maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add persistent db storage to goaccess-traffictool to have more data in the output index.html; add security questions when deleting certificates as we do for apikeys and dns-entries

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-11-06 10:11:40 +01:00
parent 8eedf87ac3
commit 78945768ec
7 changed files with 173 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
api_keys.php
View File

@@ -61,7 +61,7 @@ if ($action == 'delete' && $id > 0) {
'section' => 'index', 'section' => 'index',
'page' => $page 'page' => $page
]); ]);
} elseif ($action == 'deletesure' && $id > 0) { } elseif (isset($_POST['send']) && $_POST['send'] == 'send' && $action == 'deletesure' && $id > 0) {
$chk = (AREA == 'admin' && $userinfo['customers_see_all'] == '1') ? true : false; $chk = (AREA == 'admin' && $userinfo['customers_see_all'] == '1') ? true : false;
if (AREA == 'customer') { if (AREA == 'customer') {
$chk_stmt = Database::prepare(" $chk_stmt = Database::prepare("

2
dns_editor.php
View File

@@ -82,7 +82,7 @@ if ($action == 'add_record' && !empty($_POST)) {
'page' => $page, 'page' => $page,
'domain_id' => $domain_id 'domain_id' => $domain_id
]); ]);
} elseif ($action == 'deletesure' && !empty($_POST)) { } elseif (isset($_POST['send']) && $_POST['send'] == 'send' && $action == 'deletesure' && !empty($_POST)) {
$entry_id = isset($_POST['id']) ? (int)$_POST['id'] : 0; $entry_id = isset($_POST['id']) ? (int)$_POST['id'] : 0;
$domain_id = isset($_POST['domain_id']) ? (int)$_POST['domain_id'] : 0; $domain_id = isset($_POST['domain_id']) ? (int)$_POST['domain_id'] : 0;
// remove entry // remove entry

