maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

updated README; sanitize script parameter in index.php; sanitize description fields of entities (thx to zerody for pointing these out)

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-01-18 09:29:13 +01:00
parent 4d289e2a7f
commit c97f5f1e29
10 changed files with 26 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@@ -21,7 +21,7 @@ Developed by experienced server administrators, this panel simplifies the effort
9. Have fun! 9. Have fun!
### Detailed installation ### Detailed installation
https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-from-tarball https://docs.froxlor.org/general/installation/index.html
## Help ## Help
@@ -42,12 +42,12 @@ The community is located on https://forum.froxlor.org/
### Wiki ### Wiki
More documentation may be found in the froxlor - wiki: More documentation may be found in the froxlor - documentation:
https://github.com/Froxlor/Froxlor/wiki https://docs.froxlor.org/
## License ## License
May be found in COPYING May be found in [COPYING](COPYING)
## Downloads ## Downloads
@@ -56,7 +56,7 @@ https://files.froxlor.org/releases/froxlor-latest.tar.gz [MD5](https://files.fro
### Debian repository ### Debian repository
[HowTo](https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-on-debian) [HowTo](https://docs.froxlor.org/general/installation/aptpackage.html)
``` ```
apt-get -y install apt-transport-https lsb-release ca-certificates apt-get -y install apt-transport-https lsb-release ca-certificates
@@ -66,7 +66,7 @@ echo "deb https://deb.froxlor.org/debian $(lsb_release -sc) main" > /etc/apt/sou
### Ubuntu repository ### Ubuntu repository
[HowTo](https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-on-ubuntu) [HowTo](https://docs.froxlor.org/general/installation/aptpackage.html)
``` ```
apt-get -y install apt-transport-https lsb-release ca-certificates apt-get -y install apt-transport-https lsb-release ca-certificates

2
index.php
View File

@@ -378,6 +378,8 @@ if ($action == '2fa_entercode') {
$lastscript = ""; $lastscript = "";
if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") { if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") {
$lastscript = $_REQUEST['script']; $lastscript = $_REQUEST['script'];
$lastscript = str_replace("..", "", $lastscript);
$lastscript = htmlspecialchars($lastscript, ENT_QUOTES);
if (! file_exists(__DIR__ . "/" . $lastscript)) { if (! file_exists(__DIR__ . "/" . $lastscript)) {
$lastscript = ""; $lastscript = "";

8
lib/Froxlor/Api/Commands/FpmDaemons.php
View File

@@ -178,9 +178,9 @@ class FpmDaemons extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$custom_config = $this->getParam('custom_config', true, ''); $custom_config = $this->getParam('custom_config', true, '');
// validation // validation
$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
$reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true); $reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true);
$config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', '', '', array(), true); $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
if (! in_array($pmanager, array( if (! in_array($pmanager, array(
'static', 'static',
'dynamic', 'dynamic',
@@ -299,9 +299,9 @@ class FpmDaemons extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$custom_config = $this->getParam('custom_config', true, $result['custom_config']); $custom_config = $this->getParam('custom_config', true, $result['custom_config']);
// validation // validation
$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
$reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true); $reload_cmd = \Froxlor\Validate\Validate::validate($reload_cmd, 'reload_cmd', '', '', array(), true);
$config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', '', '', array(), true); $config_dir = \Froxlor\Validate\Validate::validate($config_dir, 'config_dir', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
if (! in_array($pmanager, array( if (! in_array($pmanager, array(
'static', 'static',
'dynamic', 'dynamic',

4
lib/Froxlor/Api/Commands/Ftps.php
View File

@@ -79,7 +79,7 @@ class Ftps extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEntit
// validation // validation
$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true); $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
$password = \Froxlor\System\Crypt::validatePassword($password, true); $password = \Froxlor\System\Crypt::validatePassword($password, true);
$description = \Froxlor\Validate\Validate::validate(trim($description), 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
if (Settings::Get('system.allow_customer_shell') == '1') { if (Settings::Get('system.allow_customer_shell') == '1') {
$shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true); $shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true);
@@ -396,7 +396,7 @@ class Ftps extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEntit
// validation // validation
$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true); $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
$description = \Froxlor\Validate\Validate::validate(trim($description), 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate(trim($description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
if (Settings::Get('system.allow_customer_shell') == '1') { if (Settings::Get('system.allow_customer_shell') == '1') {
$shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true); $shell = \Froxlor\Validate\Validate::validate(trim($shell), 'shell', '', '', array(), true);

