From 2fa6c5cd9735b82206ef952ae2b23bedce32c765 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 10:57:54 +0100
Subject: [PATCH 1/7] generate more secure password suggestions and respect password-min-length setting

Signed-off-by: Michael Kaufmann (d00p)
---
 lib/functions/froxlor/function.generatePassword.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/functions/froxlor/function.generatePassword.php b/lib/functions/froxlor/function.generatePassword.php
index 132e24c7..d4db872f 100644
--- a/lib/functions/froxlor/function.generatePassword.php
+++ b/lib/functions/froxlor/function.generatePassword.php
@@ -19,5 +19,9 @@
 * Generates a random password
 */
 function generatePassword() {
- return substr(md5(uniqid(microtime(), 1)), 24, 10);
+ global $settings;
+ return substr(
+ base64_encode(sha1(md5(uniqid(microtime(), 1))).md5(uniqid(microtime(), 1)).sha1(md5(uniqid(microtime(), 1)))),
+ rand(5, 50), $settings['panel']['password_min_length']
+ );
 }

From 904f41249546070a0d4846662f5119e91afac864 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 11:52:09 +0100
Subject: [PATCH 2/7] set correct postmaster_address (using -variable) for dovecot config-templates

Signed-off-by: Michael Kaufmann (d00p)
---
 .../debian_squeeze/dovecot/etc_dovecot_dovecot.conf | 6 +++---
 .../debian_wheezy/dovecot/etc_dovecot_conf.d_15-lda.conf | 2 +-
 .../freebsd/dovecot2/usr_local_etc_dovecot_dovecot.conf | 2 +-
 .../configfiles/gentoo/dovecot/etc_dovecot_dovecot.conf | 2 +-
 .../opensuse_11_x/dovecot/etc_dovecot_dovecot.conf | 4 ++--
 .../dovecot/etc_dovecot_conf.d_01-dovecot-postfix.conf | 2 +-
 .../dovecot/etc_dovecot_conf.d_01_mail_stack_delivery.conf | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/templates/misc/configfiles/debian_squeeze/dovecot/etc_dovecot_dovecot.conf b/templates/misc/configfiles/debian_squeeze/dovecot/etc_dovecot_dovecot.conf
index 1f92f664..249b9280 100644
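Review bot: The new password generator is still fed by `uniqid(microtime(), 1)` and positioned with `rand(5, 50)`, neither of which is a cryptographic source, so the unpredictability of a suggested password is bounded by the clock and the libc PRNG rather than by its length; hashing and base64-encoding a predictable input does not add entropy, it only hides it. Take the bytes from the system CSPRNG (`openssl_random_pseudo_bytes()` on PHP 5.3+, `random_bytes()` where available) and make the length follow the setting directly. Two smaller points on the same `return`: `base64_encode()` of a hex string draws only from a reduced subset of the base64 alphabet, and with the start offset up to 50 in a 152-character string a `password_min_length` above roughly 102 silently yields fewer characters than requested. The function body is complete within the hunk.
```php
function generatePassword() {
	global $settings;
	// length from the panel setting; fall back to 10 when it is unset or 0
	$length = (int)$settings['panel']['password_min_length'];
	if ($length <= 0) {
		$length = 10;
	}
	// CSPRNG instead of clock-seeded uniqid()/rand(); random_bytes() is PHP 7+, so fall back to OpenSSL
	$bytes = function_exists('random_bytes') ? random_bytes($length) : openssl_random_pseudo_bytes($length);
	return substr(base64_encode($bytes), 0, $length);
}
```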
--- a/templates/misc/configfiles/debian_squeeze/dovecot/etc_dovecot_dovecot.conf
+++ b/templates/misc/configfiles/debian_squeeze/dovecot/etc_dovecot_dovecot.conf
@@ -1,4 +1,4 @@
-protocols = imap pop3
+#protocols = imap pop3
 listen = *
 mail_access_groups = vmail
 mail_debug = no
@@ -25,8 +25,8 @@ protocol pop3 {
 }
 protocol lda {
- # postmaster is the one in charge of the mail system. MUST be set to a valid address!
- postmaster_address =
+ # postmaster is the one in charge of the mail system. MUST be set to a valid address!
+ postmaster_address = postmaster@
 auth_socket_path = /var/run/dovecot/auth-master
 mail_plugins = quota
 sendmail_path = /usr/sbin/sendmail
diff --git a/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_15-lda.conf b/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_15-lda.conf
index 6bae51a6..056da607 100644
--- a/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_15-lda.conf
+++ b/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_15-lda.conf
@@ -4,7 +4,7 @@
 # Address to use when sending rejection mails.
 # Default is postmaster@.
-#postmaster_address =
+#postmaster_address = postmaster@
 # Hostname to use in various parts of sent mails, eg. in Message-Id.
 # Default is the system's real hostname.
diff --git a/templates/misc/configfiles/freebsd/dovecot2/usr_local_etc_dovecot_dovecot.conf b/templates/misc/configfiles/freebsd/dovecot2/usr_local_etc_dovecot_dovecot.conf
index f9f14e9d..c1f8975f 100644
--- a/templates/misc/configfiles/freebsd/dovecot2/usr_local_etc_dovecot_dovecot.conf
+++ b/templates/misc/configfiles/freebsd/dovecot2/usr_local_etc_dovecot_dovecot.conf
@@ -133,6 +133,6 @@ protocol imap {
 protocol lmtp {
 mail_plugins = $mail_plugins
- postmaster_address = postmaster@example.net
+ postmaster_address = postmaster@
 }
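Review bot: The first squeeze hunk also comments out `protocols = imap pop3`, which the commit message (postmaster_address only) does not mention; which services Dovecot then starts depends on the distribution's built-in default, and if that default does not include pop3 the change silently drops a service customers may rely on. If falling back to the default is intended, say so on the line so the next editor does not "fix" it back: `# protocols intentionally left at the dovecot default; set explicitly if pop3 must be served`. Otherwise keep the explicit setting and leave this hunk out of a postmaster_address commit.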
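Review bot: In the wheezy 15-lda.conf hunk the new value sits on a line that stays commented out (`#postmaster_address = postmaster@…`), so it has no effect and Dovecot keeps its built-in default, while the other six templates in this commit set the value on an active line. If this template is meant to set the address too, drop the leading `#`: `postmaster_address = postmaster@…`. The text after `postmaster@` appears to have been lost in the rendering of this page, so I cannot check the variable itself.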
diff --git a/templates/misc/configfiles/gentoo/dovecot/etc_dovecot_dovecot.conf b/templates/misc/configfiles/gentoo/dovecot/etc_dovecot_dovecot.conf
index 971b2628..b17f14e4 100644
--- a/templates/misc/configfiles/gentoo/dovecot/etc_dovecot_dovecot.conf
+++ b/templates/misc/configfiles/gentoo/dovecot/etc_dovecot_dovecot.conf
@@ -59,7 +59,7 @@ protocol lda {
 auth_socket_path = /var/run/dovecot/auth-master
 mail_plugins = quota
 # postmaster is the one in charge of the mail system. MUST be set to a valid address!
- postmaster_address = admin@
+ postmaster_address = postmaster@
 sendmail_path = /usr/sbin/sendmail
 lda_mailbox_autocreate = 1
 }
diff --git a/templates/misc/configfiles/opensuse_11_x/dovecot/etc_dovecot_dovecot.conf b/templates/misc/configfiles/opensuse_11_x/dovecot/etc_dovecot_dovecot.conf
index 39c87b06..8d05a371 100644
--- a/templates/misc/configfiles/opensuse_11_x/dovecot/etc_dovecot_dovecot.conf
+++ b/templates/misc/configfiles/opensuse_11_x/dovecot/etc_dovecot_dovecot.conf
@@ -25,8 +25,8 @@ protocol pop3 {
 }
 protocol lda {
- # postmaster is the one in charge of the mail system. MUST be set to a valid address!
- postmaster_address =
+ # postmaster is the one in charge of the mail system. MUST be set to a valid address!
+ postmaster_address = postmaster@
 auth_socket_path = /var/run/dovecot/auth-master
 mail_plugins = quota
 sendmail_path = /usr/sbin/sendmail
diff --git a/templates/misc/configfiles/ubuntu_lucid/dovecot/etc_dovecot_conf.d_01-dovecot-postfix.conf b/templates/misc/configfiles/ubuntu_lucid/dovecot/etc_dovecot_conf.d_01-dovecot-postfix.conf
index 508402f9..0565b2c4 100644
--- a/templates/misc/configfiles/ubuntu_lucid/dovecot/etc_dovecot_conf.d_01-dovecot-postfix.conf
+++ b/templates/misc/configfiles/ubuntu_lucid/dovecot/etc_dovecot_conf.d_01-dovecot-postfix.conf
@@ -28,7 +28,7 @@ protocol pop3 {
 # LDA configuration
 protocol lda {
 # postmaster is the one in charge of the mail system. MUST be set to a valid address!
- postmaster_address =
+ postmaster_address = postmaster@
 mail_plugins = quota
 deliver_log_format = msgid=%m: %$
 rejection_reason = Your message to <%t> was automatically rejected:%n%r
diff --git a/templates/misc/configfiles/ubuntu_precise/dovecot/etc_dovecot_conf.d_01_mail_stack_delivery.conf b/templates/misc/configfiles/ubuntu_precise/dovecot/etc_dovecot_conf.d_01_mail_stack_delivery.conf
index af58c910..1d812fb5 100644
--- a/templates/misc/configfiles/ubuntu_precise/dovecot/etc_dovecot_conf.d_01_mail_stack_delivery.conf
+++ b/templates/misc/configfiles/ubuntu_precise/dovecot/etc_dovecot_conf.d_01_mail_stack_delivery.conf
@@ -25,7 +25,7 @@ protocol pop3 {
 # LDA configuration
 protocol lda {
- postmaster_address = postmaster
+ postmaster_address = postmaster@
 mail_plugins = sieve quota
 quota_full_tempfail = yes
 deliver_log_format = msgid=%m: %$

From a5b10651955fc56781db841912211ddf7079d5c3 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 13:57:03 +0100
Subject: [PATCH 3/7] generate spf-entry also for 'mail'-record when no mxservers are specified, fixes #1314

Signed-off-by: Michael Kaufmann (d00p)
---
 scripts/jobs/cron_tasks.inc.dns.10.bind.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/jobs/cron_tasks.inc.dns.10.bind.php b/scripts/jobs/cron_tasks.inc.dns.10.bind.php
index f79649ca..18b3d208 100644
--- a/scripts/jobs/cron_tasks.inc.dns.10.bind.php
+++ b/scripts/jobs/cron_tasks.inc.dns.10.bind.php
@@ -257,6 +257,9 @@ class bind
 /*&& $domain['spf'] == '1' */
 ) {
 $zonefile.= $this->settings['spf']['spf_entry'] . "\n";
+ if (in_array('mail', $records)) {
+ $zonefile.= str_replace('@', 'mail', $this->settings['spf']['spf_entry']) . "\n";
+ }
 }
 /**

From 882206731128080aac22f6c2aa43ffdb3b9f77a7 Mon Sep 17 00:00:00 2001
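Review bot: `str_replace('@', 'mail', …)` rewrites every `@` in the admin-supplied `spf_entry` setting, not only the owner-name field at the start of the record; the value is free-form text (the line above appends it to the zone file verbatim), so any `@` elsewhere in it would be corrupted in the `mail` copy. Limit the substitution to a leading `@`, assuming the entry is written that way: `preg_replace('/^@/', 'mail', $this->settings['spf']['spf_entry'])`. Pass `true` as the third argument of `in_array('mail', $records)` so a non-string element cannot match loosely. The enclosing method of class bind starts before and ends after this hunk, so I cannot see how `$records` is populated.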
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 17:24:11 +0100
Subject: [PATCH 4/7] fix search for webspace and traffic related values, also, for integer fields (like diskspace) you can now use the following operators when searching: >, < and =; fixes #772

Signed-off-by: Michael Kaufmann (d00p)
---
 lib/classes/output/class.paging.php | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/lib/classes/output/class.paging.php b/lib/classes/output/class.paging.php
index 5bdf4d8b..ba3033ee 100644
--- a/lib/classes/output/class.paging.php
+++ b/lib/classes/output/class.paging.php
@@ -175,7 +175,7 @@ class paging {
 && (preg_match('/[-_@\p{L}\p{N}*.]+$/u', $_REQUEST['searchtext']) || $_REQUEST['searchtext'] === '')
 ) {
- $this->searchtext = $_REQUEST['searchtext'];
+ $this->searchtext = trim($_REQUEST['searchtext']);
 } else {
 if ($checklastpaging && isset($this->userinfo['lastpaging']['searchtext'])
@@ -279,8 +279,27 @@ class paging {
 }
 $searchfield = implode('.', $searchfield);
- $searchtext = str_replace('*', '%', $this->searchtext);
- $condition.= $searchfield . " LIKE " . Database::quote($searchtext);
+ // check for logical operators and whether searchtext is a number
+ // in any other case the logical-operators would make no sense
+ $ops = array('<', '>', '=');
+ if (in_array(substr($this->searchtext, 0, 1), $ops) && is_numeric(substr($this->searchtext, 1))) {
+ // if we're checking on traffic or diskspace, we need to adjust the search-value
+ if (strpos($searchfield, 'diskspace') > 0) {
+ // anything with diskspace is *1024
+ $searchtext = ((int)substr($this->searchtext, 1))*1024;
+ } elseif (strpos($searchfield, 'traffic') > 0) {
+ // anything with traffic is *1024*1024
+ $searchtext = ((int)substr($this->searchtext, 1))*1024*1024;
+ } else {
+ // any other field
+ $searchtext = substr($this->searchtext, 1);
+ }
+ // now as we use >, < or = we use the given operator and not LIKE
+ $condition.= $searchfield . " ".substr($this->searchtext, 0, 1)." " . Database::quote($searchtext);
+ } else {
+ $searchtext = str_replace('*', '%', $this->searchtext);
+ $condition.= $searchfield . " LIKE " . Database::quote($searchtext);
+ }
 } else {
 $condition = '';
 }

From be6c8462f096a87642b59f600e5ad88b75313071 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 18:04:47 +0100
Subject: [PATCH 5/7] use default lenght of 10 characters if no password-minimum is specified

Signed-off-by: Michael Kaufmann (d00p)
---
 lib/functions/froxlor/function.generatePassword.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions/froxlor/function.generatePassword.php b/lib/functions/froxlor/function.generatePassword.php
index d4db872f..3653cffb 100644
--- a/lib/functions/froxlor/function.generatePassword.php
+++ b/lib/functions/froxlor/function.generatePassword.php
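Review bot: `strpos($searchfield, 'diskspace') > 0` and `strpos($searchfield, 'traffic') > 0` miss the case where the column name sits at position 0, because `strpos()` returns `0` there; if `$searchfield` is ever built without a table prefix the unit conversion is skipped and the comparison runs against the raw value. Test `strpos(...) !== false` in both branches instead. The operator comes from user input but is whitelisted through `$ops` before it is concatenated into the SQL, and the value passes through `Database::quote()`, so this is not an injection; for consistency, though, `in_array(..., $ops, true)` and an `(int)` cast in the generic branch would be safer, since `is_numeric()` also accepts forms such as `1e3` (and `0x1A` on PHP 5) that `(int)` then truncates to `1` or `0` in the other two branches. The method containing this `$condition` assembly starts before the hunk.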
@@ -22,6 +22,6 @@ function generatePassword() {
 global $settings;
 return substr(
 base64_encode(sha1(md5(uniqid(microtime(), 1))).md5(uniqid(microtime(), 1)).sha1(md5(uniqid(microtime(), 1)))),
- rand(5, 50), $settings['panel']['password_min_length']
+ rand(5, 50), ($settings['panel']['password_min_length'] > 0 ? $settings['panel']['password_min_length'] : 10)
 );
 }

From 220fb17824f2f319ad028ec64e4d5732c3ea79c3 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 18:16:47 +0100
Subject: [PATCH 6/7] add traffic-used when adding a customer; fix sql-error when removing a customer

Signed-off-by: Michael Kaufmann (d00p)
---
 admin_customers.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/admin_customers.php b/admin_customers.php
index a8d37e08..6b57410a 100644
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -273,7 +273,7 @@ if ($page == 'customers'
 Database::pexecute($stmt, array('id' => $id));
 $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_HTACCESS . "` WHERE `customerid` = :id");
 Database::pexecute($stmt, array('id' => $id));
- $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_SESSIONS . "` WHERE `customerid` = :id AND `adminsession` = '0'");
+ $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_SESSIONS . "` WHERE `userid` = :id AND `adminsession` = '0'");
 Database::pexecute($stmt, array('id' => $id));
 $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_TRAFFIC . "` WHERE `customerid` = :id");
 Database::pexecute($stmt, array('id' => $id));
@@ -808,6 +808,10 @@ if ($page == 'customers'
 $admin_update_query.= ", `diskspace_used` = `diskspace_used` + 0" . (int)$diskspace;
 }
+ if (($traffic / 1024 / 1024) != '-1') {
+ $admin_update_query.= ", `traffic_used` = `traffic_used` + 0" . (int)$traffic;
+ }
+
 if ($number_of_aps_packages != '-1') {
 $admin_update_query.= ", `aps_packages_used` = `aps_packages_used` + 0" . (int)$number_of_aps_packages;
 }
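Review bot: The fallback handles an unset or zero `password_min_length`, but the value is still passed to `substr()` uncast and with no upper bound: the encoded string is 152 characters and the start offset is up to 50, so for a configured minimum above roughly 102 the suggestion comes back shorter than the minimum the panel presumably enforces elsewhere, and at the top of that range it can end in the base64 `==` padding. Resolve the length once, `$length = (int)$settings['panel']['password_min_length']; if ($length <= 0) { $length = 10; }`, and generate that many characters from random bytes rather than slicing a fixed-size string. The function is complete within the hunk.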
@@ -1214,6 +1218,7 @@ if ($page == 'customers'
 $traffic = $traffic * 1024 * 1024;
 if (((($userinfo['diskspace_used'] + $diskspace - $result['diskspace']) > $userinfo['diskspace']) && ($userinfo['diskspace'] / 1024) != '-1')
+ || ((($userinfo['traffic_used'] + $traffic - $result['traffic']) > $userinfo['traffic']) && ($userinfo['traffic'] / 1024 / 1024) != '-1')
 || ((($userinfo['mysqls_used'] + $mysqls - $result['mysqls']) > $userinfo['mysqls']) && $userinfo['mysqls'] != '-1')
 || ((($userinfo['emails_used'] + $emails - $result['emails']) > $userinfo['emails']) && $userinfo['emails'] != '-1')
 || ((($userinfo['email_accounts_used'] + $email_accounts - $result['email_accounts']) > $userinfo['email_accounts']) && $userinfo['email_accounts'] != '-1')
@@ -1224,6 +1229,7 @@ if ($page == 'customers'
 || ((($userinfo['tickets_used'] + $tickets - $result['tickets']) > $userinfo['tickets']) && $userinfo['tickets'] != '-1')
 || ((($userinfo['subdomains_used'] + $subdomains - $result['subdomains']) > $userinfo['subdomains']) && $userinfo['subdomains'] != '-1')
 || (($diskspace / 1024) == '-1' && ($userinfo['diskspace'] / 1024) != '-1')
+ || (($traffic / 1024 / 1024) == '-1' && ($userinfo['traffic'] / 1024 / 1024) != '-1')
 || ((($userinfo['aps_packages'] + $number_of_aps_packages - $result['aps_packages']) > $userinfo['aps_packages']) && $userinfo['aps_packages'] != '-1' && $settings['aps']['aps_active'] == '1')
 || ($mysqls == '-1' && $userinfo['mysqls'] != '-1')
 || ($emails == '-1' && $userinfo['emails'] != '-1')
@@ -1609,6 +1615,17 @@ if ($page == 'customers'
 }
 }
+ if (($traffic / 1024 / 1024) != '-1' || ($result['traffic'] / 1024 / 1024) != '-1') {
+ $admin_update_query.= ", `traffic_used` = `traffic_used` ";
+
+ if (($traffic / 1024 / 1024) != '-1') {
+ $admin_update_query.= " + 0" . (int)$traffic . " ";
+ }
+ if (($result['traffic'] / 1024 / 1024) != '-1') {
+ $admin_update_query.= " - 0" . (int)$result['traffic'] . " ";
+ }
+ }
+
 if ($number_of_aps_packages != '-1' || $result['aps_packages'] != '-1') {
 $admin_update_query.= ", `aps_packages_used` = `aps_packages_used` ";

From 3e54fd765c390b013fa6ab791da573cb03923176 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Mon, 9 Dec 2013 18:49:45 +0100
Subject: [PATCH 7/7] darn, traffic_used is being calculated in the traffic cron, need to re-check what the heck is wrong there (if after all)

Signed-off-by: Michael Kaufmann (d00p)
---
 admin_customers.php | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/admin_customers.php b/admin_customers.php
index 6b57410a..deff50eb 100644
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -808,10 +808,6 @@ if ($page == 'customers'
 $admin_update_query.= ", `diskspace_used` = `diskspace_used` + 0" . (int)$diskspace;
 }
- if (($traffic / 1024 / 1024) != '-1') {
- $admin_update_query.= ", `traffic_used` = `traffic_used` + 0" . (int)$traffic;
- }
-
 if ($number_of_aps_packages != '-1') {
 $admin_update_query.= ", `aps_packages_used` = `aps_packages_used` + 0" . (int)$number_of_aps_packages;
 }
@@ -1218,7 +1214,6 @@ if ($page == 'customers'
 $traffic = $traffic * 1024 * 1024;
 if (((($userinfo['diskspace_used'] + $diskspace - $result['diskspace']) > $userinfo['diskspace']) && ($userinfo['diskspace'] / 1024) != '-1')
- || ((($userinfo['traffic_used'] + $traffic - $result['traffic']) > $userinfo['traffic']) && ($userinfo['traffic'] / 1024 / 1024) != '-1')
 || ((($userinfo['mysqls_used'] + $mysqls - $result['mysqls']) > $userinfo['mysqls']) && $userinfo['mysqls'] != '-1')
 || ((($userinfo['emails_used'] + $emails - $result['emails']) > $userinfo['emails']) && $userinfo['emails'] != '-1')
 || ((($userinfo['email_accounts_used'] + $email_accounts - $result['email_accounts']) > $userinfo['email_accounts']) && $userinfo['email_accounts'] != '-1')
@@ -1229,7 +1224,6 @@ if ($page == 'customers'
 || ((($userinfo['tickets_used'] + $tickets - $result['tickets']) > $userinfo['tickets']) && $userinfo['tickets'] != '-1')
 || ((($userinfo['subdomains_used'] + $subdomains - $result['subdomains']) > $userinfo['subdomains']) && $userinfo['subdomains'] != '-1')
 || (($diskspace / 1024) == '-1' && ($userinfo['diskspace'] / 1024) != '-1')
- || (($traffic / 1024 / 1024) == '-1' && ($userinfo['traffic'] / 1024 / 1024) != '-1')
 || ((($userinfo['aps_packages'] + $number_of_aps_packages - $result['aps_packages']) > $userinfo['aps_packages']) && $userinfo['aps_packages'] != '-1' && $settings['aps']['aps_active'] == '1')
 || ($mysqls == '-1' && $userinfo['mysqls'] != '-1')
 || ($emails == '-1' && $userinfo['emails'] != '-1')
@@ -1615,17 +1609,6 @@ if ($page == 'customers'
 }
 }
- if (($traffic / 1024 / 1024) != '-1' || ($result['traffic'] / 1024 / 1024) != '-1') {
- $admin_update_query.= ", `traffic_used` = `traffic_used` ";
-
- if (($traffic / 1024 / 1024) != '-1') {
- $admin_update_query.= " + 0" . (int)$traffic . " ";
- }
- if (($result['traffic'] / 1024 / 1024) != '-1') {
- $admin_update_query.= " - 0" . (int)$result['traffic'] . " ";
- }
- }
-
 if ($number_of_aps_packages != '-1' || $result['aps_packages'] != '-1') {
 $admin_update_query.= ", `aps_packages_used` = `aps_packages_used` ";