://docs.froxlor.org/latest/admin-guide/domain-import/',
+ 'import_description' => 'Detailed information about the structure of the import-file and how to import successfully, please visit https://docs.froxlor.org/latest/admin-guide/domain-import/',
 'ssl_redirect_temporarilydisabled' => '
The SSL redirect is temporarily deactivated while a new Let\'s Encrypt certificate is generated. It will be activated again after the certificate was generated.',
 'termination_date' => 'Date of termination',
 'termination_date_overview' => 'terminated as of ',
diff --git a/templates/Froxlor/src/scss/variables/_dark.scss b/templates/Froxlor/src/scss/variables/_dark.scss
index de2fd249..0d303415 100644
--- a/templates/Froxlor/src/scss/variables/_dark.scss
+++ b/templates/Froxlor/src/scss/variables/_dark.scss
@@ -59,3 +59,7 @@ $progress-bg: $gray-900;
 // Search
 $search-bg: $gray-800;
+
+// Popover
+$popover-bg: $gray-800;
+$popover-body-color: $gray-100;