297
index.php
View File

@@ -435,159 +435,158 @@ if ($action == 'forgotpwd') {
} }
} }
if ($result_stmt !== null) { if ($adminchecked) {
$user = $result_stmt->fetch(PDO::FETCH_ASSOC); if (Settings::Get('panel.allow_preset_admin') != '1') {
$message = lng('pwdreminder.notallowed');
/* Check whether user is banned */ unset($adminchecked);
if ($user['deactivated']) {
Response::redirectTo('index.php', [
'showmessage' => '8'
]);
exit();
}
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
if ($user !== false) {
// build a activation code
$timestamp = time();
$first = substr(md5($user['loginname'] . $timestamp . PhpHelper::randomStr(16)), 0, 15);
$third = substr(md5($user['email'] . $timestamp . PhpHelper::randomStr(16)), -15);
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
// Drop all existing activation codes for this user
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
WHERE `userid` = :userid
AND `admin` = :admin");
$params = [
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0
];
Database::pexecute($stmt, $params);
// Add new activation code to database
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
(userid, admin, creation, activationcode)
VALUES (:userid, :admin, :creation, :activationcode)");
$params = [
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0,
"creation" => $timestamp,
"activationcode" => $activationcode
];
Database::pexecute($stmt, $params);
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
// Set together our activation link
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
// this can be a fixed value to avoid potential exploiting by modifying headers
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
// don't add :443 when https is used, as it is default (and just looks weird!)
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
$port = '';
}
// there can be only one script to handle this so we can use a fixed value here
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
$script = FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
}
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
$replace_arr = [
'SALUTATION' => User::getCorrectUserSalutation($user),
'NAME' => $user['name'],
'FIRSTNAME' => $user['firstname'] ?? "",
'COMPANY' => $user['company'] ?? "",
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
'USERNAME' => $loginname,
'LINK' => $activationlink
];
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_subject\'');
Database::pexecute($result_stmt, [
"adminid" => $user['adminid'],
"lang" => $def_language
]);
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_subject = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.subject')), $replace_arr));
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_mailbody\'');
Database::pexecute($result_stmt, [
"adminid" => $user['adminid'],
"lang" => $def_language
]);
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_body = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.mailbody')), $replace_arr));
$_mailerror = false;
$mailerr_msg = "";
try {
$mail->Subject = $mail_subject;
$mail->AltBody = $mail_body;
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
$mail->AddAddress($user['email'], User::getCorrectUserSalutation($user));
$mail->Send();
} catch (\PHPMailer\PHPMailer\Exception $e) {
$mailerr_msg = $e->errorMessage();
$_mailerror = true;
} catch (Exception $e) {
$mailerr_msg = $e->getMessage();
$_mailerror = true;
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
Response::redirectTo('index.php', [
'showmessage' => '4',
'customermail' => $user['email']
]);
exit();
}
$mail->ClearAddresses();
Response::redirectTo('index.php', [
'showmessage' => '1'
]);
exit();
} else {
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
$message = lng('login.combination_not_found');
}
unset($user);
} }
} else { } else {
$message = lng('login.usernotfound'); if (Settings::Get('panel.allow_preset') != '1') {
$message = lng('pwdreminder.notallowed');
}
} }
}
if ($adminchecked) { if (empty($message)) {
if (Settings::Get('panel.allow_preset_admin') != '1') { if ($result_stmt !== null) {
$message = lng('pwdreminder.notallowed'); $user = $result_stmt->fetch(PDO::FETCH_ASSOC);
unset($adminchecked);
} /* Check whether user is banned */
} else { if ($user['deactivated']) {
if (Settings::Get('panel.allow_preset') != '1') { $message = lng('pwdreminder.notallowed');
$message = lng('pwdreminder.notallowed'); } else {
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
if ($user !== false) {
// build a activation code
$timestamp = time();
$first = substr(md5($user['loginname'] . $timestamp . PhpHelper::randomStr(16)), 0, 15);
$third = substr(md5($user['email'] . $timestamp . PhpHelper::randomStr(16)), -15);
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
// Drop all existing activation codes for this user
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
WHERE `userid` = :userid
AND `admin` = :admin");
$params = [
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0
];
Database::pexecute($stmt, $params);
// Add new activation code to database
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
(userid, admin, creation, activationcode)
VALUES (:userid, :admin, :creation, :activationcode)");
$params = [
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
"admin" => $adminchecked ? 1 : 0,
"creation" => $timestamp,
"activationcode" => $activationcode
];
Database::pexecute($stmt, $params);
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
// Set together our activation link
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
// this can be a fixed value to avoid potential exploiting by modifying headers
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
// don't add :443 when https is used, as it is default (and just looks weird!)
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
$port = '';
}
// there can be only one script to handle this so we can use a fixed value here
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
$script = FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
}
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
$replace_arr = [
'SALUTATION' => User::getCorrectUserSalutation($user),
'NAME' => $user['name'],
'FIRSTNAME' => $user['firstname'] ?? "",
'COMPANY' => $user['company'] ?? "",
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
'USERNAME' => $loginname,
'LINK' => $activationlink
];
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_subject\'');
Database::pexecute($result_stmt, [
"adminid" => $user['adminid'],
"lang" => $def_language
]);
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_subject = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.subject')), $replace_arr));
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`=\'mails\'
AND `varname`=\'password_reset_mailbody\'');
Database::pexecute($result_stmt, [
"adminid" => $user['adminid'],
"lang" => $def_language
]);
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
$mail_body = html_entity_decode(PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : lng('mails.password_reset.mailbody')), $replace_arr));
$_mailerror = false;
$mailerr_msg = "";
try {
$mail->Subject = $mail_subject;
$mail->AltBody = $mail_body;
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
$mail->AddAddress($user['email'], User::getCorrectUserSalutation($user));
$mail->Send();
} catch (\PHPMailer\PHPMailer\Exception $e) {
$mailerr_msg = $e->errorMessage();
$_mailerror = true;
} catch (Exception $e) {
$mailerr_msg = $e->getMessage();
$_mailerror = true;
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
Response::redirectTo('index.php', [
'showmessage' => '4',
'customermail' => $user['email']
]);
exit();
}
$mail->ClearAddresses();
Response::redirectTo('index.php', [
'showmessage' => '1'
]);
exit();
} else {
$rstlog = FroxlorLogger::getInstanceOf([
'loginname' => 'password_reset'
]);
$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
$message = lng('login.usernotfound');
}
unset($user);
}
}
} else {
$message = lng('login.usernotfound');
}
} }
} }

