From cffd16a6a1979d520f8b0bfa9aac9a004578d160 Mon Sep 17 00:00:00 2001 From: "Michael Kaufmann (d00p)" Date: Tue, 24 Dec 2013 10:13:11 +0100 Subject: [PATCH] re-do all the fixes (git screwed up branches, i don't know, this is a clean one now) Signed-off-by: Michael Kaufmann (d00p) --- customer_domains.php | 8 +-- customer_extras.php | 39 +++++++-------- customer_ftp.php | 56 ++++++++++----------- lib/classes/database/class.Database.php | 66 ++++++++++++++++++------- 4 files changed, 100 insertions(+), 69 deletions(-) diff --git a/customer_domains.php b/customer_domains.php index eebc173b..949ffa4d 100644 --- a/customer_domains.php +++ b/customer_domains.php @@ -425,7 +425,7 @@ if($page == 'overview') { } $openbasedir = makeoption($lng['domain']['docroot'], 0, NULL, true) . makeoption($lng['domain']['homedir'], 1, NULL, true); - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit']); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid']); $subdomain_add_data = include_once dirname(__FILE__).'/lib/formfields/customer/domains/formfield.domains_add.php'; $subdomain_add_form = htmlform::genHTMLForm($subdomain_add_data); 
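Review bot: Dropping `$settings['panel']['pathedit']` from the fourth argument of every `makePathfield()` call shifts the remaining positional arguments (`$result['documentroot']`, `'/'`, `$homedir`, and the trailing `true` in the @@ -615 hunk) one slot to the left, yet none of the four files in this patch contains the `makePathfield` definition, so the calls are only correct if that function's signature was already changed in a separate commit — worth confirming before merging. The same applies to the call sites in the @@ -615 hunk of this file, customer_extras.php @@ -184 and @@ -400, and customer_ftp.php @@ -301 and @@ -422. The bare positional `true` in `makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $result['documentroot'], true)` gives a reader no hint what it toggles; a short inline comment naming the flag, e.g. `/* <flag name> */ true`, would help, with the real parameter name taken from the function's definition.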
@@ -615,14 +615,14 @@ if($page == 'overview') { if(preg_match('/^https?\:\/\//', $result['documentroot']) && validateUrl($idna_convert->encode($result['documentroot']))) { if($settings['panel']['pathedit'] == 'Dropdown') { $urlvalue = $result['documentroot']; - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit']); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid']); } else { $urlvalue = ''; - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit'], $result['documentroot'], true); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $result['documentroot'], true); } } else { $urlvalue = ''; - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit'], $result['documentroot']); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $result['documentroot']); } $redirectcode = ''; diff --git a/customer_extras.php b/customer_extras.php index 235a2e72..012120c7 100644 --- a/customer_extras.php +++ b/customer_extras.php 
@@ -41,15 +41,15 @@ if($page == 'overview') { $backup_enabled = makeyesno('backup_enabled', '1', '0', $row['backup_enabled']); if(isset($_POST['send']) && $_POST['send'] == 'send') { - $backup_enabled = ($_POST['backup_enabled'] == '1' ? '1' : '0'); - + $backup_enabled = ($_POST['backup_enabled'] == '1' ? '1' : '0'); + $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `backup_enabled`= :backupenabled WHERE `customerid`= :customerid" ); Database::pexecute($stmt, array("backupenabled" => $backup_enabled, "customerid" => $userinfo['customerid'])); - - redirectTo($filename, Array('page' => $page, 's' => $s)); + + redirectTo($filename, Array('page' => $page, 's' => $s)); } $backup_data = include_once dirname(__FILE__).'/lib/formfields/customer/extras/formfield.backup.php'; @@ -57,7 +57,7 @@ if($page == 'overview') { $title = $backup_data['backup']['title']; $image = $backup_data['backup']['image']; - + eval("echo \"" . getTemplate("extras/backup") . "\";"); } elseif($page == 'htpasswds') { if($action == '') { @@ -110,7 +110,7 @@ if($page == 'overview') { AND `id`= :id" ); Database::pexecute($stmt, array("customerid" => $userinfo['customerid'], "id" => $id)); - + $log->logAction(USR_ACTION, LOG_INFO, "deleted htpasswd for '" . $result['username'] . " (" . $result['path'] . ")'"); inserttask('1'); redirectTo($filename, Array('page' => $page, 's' => $s)); @@ -130,7 +130,7 @@ if($page == 'overview') { $username = validate($_POST['username'], 'username', '/^[a-zA-Z0-9][a-zA-Z0-9\-_]+\$?$/'); $authname = validate($_POST['directory_authname'], 'directory_authname', '/^[a-zA-Z0-9][a-zA-Z0-9\-_ ]+\$?$/'); validate($_POST['directory_password'], 'password'); - + $username_path_check_stmt = Database::prepare("SELECT `id`, `username`, `path` FROM `" . TABLE_PANEL_HTPASSWDS . "` WHERE `username`= :username AND `path`= :path 
@@ -184,7 +184,7 @@ if($page == 'overview') { redirectTo($filename, Array('page' => $page, 's' => $s)); } } else { - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit']); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid']); $htpasswd_add_data = include_once dirname(__FILE__).'/lib/formfields/customer/extras/formfield.htpasswd_add.php'; $htpasswd_add_form = htmlform::genHTMLForm($htpasswd_add_data); @@ -213,18 +213,18 @@ if($page == 'overview') { } else { $password = crypt($_POST['directory_password']); } - + $params = array( "customerid" => $userinfo['customerid'], "id" => $id ); - + $pwd_sql = ''; if($_POST['directory_password'] != '') { $pwd_sql = "`password`= :password "; $params["password"] = $password; } - + $auth_sql = ''; if($authname != $result['authname']) { $auth_sql = "`authname`= :authname "; @@ -344,7 +344,7 @@ if($page == 'overview') { ); Database::pexecute($path_dupe_check_stmt, array("path" => $path, "customerid" => $userinfo['customerid'])); $path_dupe_check = $path_dupe_check_stmt->fetch(PDO::FETCH_ASSOC); - + if(!$_POST['path']) { standard_error('invalidpath'); } @@ -353,18 +353,18 @@ if($page == 'overview') { $options_cgi = '1'; } else { $options_cgi = '0'; - } + } $error404path = ''; if (isset($_POST['error404path'])) { $error404path = correctErrorDocument($_POST['error404path']); } - + $error403path = ''; if (isset($_POST['error403path'])) { $error403path = correctErrorDocument($_POST['error403path']); } - + $error500path = ''; if (isset($_POST['error500path'])) { $error500path = correctErrorDocument($_POST['error500path']); 
@@ -400,7 +400,7 @@ if($page == 'overview') { redirectTo($filename, Array('page' => $page, 's' => $s)); } } else { - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit']); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid']); $cperlenabled = customerHasPerlEnabled($userinfo['customerid']); /* $options_indexes = makeyesno('options_indexes', '1', '0', '0'); @@ -444,8 +444,8 @@ if($page == 'overview') { || ($error404path != $result['error404path']) || ($error403path != $result['error403path']) || ($error500path != $result['error500path']) - || ($options_cgi != $result['options_cgi'])) { - + || ($options_cgi != $result['options_cgi']) + ) { inserttask('1'); $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_HTACCESS . "` SET `options_indexes` = :options_indexes, @@ -489,7 +489,7 @@ if($page == 'overview') { $htaccess_edit_data = include_once dirname(__FILE__).'/lib/formfields/customer/extras/formfield.htaccess_edit.php'; $htaccess_edit_form = htmlform::genHTMLForm($htaccess_edit_data); - + $title = $htaccess_edit_data['htaccess_edit']['title']; $image = $htaccess_edit_data['htaccess_edit']['image']; @@ -499,4 +499,3 @@ if($page == 'overview') { } } -?> diff --git a/customer_ftp.php b/customer_ftp.php index 3dbda933..ca8a4db2 100644 --- a/customer_ftp.php +++ b/customer_ftp.php @@ -38,7 +38,7 @@ if ($page == 'overview') { 'homedir' => $lng['panel']['path'] ); $paging = new paging($userinfo, TABLE_FTP_USERS, $fields, $settings['panel']['paging'], $settings['panel']['natsorting']); - + $result_stmt = Database::prepare("SELECT `id`, `username`, `homedir` FROM `" . TABLE_FTP_USERS . "` WHERE `customerid`= :customerid AND `username` NOT LIKE '%_backup'" . $paging->getSqlWhere(true) . " " . $paging->getSqlOrderBy() . " " . $paging->getSqlLimit() 
@@ -63,7 +63,7 @@ if ($page == 'overview') { } $row['documentroot'] = makeCorrectDir($row['documentroot']); - + $row = htmlentities_array($row); eval("\$accounts.=\"" . getTemplate('ftp/accounts_account') . "\";"); $count++; @@ -80,7 +80,7 @@ if ($page == 'overview') { ); Database::pexecute($result_stmt, array("customerid" => $userinfo['customerid'], "id" => $id)); $result = $result_stmt->fetch(PDO::FETCH_ASSOC); - + if (isset($result['username']) && $result['username'] != $userinfo['loginname']) { if (isset($_POST['send']) && $_POST['send'] == 'send') { $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "` @@ -98,23 +98,23 @@ if ($page == 'overview') { "username" => $userinfo['loginname'] ); Database::pexecute($stmt, $params); - + $result_stmt = Database::prepare("SELECT `username`, `homedir` FROM `" . TABLE_FTP_USERS . "` WHERE `customerid` = :customerid AND `id` = :id" ); Database::pexecute($result_stmt, array("customerid" => $userinfo['customerid'], "id" => $id)); $result = $result_stmt->fetch(PDO::FETCH_ASSOC); - + $stmt = Database::prepare("DELETE FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = :name"); Database::pexecute($stmt, array("name" => $result['username'])); - + $stmt = Database::prepare("DELETE FROM `" . TABLE_FTP_USERS . "` WHERE `customerid` = :customerid AND `id` = :id" ); Database::pexecute($stmt, array("customerid" => $userinfo['customerid'], "id" => $id)); - + $stmt = Database::prepare(" UPDATE `" . TABLE_FTP_GROUPS . "` SET `members` = REPLACE(`members`, :username,'') 
@@ -130,13 +130,13 @@ if ($page == 'overview') { if (isset($_POST['delete_userfiles']) && (int)$_POST['delete_userfiles'] == 1) { inserttask('8', $userinfo['loginname'], $result['homedir']); } - + $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `ftps_used` = `ftps_used` - 1 $resetaccnumber WHERE `customerid` = :customerid" ); Database::pexecute($stmt, array("customerid" => $userinfo['customerid'])); - + redirectTo($filename, array('page' => $page, 's' => $s)); } else { ask_yesno_withcheckbox('ftp_reallydelete', 'admin_customer_alsoremoveftphomedir', $filename, array('id' => $id, 'page' => $page, 'action' => $action), $result['username']); @@ -170,7 +170,7 @@ if ($page == 'overview') { ); Database::pexecute($ftpdomain_check_stmt, array("domain" => $ftpdomain, "customerid" => $userinfo['customerid'])); $ftpdomain_check = $ftpdomain_check_stmt->fetch(PDO::FETCH_ASSOC); - + if ($ftpdomain_check['domain'] != $ftpdomain) { standard_error('maindomainnonexist', $domain); } @@ -178,13 +178,13 @@ if ($page == 'overview') { } else { $username = $userinfo['loginname'] . $settings['customer']['ftpprefix'] . (intval($userinfo['ftp_lastaccountnumber']) + 1); } - + $username_check_stmt = Database::prepare("SELECT * FROM `" . TABLE_FTP_USERS . "` WHERE `username` = :username" ); Database::pexecute($username_check_stmt, array("username" => $username)); $username_check = $username_check_stmt->fetch(PDO::FETCH_ASSOC); - + if (!empty($username_check) && $username_check['username'] = $username) { standard_error('usernamealreadyexists', $username); } elseif ($password == '') { @@ -195,7 +195,7 @@ if ($page == 'overview') { $path = makeCorrectDir($userinfo['documentroot'] . '/' . $path); $cryptPassword = makeCryptPassword($password); - + $stmt = Database::prepare("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES (:customerid, :username, :password, :homedir, 'y', :guid, :guid)" 
@@ -208,12 +208,12 @@ if ($page == 'overview') { "guid" => $userinfo['guid'] ); Database::pexecute($stmt, $params); - + $result_stmt = Database::prepare("SELECT `bytes_in_used` FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = :name" ); Database::pexecute($result_stmt, array("name" => $userinfo['loginname'])); - + while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $stmt = Database::prepare("INSERT INTO `" . TABLE_FTP_QUOTATALLIES . "` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) @@ -221,7 +221,7 @@ if ($page == 'overview') { ); Database::pexecute($stmt, array("name" => $username, "bytes_in_used" => $row['bytes_in_used'])); } - + $stmt = Database::prepare("UPDATE `" . TABLE_FTP_GROUPS . "` SET `members` = CONCAT_WS(',',`members`, :username) WHERE `customerid`= :customerid @@ -233,7 +233,7 @@ if ($page == 'overview') { "guid" => $userinfo['guid'] ); Database::pexecute($stmt, $params); - + $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `ftps_used` = `ftps_used` + 1, `ftp_lastaccountnumber` = `ftp_lastaccountnumber` + 1 @@ -252,7 +252,7 @@ if ($page == 'overview') { 'USR_PASS' => $password, 'USR_PATH' => makeCorrectDir(substr($path, strlen($userinfo['documentroot']))) ); - + $def_language = $userinfo['def_language']; $result_stmt = Database::prepare("SELECT `value` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid` = :adminid @@ -263,7 +263,7 @@ if ($page == 'overview') { Database::pexecute($result_stmt, array("adminid" => $userinfo['adminid'], "lang" => $def_language)); $result = $result_stmt->fetch(PDO::FETCH_ASSOC); $mail_subject = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $lng['customer']['ftp_add']['infomail_subject']), $replace_arr)); - + $def_language = $userinfo['def_language']; $result_stmt = Database::prepare("SELECT `value` FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid` = :adminid 
@@ -274,7 +274,7 @@ if ($page == 'overview') { Database::pexecute($result_stmt, array("adminid" => $userinfo['adminid'], "lang" => $def_language)); $result = $result_stmt->fetch(PDO::FETCH_ASSOC); $mail_body = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $lng['customer']['ftp_add']['infomail_body']['main']), $replace_arr)); - + $_mailerror = false; try { $mail->Subject = $mail_subject; @@ -301,7 +301,7 @@ if ($page == 'overview') { redirectTo($filename, Array('page' => $page, 's' => $s)); } } else { - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit'], '/'); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], '/'); if ($settings['customer']['ftpatdomain'] == '1') { $domainlist = array(); @@ -348,7 +348,7 @@ if ($page == 'overview') { if (isset($_POST['send']) && $_POST['send'] == 'send') { // @FIXME use a good path-validating regex here (refs #1231) $path = validate($_POST['path'], 'path'); - + $_setnewpass = false; if (isset($_POST['ftp_password']) && $_POST['ftp_password'] != '') { $password = validate($_POST['ftp_password'], 'password'); @@ -363,14 +363,14 @@ if ($page == 'overview') { } $log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'"); $cryptPassword = makeCryptPassword($password); - + $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "` SET `password` = :password WHERE `customerid` = :customerid AND `id` = :id" ); Database::pexecute($stmt, array("customerid" => $userinfo['customerid'], "id" => $id, "password" => $cryptPassword)); - + // also update customers backup user password if password of main ftp user is changed if(!preg_match('/' . $settings['customer']['ftpprefix'] . '/', $result['username'])) { $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "` 
@@ -386,7 +386,7 @@ if ($page == 'overview') { Database::pexecute($stmt, $params); } } - + if ($path != '') { $path = makeCorrectDir($userinfo['documentroot'] . '/' . $path); @@ -398,7 +398,7 @@ if ($page == 'overview') { } $log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account homdir for '" . $result['username'] . "'"); - + $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "` SET `homedir` = :homedir WHERE `customerid` = :customerid @@ -409,7 +409,7 @@ if ($page == 'overview') { "customerid" => $userinfo['customerid'], "id" => $id ); - Database::pexecute($stmt, $params); + Database::pexecute($stmt, $params); } } @@ -422,7 +422,7 @@ if ($page == 'overview') { } $homedir = makeCorrectDir($homedir); - $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $settings['panel']['pathedit'], $homedir); + $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid'], $homedir); if ($settings['customer']['ftpatdomain'] == '1') { $domains = ''; diff --git a/lib/classes/database/class.Database.php b/lib/classes/database/class.Database.php index 71cf51ce..b9bb431d 100644 --- a/lib/classes/database/class.Database.php +++ b/lib/classes/database/class.Database.php 
@@ -327,25 +327,57 @@ class Database { @fclose($errlog); if ($showerror) { - if (!isset($_SERVER['SHELL']) || (isset($_SERVER['SHELL']) && $_SERVER['SHELL'] == '')) { - // if we're not on the shell, output a nicer error-message - $err_hint = file_get_contents(dirname($sl_dir).'/templates/'.$theme.'/misc/dberrornice.tpl'); - // replace values - $err_hint = str_replace("", $error->getMessage(), $err_hint); - $err_hint = str_replace("", $error->getTraceAsString(), $err_hint); - $err_report_html = ''; - if (is_array($userinfo) && ( - ($userinfo['adminsession'] == '1' && $settings['system']['allow_error_report_admin'] == '1') - || ($userinfo['adminsession'] == '0' && $settings['system']['allow_error_report_customer'] == '1')) - ) { - $err_report_html = 'Report error'; - $err_report_html = str_replace("", $linker->getLink(array('section' => 'index', 'page' => 'send_error_report', 'errorid' => $errid)), $err_report_html); + // include userdata.inc.php + require FROXLOR_INSTALL_DIR."/lib/userdata.inc.php"; + + // le format + if (self::$_needroot == true + && isset($sql['root_user']) + && isset($sql['root_password']) + && (!isset($sql_root) || !is_array($sql_root)) + ) { + $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'user' => $sql['root_user'], 'password' => $sql['root_password'])); + } + + // hide username/password in messages + $error_message = $error->getMessage(); + $error_trace = $error->getTraceAsString(); + // error-message + $error_message = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_message); + $error_message = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_message); + // error-trace + $error_trace = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace); + $error_trace = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_trace); + + // clean up sensitive data + unset($sql); + unset($sql_root); + + if ((isset($theme) && $theme != '') + && !isset($_SERVER['SHELL']) || (isset($_SERVER['SHELL']) 
&& $_SERVER['SHELL'] == '') + ) { + // if we're not on the shell, output a nice error + $_errtpl = dirname($sl_dir).'/templates/'.$theme.'/misc/dberrornice.tpl'; + if (file_exists($_errtpl)) { + $err_hint = file_get_contents($_errtpl); + // replace values + $err_hint = str_replace("", $error_message, $err_hint); + $err_hint = str_replace("", $error_trace, $err_hint); + + $err_report_html = ''; + if (is_array($userinfo) && ( + ($userinfo['adminsession'] == '1' && $settings['system']['allow_error_report_admin'] == '1') + || ($userinfo['adminsession'] == '0' && $settings['system']['allow_error_report_customer'] == '1')) + ) { + $err_report_html = 'Report error'; + $err_report_html = str_replace("", $linker->getLink(array('section' => 'index', 'page' => 'send_error_report', 'errorid' => $errid)), $err_report_html); + } + $err_hint = str_replace("", $err_report_html, $err_hint); + + // show + die($err_hint); } - $err_hint = str_replace("", $err_report_html, $err_hint); - - // show - die($err_hint); } die("We are sorry, but a MySQL - error occurred. The administrator may find more information in in the sql-error.log in the logs/ directory"); }
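Review bot: The credential masking added around `str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace)` can still leak a password, because `Exception::getTraceAsString()` truncates string arguments to 15 characters followed by `...`, so a password longer than that appears in `$error_trace` as a prefix that the full-string replacement never matches. `$sql_root[0]['password']` is only defined when `self::$_needroot` is true or `userdata.inc.php` itself sets `$sql_root`; otherwise the two root replacements read an undefined index (a notice, and an empty needle replaces nothing), so they need an `isset($sql_root[0]['password'])` guard. In the template condition, `&&` binds tighter than `||`, so the `(isset($_SERVER['SHELL']) && $_SERVER['SHELL'] == '')` branch is taken without the `$theme` check; `(isset($theme) && $theme != '') && (!isset($_SERVER['SHELL']) || $_SERVER['SHELL'] == '')` expresses what the comment describes. Whether the unmasked trace was already written to the error log before the `@fclose($errlog)` at the top of the hunk is outside this view. The masking block could be rewritten as below.
```php
// hide username/password in messages
$error_message = $error->getMessage();
$error_trace = $error->getTraceAsString();
$secrets = array('DB_UNPRIV_PWD' => $sql['password']);
if (isset($sql_root[0]['password'])) {
    $secrets['DB_ROOT_PWD'] = $sql_root[0]['password'];
}
foreach ($secrets as $label => $secret) {
    if ($secret === '') {
        continue;
    }
    $error_message = str_replace($secret, $label, $error_message);
    // getTraceAsString() truncates string arguments to 15 chars, so mask that prefix as well
    $error_trace = str_replace(array($secret, substr($secret, 0, 15)), $label, $error_trace);
}
// … unchanged: unset($sql); unset($sql_root); template output …
```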