diff --git a/lib/Froxlor/Api/Commands/Domains.php b/lib/Froxlor/Api/Commands/Domains.php
index dca7dd98..ff3ac065 100644
--- a/lib/Froxlor/Api/Commands/Domains.php
+++ b/lib/Froxlor/Api/Commands/Domains.php
@@ -427,6 +427,20 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 }
 $_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . $path_suffix);
+ $documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
+
+ // If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
+ // set default path to subdomain or domain name
+ if (! empty($documentroot)) {
+ if (substr($documentroot, 0, 1) != '/' && ! preg_match('/^https?\:\/\//', $documentroot)) {
+ $documentroot = $_documentroot . '/' . $documentroot;
+ } elseif (substr($documentroot, 0, 1) == '/' && $this->getUserDetail('change_serversettings') != '1') {
+ \Froxlor\UI\Response::standard_error('pathmustberelative', '', true);
+ }
+ } else {
+ $documentroot = $_documentroot;
+ }
+
 $registration_date = \Froxlor\Validate\Validate::validate($registration_date, 'registration_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array(
 '0000-00-00',
 '0',
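Review bot: The new `elseif` rejects only a leading `/`, so a relative value containing `..` segments is still accepted by the first branch and joined as `$_documentroot . '/' . $documentroot` without normalization; unless `REGEX_DIR` excludes `..` (its definition is not visible here), a reseller without change_serversettings can still end up with a document root outside the customer's home, which is exactly what the new error message says is prevented. A check placed ahead of the existing `if`, e.g. `if (strpos($documentroot, '..') !== false && $this->getUserDetail('change_serversettings') != '1') { \Froxlor\UI\Response::standard_error('pathmustberelative', '', true); }`, or running the joined value through `\Froxlor\FileDir::makeCorrectDir()` and requiring it to start with `$customer['documentroot']`, would close that gap. The joined path is also not passed through makeCorrectDir here while the default-path branches in the update() hunk are, so double slashes and the trailing slash are handled differently between the two methods. The enclosing add() method starts and ends outside this hunk.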
@@ -454,17 +468,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 }
 $specialsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $specialsettings), 'specialsettings', \Froxlor\Validate\Validate::REGEX_CONF_TEXT, '', array(), true);
- \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
-
- // If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
- // set default path to subdomain or domain name
- if (! empty($documentroot)) {
- if (substr($documentroot, 0, 1) != '/' && ! preg_match('/^https?\:\/\//', $documentroot)) {
- $documentroot = $_documentroot . '/' . $documentroot;
- }
- } else {
- $documentroot = $_documentroot;
- }
 $ssl_protocols = array();
 if (! empty($p_ssl_protocols) && is_numeric($p_ssl_protocols)) {
@@ -507,7 +510,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 $notryfiles = '0';
 $writeaccesslog = '1';
 $writeerrorlog = '1';
- $documentroot = $_documentroot;
 $override_tls = '0';
 $ssl_protocols = array();
 }
@@ -1187,6 +1189,38 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 $serveraliasoption = $p_serveraliasoption;
 }
+ $documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
+
+ if (! empty($documentroot) && $documentroot != $result['documentroot'] && substr($documentroot, 0, 1) == '/' && substr($documentroot, 0, strlen($customer['documentroot'])) != $customer['documentroot'] && $this->getUserDetail('change_serversettings') != '1') {
+ \Froxlor\UI\Response::standard_error('pathmustberelative', '', true);
+ }
+
+ // when moving customer and no path is specified, update would normally reuse the current document-root
+ // which would point to the wrong customer, therefore we will re-create that directory
+ if (! empty($documentroot) && $customerid > 0 && $customerid != $result['customerid'] && Settings::Get('panel.allow_domain_change_customer') == '1') {
+ if (Settings::Get('system.documentroot_use_default_value') == 1) {
+ $_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
+ } else {
+ $_documentroot = $customer['documentroot'];
+ }
+ // set the customers default docroot
+ $documentroot = $_documentroot;
+ }
+
+ if ($documentroot == '') {
+ // If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
+ // set default path to subdomain or domain name
+ if (Settings::Get('system.documentroot_use_default_value') == 1) {
+ $documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
+ } else {
+ $documentroot = $customer['documentroot'];
+ }
+ }
+
+ if (! preg_match('/^https?\:\/\//', $documentroot) && strstr($documentroot, ":") !== false) {
+ \Froxlor\UI\Response::standard_error('pathmaynotcontaincolon', '', true);
+ }
+
 if ($this->getUserDetail('change_serversettings') == '1') {
 if (Settings::Get('system.bind_enable') == '1') {
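Review bot: The new guard ahead of the customer-move block compares the submitted absolute path to `$customer['documentroot']` with a raw string-prefix test that neither normalizes the value nor anchors at a directory boundary, so `..` segments after the prefix (if `REGEX_DIR` lets them through) and, when the stored docroot has no trailing `/`, a sibling directory whose name merely starts with the customer's docroot both pass for a reseller without change_serversettings. Normalizing both sides before comparing would tighten this, e.g. `$cust_docroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot']);` and `substr(\Froxlor\FileDir::makeCorrectDir($documentroot), 0, strlen($cust_docroot)) != $cust_docroot`, provided makeCorrectDir collapses `..`, which is not visible here. Unlike the add() hunk, a relative value is never joined to the customer's home within this hunk; if that join happens later in update() the two methods agree, otherwise a reseller's relative value would be stored as-is. The enclosing update() method starts and ends outside the hunk.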
@@ -1201,33 +1235,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 }
 $specialsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $specialsettings), 'specialsettings', \Froxlor\Validate\Validate::REGEX_CONF_TEXT, '', array(), true);
- $documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
-
- // when moving customer and no path is specified, update would normally reuse the current document-root
- // which would point to the wrong customer, therefore we will re-create that directory
- if (! empty($documentroot) && $customerid > 0 && $customerid != $result['customerid'] && Settings::Get('panel.allow_domain_change_customer') == '1') {
- if (Settings::Get('system.documentroot_use_default_value') == 1) {
- $_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
- } else {
- $_documentroot = $customer['documentroot'];
- }
- // set the customers default docroot
- $documentroot = $_documentroot;
- }
-
- if ($documentroot == '') {
- // If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
- // set default path to subdomain or domain name
- if (Settings::Get('system.documentroot_use_default_value') == 1) {
- $documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
- } else {
- $documentroot = $customer['documentroot'];
- }
- }
-
- if (! preg_match('/^https?\:\/\//', $documentroot) && strstr($documentroot, ":") !== false) {
- \Froxlor\UI\Response::standard_error('pathmaynotcontaincolon', '', true);
- }
 $ssl_protocols = array();
 if (! empty($p_ssl_protocols) && is_numeric($p_ssl_protocols)) {
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 9472e51f..64d33b3c 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1722,7 +1722,7 @@ $lng['serversettings']['panel_password_special_char_required']['description'] =
 $lng['serversettings']['panel_password_special_char']['title'] = 'Special characters list';
 $lng['serversettings']['panel_password_special_char']['description'] = 'One of these characters is required if the above option is set.';
 $lng['phpfpm']['use_mod_proxy']['title'] = 'Use mod_proxy / mod_proxy_fcgi';
-$lng['phpfpm']['use_mod_proxy']['description'] = 'Must be enabled when using Debian 9.x (Stretch). Activate to use php-fpm via mod_proxy_fcgi. Requires at least apache-2.4.9';
+$lng['phpfpm']['use_mod_proxy']['description'] = 'Must be enabled when using Debian 9.x (Stretch) or newer. Activate to use php-fpm via mod_proxy_fcgi. Requires at least apache-2.4.9';
 $lng['error']['no_phpinfo'] = 'Sorry, unable to read phpinfo()';
 $lng['admin']['movetoadmin'] = 'Move customer';
@@ -2135,3 +2135,4 @@ $lng['error']['notallowedphpconfigused'] = 'Trying to use php-config which is no
 $lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'] = 'Assign this configuration to all currently existing customers';
 $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'] = 'Set this to "true" if you want to assign this configuration to all currently existing customers so it can be used by them. This setting is not permanent but can be run multiple times.';
+$lng['error']['pathmustberelative'] = 'The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 7d85d144..c5b7bcc6 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1445,7 +1445,7 @@ $lng['serversettings']['panel_password_special_char_required']['description'] =
 $lng['serversettings']['panel_password_special_char']['title'] = 'Sonderzeichen-Liste';
 $lng['serversettings']['panel_password_special_char']['description'] = 'Mindestens eines dieser Sonderzeichen muss in dem Passwort vorkommen, sofern die Sonderzeichen-Option aktiviert ist.';
 $lng['phpfpm']['use_mod_proxy']['title'] = 'Verwende mod_proxy / mod_proxy_fcgi';
-$lng['phpfpm']['use_mod_proxy']['description'] = 'Muss gesetzt sein bei Debian 9.x (Stretch). Diese Option kann aktiviert werden, um php-fpm via mod_proxy_fcgi einzubinden. Dies setzt mindestens apache-2.4.9 voraus';
+$lng['phpfpm']['use_mod_proxy']['description'] = 'Muss gesetzt sein bei Debian 9.x (Stretch) oder neuer. Diese Option kann aktiviert werden, um php-fpm via mod_proxy_fcgi einzubinden. Dies setzt mindestens apache-2.4.9 voraus';
 $lng['error']['no_phpinfo'] = 'Entschuldigung, es ist nicht möglich die phpinfo() auszulesen.';
 $lng['admin']['movetoadmin'] = 'Kunde verschieben';
@@ -1781,3 +1781,4 @@ $lng['error']['notallowedphpconfigused'] = 'Nutzung einer PHP-Konfiguration welc
 $lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'] = 'Für aktuelle Kunden automatisch hinzufügen';
 $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'] = 'Ist diese Einstellung aktiv, wird die Konfiguration automatisch allen aktuell existierenden Kunden-Accounts zugewiesen. Diese Einstellung ist nicht permanent, kann aber mehrfach / nach Bedarf ausgeführt werden.';
+$lng['error']['pathmustberelative'] = 'Der Benutzer hat nicht die benötigten Berechtigungen, um Pfade außerhalb des Kunden-Heimatverzeichnisses anzugeben. Bitte einen relativen Pfad angeben (kein führendes /).';
diff --git a/tests/Domains/DomainsTest.php b/tests/Domains/DomainsTest.php
index 274bc0d3..a7081d34 100644
--- a/tests/Domains/DomainsTest.php
+++ b/tests/Domains/DomainsTest.php
@@ -138,6 +138,25 @@ class DomainsTest extends TestCase
 $this->assertEquals(2, $result['subcanemaildomain']);
 }
+ public function testResellerDomainsAddWithAbsolutePathNoChangeServerSettings()
+ {
+ global $admin_userdata;
+ // get reseller
+ $json_result = Admins::getLocal($admin_userdata, array(
+ 'loginname' => 'reseller'
+ ))->get();
+ $reseller_userdata = json_decode($json_result, true)['data'];
+ $reseller_userdata['adminsession'] = 1;
+ $data = [
+ 'domain' => 'test3.local',
+ 'customerid' => 1,
+ 'documentroot' => '/some/absolute/directory/the_reseller/cannot/set/',
+ 'ipandport' => 4
+ ];
+ $this->expectExceptionMessage("The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).");
+ $json_result = Domains::getLocal($reseller_userdata, $data)->add();
+ }
+
 /**
 *
 * @depends testAdminDomainsAdd
@@ -161,6 +180,27 @@ class DomainsTest extends TestCase
 $this->assertEquals('test2.local', $result['domain']);
 }
+ /**
+ *
+ * @depends testResellerDomainsUpdate
+ */
+ public function testResellerDomainsUpdateAboslutePathNotAllowed()
+ {
+ global $admin_userdata;
+ // get reseller
+ $json_result = Admins::getLocal($admin_userdata, array(
+ 'loginname' => 'reseller'
+ ))->get();
+ $reseller_userdata = json_decode($json_result, true)['data'];
+ $reseller_userdata['adminsession'] = 1;
+ $data = [
+ 'domainname' => 'test2.local',
+ 'documentroot' => '/some/other/dir'
+ ];
+ $this->expectExceptionMessage("The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).");
+ $json_result = Domains::getLocal($reseller_userdata, $data)->update();
+ }
+
 public function testAdminDomainsAddSysHostname()
 {
 global $admin_userdata;
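Review bot: `testResellerDomainsUpdateAboslutePathNotAllowed` misspells "Absolute" in the method name; renaming it to `testResellerDomainsUpdateAbsolutePathNotAllowed` before anything depends on it is cheap. Both new tests pin the full English error text, so any wording change to `$lng['error']['pathmustberelative']` breaks them; if standard_error() attaches an error code, `expectExceptionCode()`, or looking the message up through the lng array, would be more stable. The reseller lookup is duplicated verbatim in both tests and could move to a small private helper, and the final `$json_result = ...` assignment in each test is never read, so the call can stand on its own. Neither test covers the relative-path cases (a `..`-containing value, or a path under the customer's home) that the new checks in add() and update() also affect.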