From c97f5f1e29b0a5c311f9fa366b1d86b1659f03ef Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Tue, 18 Jan 2022 09:29:13 +0100
Subject: [PATCH] updated README; sanitize script parameter in index.php; sanitize description fields of entities (thx to zerody for pointing these out)
Signed-off-by: Michael Kaufmann
---
 README.md | 12 ++++++------
 index.php | 2 ++
 lib/Froxlor/Api/Commands/FpmDaemons.php | 8 ++++----
 lib/Froxlor/Api/Commands/Ftps.php | 4 ++--
 lib/Froxlor/Api/Commands/HostingPlans.php | 4 ++--
 lib/Froxlor/Api/Commands/Mysqls.php | 4 ++--
 lib/Froxlor/Api/Commands/PhpSettings.php | 4 ++--
 lib/Froxlor/Cli/Action/ConfigServicesAction.php | 4 ++--
 lib/Froxlor/UI/HTML.php | 4 ++--
 lib/Froxlor/Validate/Validate.php | 2 ++
 10 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index 24d65ad9..9407c022 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Developed by experienced server administrators, this panel simplifies the effort
 9. Have fun!
 ### Detailed installation
-https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-from-tarball
+https://docs.froxlor.org/general/installation/index.html
 ## Help
@@ -42,12 +42,12 @@ The community is located on https://forum.froxlor.org/
 ### Wiki
-More documentation may be found in the froxlor - wiki:
-https://github.com/Froxlor/Froxlor/wiki
+More documentation may be found in the froxlor - documentation:
+https://docs.froxlor.org/
 ## License
-May be found in COPYING
+May be found in [COPYING](COPYING)
 ## Downloads
@@ -56,7 +56,7 @@ https://files.froxlor.org/releases/froxlor-latest.tar.gz [MD5](https://files.fro
 ### Debian repository
-[HowTo](https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-on-debian)
+[HowTo](https://docs.froxlor.org/general/installation/aptpackage.html)
 ```
 apt-get -y install apt-transport-https lsb-release ca-certificates
@@ -66,7 +66,7 @@ echo "deb https://deb.froxlor.org/debian $(lsb_release -sc) main" > /etc/apt/sou
 ### Ubuntu repository
-[HowTo](https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-on-ubuntu)
+[HowTo](https://docs.froxlor.org/general/installation/aptpackage.html)
 ```
 apt-get -y install apt-transport-https lsb-release ca-certificates
diff --git a/index.php b/index.php
index 83ab7a4b..07a96e82 100644
--- a/index.php
+++ b/index.php
@@ -378,6 +378,8 @@ if ($action == '2fa_entercode') {
 $lastscript = "";
 if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") {
 $lastscript = $_REQUEST['script'];
+ $lastscript = str_replace("..", "", $lastscript);
+ $lastscript = htmlspecialchars($lastscript, ENT_QUOTES);
 if (! file_exists(__DIR__ . "/" . $lastscript)) {
 $lastscript = "";
diff --git a/lib/Froxlor/Api/Commands/FpmDaemons.php b/lib/Froxlor/Api/Commands/FpmDaemons.php
index 52192591..36fed4e0 100644
--- a/lib/Froxlor/Api/Commands/FpmDaemons.php
+++ b/lib/Froxlor/Api/Commands/FpmDaemons.php
@@ -178,9 +178,9 @@ class FpmDaemons extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
 $custom_config = $this->getParam('custom_config', true, '');
 // validation
- $description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true);
- $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', '', '', array(), true);
+ $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
 if (! in_array($pmanager, array(
 'static',
 'dynamic',
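Review bot: The two added lines in the index.php hunk filter `$lastscript` by denylist and HTML-encode it before it reaches `file_exists()`, so the filesystem lookup runs on an already output-encoded string; encoding is a property of the place where the value is rendered, and how `$lastscript` is used after this block is outside the hunk. The stronger check for a request-supplied path is to canonicalize it and require the result to stay inside `__DIR__`, which also covers separators and encodings that `str_replace("..", "", ...)` does not reason about. Keeping `htmlspecialchars()` at the render site (with `ENT_QUOTES`, as here) rather than on the stored value avoids a legitimate filename with `&` or quotes failing the existence check. The enclosing `if` block continues past the end of the hunk.
```php
$lastscript = $_REQUEST['script'];
// Canonicalize and require the result to stay inside this directory;
// HTML-escaping belongs where $lastscript is rendered, not here.
$resolved = realpath(__DIR__ . "/" . $lastscript);
if ($resolved === false || strpos($resolved, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
    $lastscript = "";
}
// … unchanged: remainder of the block past the hunk …
```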
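Review bot: `$reload_cmd`, on the context line between the two changed ones in the FpmDaemons hunk, keeps the empty pattern, so after this change it is the only free-form field in this validation block even though, judging by its name, it is the one that is later executed rather than displayed. If that is accepted because this endpoint is restricted to administrators, a comment making the decision visible would help, e.g. `// reload_cmd is intentionally free-form: admin-supplied, executed as-is`; otherwise it deserves at least the null-byte and newline restriction the description now gets. The same applies to the @@ -299 hunk of this file, where the add and update paths duplicate the block. The enclosing method starts before and ends after the hunk.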
@@ -299,9 +299,9 @@ class FpmDaemons extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
 $custom_config = $this->getParam('custom_config', true, $result['custom_config']);
 // validation
- $description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true);
- $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', '', '', array(), true);
+ $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
 if (! in_array($pmanager, array(
 'static',
 'dynamic',
diff --git a/lib/Froxlor/Api/Commands/Ftps.php b/lib/Froxlor/Api/Commands/Ftps.php
index 1e30bd4c..9d7664b4 100644
--- a/lib/Froxlor/Api/Commands/Ftps.php
+++ b/lib/Froxlor/Api/Commands/Ftps.php
@@ -79,7 +79,7 @@ class Ftps extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEntit
 // validation
 $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
 $password = \Froxlor\System\Crypt::validatePassword($password, true);
- $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 if (Settings::Get('system.allow_customer_shell') == '1') {
 $shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true);
@@ -396,7 +396,7 @@ class Ftps extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEntit
 // validation
 $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
- $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 if (Settings::Get('system.allow_customer_shell') == '1') {
 $shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true);
diff --git a/lib/Froxlor/Api/Commands/HostingPlans.php b/lib/Froxlor/Api/Commands/HostingPlans.php
index 68373d52..dbaade04 100644
--- a/lib/Froxlor/Api/Commands/HostingPlans.php
+++ b/lib/Froxlor/Api/Commands/HostingPlans.php
@@ -216,7 +216,7 @@ class HostingPlans extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resou
 // validation
 $name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true);
- $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', '/^[^\0]*$/');
+ $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT);
 if (Settings::Get('system.mail_quota_enabled') != '1') {
 $value_arr['email_quota'] = - 1;
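Review bot: In the HostingPlans hunk the changed line still normalises line endings with `str_replace("\r\n", "\n", $description)` but then validates against `REGEX_DESC_TEXT`, whose character class excludes `\r` and `\n`, so any description containing a line break now fails where the previous pattern `/^[^\0]*$/` accepted it, and the normalisation can no longer produce a passing value. Either multi-line hosting-plan descriptions are no longer wanted, in which case the `str_replace()` is dead and should be dropped, or they are, in which case this field needs its own pattern that keeps the `<>` and null-byte restriction but allows `\n` (for example a constructed `const REGEX_DESC_MULTILINE = '/^[^\0<>]*$/D';` next to `REGEX_DESC_TEXT`). The @@ -361 hunk of this file has the identical line and needs the same decision. The enclosing method starts before and ends after the hunk.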
@@ -361,7 +361,7 @@ class HostingPlans extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resou
 // validation
 $name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true);
- $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', '/^[^\0]*$/');
+ $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT);
 if (Settings::Get('system.mail_quota_enabled') != '1') {
 $value_arr['email_quota'] = - 1;
diff --git a/lib/Froxlor/Api/Commands/Mysqls.php b/lib/Froxlor/Api/Commands/Mysqls.php
index 5083efd5..b0b4b641 100644
--- a/lib/Froxlor/Api/Commands/Mysqls.php
+++ b/lib/Froxlor/Api/Commands/Mysqls.php
@@ -60,7 +60,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 // validation
 $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
 $password = \Froxlor\System\Crypt::validatePassword($password, true);
- $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true);
+ $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 if (!empty($databasename)) {
 $databasename = \Froxlor\Validate\Validate::validate(trim($databasename), 'database_name', '/^[A-Za-z0-9][A-Za-z0-9\-_]+$/i', '', array(), true);
 }
@@ -322,7 +322,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 // validation
 $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
- $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true);
+ $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 if ($password != '') {
 // validate password
diff --git a/lib/Froxlor/Api/Commands/PhpSettings.php b/lib/Froxlor/Api/Commands/PhpSettings.php
index 26ef83eb..6689241a 100644
--- a/lib/Froxlor/Api/Commands/PhpSettings.php
+++ b/lib/Froxlor/Api/Commands/PhpSettings.php
@@ -266,7 +266,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 $allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
 // validation
- $description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true);
 if (Settings::Get('system.mod_fcgid') == 1) {
 $binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true));
@@ -466,7 +466,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 $allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
 // validation
- $description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
+ $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true);
 if (Settings::Get('system.mod_fcgid') == 1) {
 $binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true));
diff --git a/lib/Froxlor/Cli/Action/ConfigServicesAction.php b/lib/Froxlor/Cli/Action/ConfigServicesAction.php
index 8d6c5d68..1cd6a5d1 100644
--- a/lib/Froxlor/Cli/Action/ConfigServicesAction.php
+++ b/lib/Froxlor/Cli/Action/ConfigServicesAction.php
@@ -85,8 +85,8 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
 $distributions_select_data = array();
 //set default os.
- $os_dist = array('ID' => 'buster');
- $os_version = array('0' => '10');
+ $os_dist = array('ID' => 'bullseye');
+ $os_version = array('0' => '11');
 $os_default = $os_dist['ID'];
 //read os-release
diff --git a/lib/Froxlor/UI/HTML.php b/lib/Froxlor/UI/HTML.php
index 84caf1da..daffbc47 100644
--- a/lib/Froxlor/UI/HTML.php
+++ b/lib/Froxlor/UI/HTML.php
@@ -269,7 +269,7 @@ class HTML
 }
 $text = strtr($text, array(
- '%s' => $targetname
+ '%s' => htmlspecialchars($targetname)
 ));
 eval("echo \"" . Template::getTemplate('misc/question_yesno', '1') . "\";");
 exit();
@@ -302,7 +302,7 @@ class HTML
 }
 $text = strtr($text, array(
- '%s' => $targetname
+ '%s' => htmlspecialchars($targetname)
 ));
 eval("echo \"" . Template::getTemplate('misc/question_yesno_checkbox', '1') . "\";");
 exit();
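Review bot: `htmlspecialchars($targetname)` on the added line of the HTML.php @@ -269 hunk relies on the default flags, and only PHP 8.1 and later include `ENT_QUOTES` in that default; on earlier runtimes the single quote is left as-is, so if the `misc/question_yesno` template renders `%s` inside a single-quoted attribute or inline script the escaping is incomplete. The index.php hunk in this same commit passes `ENT_QUOTES` explicitly, so the two sites should agree: `'%s' => htmlspecialchars($targetname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The @@ -302 hunk (`misc/question_yesno_checkbox`) has the identical line and needs the same flags. Both enclosing methods start before their hunk.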
diff --git a/lib/Froxlor/Validate/Validate.php b/lib/Froxlor/Validate/Validate.php
index edd58587..e8632d06 100644
--- a/lib/Froxlor/Validate/Validate.php
+++ b/lib/Froxlor/Validate/Validate.php
@@ -10,6 +10,8 @@ class Validate
 const REGEX_CONF_TEXT = '/^[^\0]*$/';
+ const REGEX_DESC_TEXT = '/^[^\0\r\n<>]*$/';
+
 /**
 * Validates the given string by matching against the pattern, prints an error on failure and exits
 *
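Review bot: The new `REGEX_DESC_TEXT` pattern `'/^[^\0\r\n<>]*$/'` still accepts a single trailing newline, because without the `D` modifier PCRE's `$` also matches just before a final `\n`; since the class is meant to exclude line breaks, the anchor should be `\z` or the pattern should carry `D`: `const REGEX_DESC_TEXT = '/^[^\0\r\n<>]*$/D';`. The constant also has no doc comment, and what it does not do matters to every caller in this commit: `"`, `'` and `&` remain allowed, so a stored description is not safe to emit unescaped in an attribute or script context. A comment on the line before it would make that explicit, e.g. `// single-line text for description fields: no NUL, no line breaks, no angle brackets; quotes and '&' pass, so values still need context-specific escaping on output`. The surrounding class body continues outside the hunk.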