12
lib/Froxlor/Cron/Traffic/TrafficCron.php
View File

@@ -645,10 +645,20 @@ class TrafficCron extends FroxlorCron
@unlink($outputdir . '.tmp.json'); @unlink($outputdir . '.tmp.json');
} }
// goaccess <1.4
$keep_params = '--keep-db-files --load-from-disk';
$res = FileDir::safe_exec('goaccess --version');
$ver_str = array_shift($res);
$cGoVer = substr($ver_str, strrpos($ver_str, " ") + 1, -1);
if (version_compare($cGoVer, '1.4', '>=')) {
// at least 1.4
$keep_params = '--persist --restore';
}
$format = Settings::Get('system.logfiles_type') == '2' ? 'VCOMBINED' : 'COMBINED'; $format = Settings::Get('system.logfiles_type') == '2' ? 'VCOMBINED' : 'COMBINED';
$monthyear = $monthyear_arr['month'] . '/' . $monthyear_arr['year']; $monthyear = $monthyear_arr['month'] . '/' . $monthyear_arr['year'];
$return_value = false; $return_value = false;
FileDir::safe_exec("grep '" . $monthyear . "' " . escapeshellarg($logfile) . " | goaccess -o " . escapeshellarg($outputdir . '.tmp.json') . " -o " . escapeshellarg($outputdir . 'index.html') . " --html-report-title=" . escapeshellarg($caption) . " --log-format=" . $format . " - ", $return_value, ['|']); FileDir::safe_exec("grep '" . $monthyear . "' " . escapeshellarg($logfile) . " | goaccess " . $keep_params . " --db-path=" . escapeshellarg($outputdir) . " -o " . escapeshellarg($outputdir . '.tmp.json') . " -o " . escapeshellarg($outputdir . 'index.html') . " --html-report-title=" . escapeshellarg($caption) . " --log-format=" . $format . " - ", $return_value, ['|']);
if (file_exists($outputdir . '.tmp.json')) { if (file_exists($outputdir . '.tmp.json')) {
// need jq here because of potentially LARGE json files // need jq here because of potentially LARGE json files

1
lng/de.lng.php
View File

@@ -1267,6 +1267,7 @@ Vielen Dank, Ihr Administrator',
'plan_reallydelete' => 'Wollen Sie den Hostingplan %s wirklich löschen?', 'plan_reallydelete' => 'Wollen Sie den Hostingplan %s wirklich löschen?',
'apikey_reallydelete' => 'Wollen Sie den Api-Key wirklich löschen?', 'apikey_reallydelete' => 'Wollen Sie den Api-Key wirklich löschen?',
'dnsentry_reallydelete' => 'Wollen Sie den DNS-Eintrag wirklich löschen?', 'dnsentry_reallydelete' => 'Wollen Sie den DNS-Eintrag wirklich löschen?',
'certificate_reallydelete' => 'Wollen Sie diese Zertifikat wirklich löschen?',
], ],
'serversettings' => [ 'serversettings' => [
'session_timeout' => [ 'session_timeout' => [

1
lng/en.lng.php
View File

@@ -1377,6 +1377,7 @@ Yours sincerely, your administrator',
'plan_reallydelete' => 'Do you really want to delete the hosting plan %s?', 'plan_reallydelete' => 'Do you really want to delete the hosting plan %s?',
'apikey_reallydelete' => 'Do you really want to delete this api-key?', 'apikey_reallydelete' => 'Do you really want to delete this api-key?',
'dnsentry_reallydelete' => 'Do you really want to delete this zone entry?', 'dnsentry_reallydelete' => 'Do you really want to delete this zone entry?',
'certificate_reallydelete' => 'Do you really want to delete this certificate?',
], ],
'redirect_desc' => [ 'redirect_desc' => [
'rc_default' => 'default', 'rc_default' => 'default',

11
ssl_certificates.php
View File

@@ -41,10 +41,19 @@ use Froxlor\UI\Response;
// and therefore does not need to require lib/init.php // and therefore does not need to require lib/init.php
$success_message = ""; $success_message = "";
$id = (int)Request::get('id');
// do the delete and then just show a success-message and the certificates list again // do the delete and then just show a success-message and the certificates list again
if ($action == 'delete') { if ($action == 'delete') {
$id = isset($_GET['id']) ? (int)$_GET['id'] : 0; HTML::askYesNo('certificate_reallydelete', $filename, [
'id' => $id,
'page' => $page,
'action' => 'deletesure'
], '', [
'section' => 'index',
'page' => $page
]);
} elseif (isset($_POST['send']) && $_POST['send'] == 'send' && $action == 'deletesure' && $id > 0) {
if ($id > 0) { if ($id > 0) {
try { try {
$json_result = Certificates::getLocal($userinfo, [ $json_result = Certificates::getLocal($userinfo, [