From df6df4c5d3c817e3d43bb63f1b603430aa90e85e Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Thu, 5 May 2022 15:02:09 +0200
Subject: [PATCH] validating input of install
Signed-off-by: Michael Kaufmann
---
 lib/Froxlor/Install/Install.php | 68 ++++++++++++++++++--
 lib/formfields/install/formfield.install.php | 7 +-
 lng/en.lng.php | 12 ++++
 3 files changed, 77 insertions(+), 10 deletions(-)
diff --git a/lib/Froxlor/Install/Install.php b/lib/Froxlor/Install/Install.php
index 3f949636..e604caa9 100644
--- a/lib/Froxlor/Install/Install.php
+++ b/lib/Froxlor/Install/Install.php
@@ -30,6 +30,7 @@ use Froxlor\Install\Install\Core;
 use Froxlor\UI\Panel\UI;
 use Froxlor\UI\Request;
 use Froxlor\Config\ConfigParser;
+use Froxlor\Validate\Validate;
 class Install
 {
@@ -138,6 +139,14 @@ class Install
 if ($this->currentStep == 1) {
 $this->checkDatabase($validatedData);
 }
+ // Check validity of admin user data
+ elseif ($this->currentStep == 2) {
+ $this->checkAdminUser($validatedData);
+ }
+ // Check validity of system data
+ elseif ($this->currentStep == 3) {
+ $this->checkSystem($validatedData);
+ }
 // Store validated data for later use
 $_SESSION['installation'] = array_merge($_SESSION['installation'] ?? [], $validatedData);
 }
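Review bot: After `checkAdminUser()` passes, the unchanged `array_merge` at the end of this hunk still copies every validated field into `$_SESSION['installation']`, which for step 2 would include `admin_pass` and `admin_pass_confirm` in clear text (inferred from the keys `checkAdminUser()` reads; the code that later consumes the session is outside the hunk). The confirmation copy has no purpose once the comparison has succeeded, so I would drop it before the merge with `unset($validatedData['admin_pass_confirm']);`, provided no later step reads it back. The remaining password should be removed from the session as soon as the installer has used it. The enclosing method starts and ends outside the hunk.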
@@ -228,6 +237,51 @@ class Install
 return $attribute;
 }
+ /**
+ * @throws Exception
+ */
+ private function checkSystem(array $validatedData): void
+ {
+ $serverip = $validatedData['serverip'] ?? '';
+ $servername = $validatedData['servername'] ?? '';
+ $httpuser = $validatedData['httpuser'] ?? 'www-data';
+ $httpgroup = $validatedData['httpgroup'] ?? 'www-data';
+
+ if (!Validate::validate_ip2($serverip, true, '', false, true)) {
+ throw new Exception(lng('error.invalidip', [$serverip]));
+ } elseif (!Validate::validateDomain($servername) && !Validate::validateLocalHostname($servername)) {
+ throw new Exception(lng('install.errors.servernameneedstobevalid'));
+ } elseif (posix_getpwnam($httpuser) === false) {
+ throw new Exception(lng('install.errors.websrvuserdoesnotexist'));
+ } elseif (posix_getgrnam($httpgroup) === false) {
+ throw new Exception(lng('install.errors.websrvgrpdoesnotexist'));
+ }
+ }
+
+ /**
+ * @throws Exception
+ */
+ private function checkAdminUser(array $validatedData): void
+ {
+ $name = $validatedData['admin_name'] ?? 'Administrator';
+ $loginname = $validatedData['admin_user'] ?? '';
+ $email = $validatedData['admin_email'] ?? '';
+ $password = $validatedData['admin_pass'] ?? '';
+ $password_confirm = $validatedData['admin_pass_confirm'] ?? '';
+
+ if (!preg_match('/^[^\r\n\t\f\0]*$/D', $name)) {
+ throw new Exception(lng('error.stringformaterror', ['admin_name']));
+ } elseif (empty(trim($loginname)) || !preg_match('/^[a-z][a-z0-9]', $loginname)) {
+ throw new Exception(lng('error.loginnameiswrong', [$loginname]));
+ } elseif (empty(trim($email)) || !Validate::validateEmail($email)) {
+ throw new Exception(lng('error.emailiswrong', [$email]));
+ } elseif (empty($password) || $password != $password_confirm) {
+ throw new Exception(lng('error.newpasswordconfirmerror'));
+ } elseif (!empty($password) && $password == $loginname) {
+ throw new Exception(lng('error.passwordshouldnotbeusername'));
+ }
+ }
+
 /**
 * @throws Exception
 */
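Review bot: In `checkAdminUser()` the login-name pattern `'/^[a-z][a-z0-9]'` is shown without a closing delimiter, so `preg_match()` would emit a warning and return `false`, and the `!preg_match(...)` branch then rejects every login name, valid or not. Assuming the intent is a lowercase letter followed by lowercase letters or digits, a fully anchored pattern such as `'/^[a-z][a-z0-9]*$/D'` is needed; fixing only the delimiter would leave everything after the second character unchecked. The two password comparisons use loose operators, and PHP compares numeric strings by value, so `'1e1'` and `'10'` count as a matching confirmation; use `$password !== $password_confirm` and `$password === $loginname`. In `checkSystem()`, `posix_getpwnam()` and `posix_getgrnam()` are called unguarded, so a PHP build without the posix extension ends in a fatal error rather than an installer message.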
@@ -243,37 +297,37 @@ class Install
 ]);
 $hasDatabase = $stmt->fetch();
 if ($hasDatabase && !$validatedData['mysql_force_create']) {
- throw new Exception('Database already exist, please set override option to rebuild!');
+ throw new Exception(lng('install.errors.databaseexists'));
 }
 // check if we can create a new database
 $testDatabase = uniqid('froxlor_tmp_');
 if ($pdo->exec('CREATE DATABASE IF NOT EXISTS ' . $testDatabase . ';') === false) {
- throw new Exception('cant create test db');
+ throw new Exception(lng('install.errors.unabletocreatedb'));
 }
 if ($pdo->exec('DROP DATABASE IF EXISTS ' . $testDatabase . ';') === false) {
- throw new Exception('Cant drop test db');
+ throw new Exception(lng('install.errors.unabletodropdb'));
 }
 // check if the user already exist
 $stmt = $pdo->prepare("SELECT `User` FROM `mysql`.`user` WHERE `User` = ?");
 $stmt->execute([$validatedData['mysql_unprivileged_user']]);
 if ($stmt->rowCount() && !$validatedData['mysql_force_create']) {
- throw new Exception('Username already exist, please use another username or delete it first!');
+ throw new Exception(lng('install.errors.mysqlusernameexists'));
 }
 // check if we can create a new user
 $testUser = uniqid('froxlor_tmp_');
 $stmt = $pdo->prepare('CREATE USER ?@? IDENTIFIED BY ?');
 if ($stmt->execute([$testUser, $validatedData['mysql_host'], uniqid()]) === false) {
- throw new Exception('cant create test user');
+ throw new Exception(lng('install.errors.unabletocreateuser'));
 }
 $stmt = $pdo->prepare('DROP USER ?@?');
 if ($stmt->execute([$testUser, $validatedData['mysql_host']]) === false) {
- throw new Exception('cant create test user');
+ throw new Exception(lng('install.errors.unabletodropuser'));
 }
 if ($pdo->prepare('FLUSH PRIVILEGES')->execute() === false) {
- throw new Exception('Cant flush privileges');
+ throw new Exception(lng('install.errors.unabletoflushprivs'));
 }
 }
 }
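Review bot: The temporary MySQL account in the unchanged context lines is created with `uniqid()` as its password, which is derived from the current time and is not a secret; if the following `DROP USER` fails, the new `unabletodropuser` exception is thrown and the `froxlor_tmp_` account stays behind with a guessable credential. I would generate the password with `bin2hex(random_bytes(16))` so that a leftover account is at least not predictable. The `=== false` checks only fire when PDO reports errors through return values; with `PDO::ERRMODE_EXCEPTION` a `PDOException` would surface instead of the translated message, and the connection setup is outside the hunk, so the mode should be confirmed. `checkDatabase()` begins above this hunk.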
diff --git a/lib/formfields/install/formfield.install.php b/lib/formfields/install/formfield.install.php
index a13f3260..b994eb61 100644
--- a/lib/formfields/install/formfield.install.php
+++ b/lib/formfields/install/formfield.install.php
@@ -180,26 +180,27 @@ return [
 'type' => 'select',
 'mandatory' => true,
 'select_var' => $this->webserverBackend,
+ 'selected' => old('webserver_backend', 'php-fpm', 'installation'),
 ],
 'httpuser' => [
 'label' => lng('admin.webserver_user'),
 'placeholder' => lng('admin.webserver_user'),
 'type' => 'text',
 'mandatory' => true,
- 'value' => old('httpuser', 'www-data', 'installation'),
+ 'value' => old('httpuser', posix_getpwuid(posix_getuid()), 'installation'),
 ],
 'httpgroup' => [
 'label' => lng('admin.webserver_group'),
 'placeholder' => lng('admin.webserver_group'),
 'type' => 'text',
 'mandatory' => true,
- 'value' => old('httpgroup', 'www-data', 'installation'),
+ 'value' => old('httpgroup', posix_getgrgid(posix_getgid()), 'installation'),
 ],
 'activate_newsfeed' => [
 'label' => lng('install.system.activate_newsfeed'),
 'type' => 'checkbox',
 'value' => '1',
- 'checked' => false
+ 'checked' => old('activate_newsfeed', '0', 'installation'),
 ],
 ]
 ],
diff --git a/lng/en.lng.php b/lng/en.lng.php
index 1a6d35c2..8a0a6c70 100644
--- a/lng/en.lng.php
+++ b/lng/en.lng.php
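Review bot: `posix_getpwuid()` and `posix_getgrgid()` return an associative array (or `false`), not a name, so the new defaults for `httpuser` and `httpgroup` in formfield.install.php hand an array to `old()` where the previous code passed the string `'www-data'`. The text fields need the `name` element: `posix_getpwuid(posix_getuid())['name'] ?? 'www-data'` and `posix_getgrgid(posix_getgid())['name'] ?? 'www-data'`. Both calls also assume the posix extension is loaded; a `function_exists('posix_getpwuid')` guard with the old literal as fallback would keep the form rendering when it is not. The array literal starts and ends outside the hunk.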
@@ -2498,5 +2498,17 @@ Yours sincerely, your administrator',
 'description' => 'The command below will download, install and configure your system according to the data you have given in this installation process.',
 'runcmd' => 'Run the following command as root-user in your shell on this server:',
 ],
+ 'errors' => [
+ 'databaseexists' => 'Database already exist, please set override option to rebuild!',
+ 'unabletocreatedb' => 'Test database could not be created',
+ 'unabletodropdb' => 'Test database could not be dropped',
+ 'mysqlusernameexists' => 'The user specified for unprivileged user already exist. Please use another username or delete it first.',
+ 'unabletocreateuser' => 'Test user could not be created',
+ 'unabletodropuser' => 'Test user could not be dropped',
+ 'unabletoflushprivs' => 'Given privileged user is unable to flush privileges',
+ 'servernameneedstobevalid' => 'Given servername does not seem to be a FQDN or hostname',
+ 'websrvuserdoesnotexist' => 'Given webserver-user does not seem to exist on the system',
+ 'websrvgrpdoesnotexist' => 'Given webserver-group does not seem to exist on the system',
+ ]
 ],
 ];