4
lib/Froxlor/Api/Commands/HostingPlans.php
View File

@@ -216,7 +216,7 @@ class HostingPlans extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resou
// validation // validation
$name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true); $name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true);
$description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', '/^[^\0]*$/'); $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT);
if (Settings::Get('system.mail_quota_enabled') != '1') { if (Settings::Get('system.mail_quota_enabled') != '1') {
$value_arr['email_quota'] = - 1; $value_arr['email_quota'] = - 1;
@@ -361,7 +361,7 @@ class HostingPlans extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resou
// validation // validation
$name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true); $name = \Froxlor\Validate\Validate::validate(trim($name), 'name', '', '', array(), true);
$description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', '/^[^\0]*$/'); $description = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $description), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT);
if (Settings::Get('system.mail_quota_enabled') != '1') { if (Settings::Get('system.mail_quota_enabled') != '1') {
$value_arr['email_quota'] = - 1; $value_arr['email_quota'] = - 1;

4
lib/Froxlor/Api/Commands/Mysqls.php
View File

@@ -60,7 +60,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
// validation // validation
$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true); $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
$password = \Froxlor\System\Crypt::validatePassword($password, true); $password = \Froxlor\System\Crypt::validatePassword($password, true);
$databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true); $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
if (!empty($databasename)) { if (!empty($databasename)) {
$databasename = \Froxlor\Validate\Validate::validate(trim($databasename), 'database_name', '/^[A-Za-z0-9][A-Za-z0-9\-_]+$/i', '', array(), true); $databasename = \Froxlor\Validate\Validate::validate(trim($databasename), 'database_name', '/^[A-Za-z0-9][A-Za-z0-9\-_]+$/i', '', array(), true);
} }
@@ -322,7 +322,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
// validation // validation
$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true); $password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
$databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true); $databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
if ($password != '') { if ($password != '') {
// validate password // validate password

4
lib/Froxlor/Api/Commands/PhpSettings.php
View File

@@ -266,7 +266,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
$allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0); $allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
// validation // validation
$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
$phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true); $phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true);
if (Settings::Get('system.mod_fcgid') == 1) { if (Settings::Get('system.mod_fcgid') == 1) {
$binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true)); $binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true));
@@ -466,7 +466,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
$allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0); $allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
// validation // validation
$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true); $description = \Froxlor\Validate\Validate::validate($description, 'description', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
$phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true); $phpsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $phpsettings), 'phpsettings', '/^[^\0]*$/', '', array(), true);
if (Settings::Get('system.mod_fcgid') == 1) { if (Settings::Get('system.mod_fcgid') == 1) {
$binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true)); $binary = \Froxlor\FileDir::makeCorrectFile(\Froxlor\Validate\Validate::validate($binary, 'binary', '', '', array(), true));

4
lib/Froxlor/Cli/Action/ConfigServicesAction.php
View File

@@ -85,8 +85,8 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
$distributions_select_data = array(); $distributions_select_data = array();
//set default os. //set default os.
$os_dist = array('ID' => 'buster'); $os_dist = array('ID' => 'bullseye');
$os_version = array('0' => '10'); $os_version = array('0' => '11');
$os_default = $os_dist['ID']; $os_default = $os_dist['ID'];
//read os-release //read os-release

4
lib/Froxlor/UI/HTML.php
View File

@@ -269,7 +269,7 @@ class HTML
} }
$text = strtr($text, array( $text = strtr($text, array(
'%s' => $targetname '%s' => htmlspecialchars($targetname)
)); ));
eval("echo \"" . Template::getTemplate('misc/question_yesno', '1') . "\";"); eval("echo \"" . Template::getTemplate('misc/question_yesno', '1') . "\";");
exit(); exit();
@@ -302,7 +302,7 @@ class HTML
} }
$text = strtr($text, array( $text = strtr($text, array(
'%s' => $targetname '%s' => htmlspecialchars($targetname)
)); ));
eval("echo \"" . Template::getTemplate('misc/question_yesno_checkbox', '1') . "\";"); eval("echo \"" . Template::getTemplate('misc/question_yesno_checkbox', '1') . "\";");
exit(); exit();

2
lib/Froxlor/Validate/Validate.php
View File

@@ -10,6 +10,8 @@ class Validate
const REGEX_CONF_TEXT = '/^[^\0]*$/'; const REGEX_CONF_TEXT = '/^[^\0]*$/';
const REGEX_DESC_TEXT = '/^[^\0\r\n<>]*$/';
/** /**
* Validates the given string by matching against the pattern, prints an error on failure and exits * Validates the given string by matching against the pattern, prints an error on failure and exits
* *