finally removed super-old syscp-update-procedures, we now require the last available syscp for upgrading; migrate some functions to PDO database class, refs #1287

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>

lib/functions/filedir/function.maildirExists.php

@@ -24,7 +24,7 @@
  */
 function maildirExists($result = null)
 {
-	global $settings, $theme;
+	global $settings;
 
 	if(is_array($result))
 	{

lib/functions/filedir/function.makeChownWithNewStats.php

@@ -26,7 +26,7 @@
  */
 function makeChownWithNewStats($row)
 {
-	global $settings, $theme;
+	global $settings;
 
 	// get correct user
 	if($settings['system']['mod_fcgid'] == '1' && isset($row['deactivated']) && $row['deactivated'] == '0')

lib/functions/filedir/function.makePathfield.php

@@ -34,7 +34,7 @@
 
 function makePathfield($path, $uid, $gid, $fieldType, $value = '', $dom = false)
 {
-	global $lng, $theme;
+	global $lng;
 
 	$value = str_replace($path, '', $value);
 	$field = array();

lib/functions/filedir/function.safe_exec.php

@@ -20,101 +20,33 @@
 /**
  * Wrapper around the exec command.
  *
- * @author Martin Burchert <eremit@adm1n.de>
- * @version 1.2
  * @param string exec_string String to be executed
+ * 
  * @return string The result of the exec()
- *
- * History:
- * 1.0 : Initial Version
- * 1.1 : Added |,&,>,<,`,*,$,~,? as security breaks.
- * 1.2 : Removed * as security break
  */
+function safe_exec($exec_string, &$return_value = false) {
 
-function safe_exec($exec_string, &$return_value = false)
-{
-	global $settings, $theme;
-
-	//
-	// define allowed system commands
-	//
-
-	$allowed_commands = array(
-		'touch',
-		'chown',
-		'mkdir',
-		'webalizer',
-		'cp',
-		'du',
-		'chmod',
-		'chattr',
-		'chflags', /* freebsd equivalent to linux' chattr */
-		$settings['system']['apachereload_command'],
-		$settings['system']['bindreload_command'],
-		$settings['dkim']['dkimrestart_command'],
-		'openssl',
-		'unzip',
-		'php',
-		'rm',
-		'awstats_buildstaticpages.pl',
-		'ln'
-	);
-
-	//
-	// check for ; in execute command
-	//
-
-	if((stristr($exec_string, ';'))
-	   or (stristr($exec_string, '|'))
-	   or (stristr($exec_string, '&'))
-	   or (stristr($exec_string, '>'))
-	   or (stristr($exec_string, '<'))
-	   or (stristr($exec_string, '`'))
-	   or (stristr($exec_string, '$'))
-	   or (stristr($exec_string, '~'))
-	   or (stristr($exec_string, '?')))
-	{
+	// check for bad signs in execute command
+	if ((stristr($exec_string, ';'))
+	   || (stristr($exec_string, '|'))
+	   || (stristr($exec_string, '&'))
+	   || (stristr($exec_string, '>'))
+	   || (stristr($exec_string, '<'))
+	   || (stristr($exec_string, '`'))
+	   || (stristr($exec_string, '$'))
+	   || (stristr($exec_string, '~'))
+	   || (stristr($exec_string, '?'))
+	) {
 		die('SECURITY CHECK FAILED!' . "\n" . 'The execute string "' . htmlspecialchars($exec_string) . '" is a possible security risk!' . "\n" . 'Please check your whole server for security problems by hand!' . "\n");
 	}
 
-	/*
-	 * This is not needed anymore, we allow all commands and just check for pipes and stuff
-	//
-	// check if command is allowed here
-	//
-
-	$ok = false;
-	foreach($allowed_commands as $allowed_command)
-	{
-		if(strpos($exec_string, $allowed_command) === 0
-		   && (strlen($exec_string) === ($allowed_command_pos = strlen($allowed_command)) || substr($exec_string, $allowed_command_pos, 1) === ' '))
-		{
-			$ok = true;
-		}
-	}
-
-	if(!$ok)
-	{
-		die('SECURITY CHECK FAILED!' . "\n" . 'Your command "' . htmlspecialchars($exec_string) . '" is not allowed!' . "\n" . 'Please check your whole server for security problems by hand!' . "\n");
-	}
-	*/
-
-	//
 	// execute the command and return output
-	//
-	// --- martin @ 08.08.2005 -------------------------------------------------------
-	// fixing usage of uninitialised variable
-
 	$return = '';
 
 	// -------------------------------------------------------------------------------
-
-	if($return_value == false)
-	{
+	if ($return_value == false) {
 		exec($exec_string, $return);
-	}
-	else
-	{
+	} else {
 		exec($exec_string, $return, $return_value);
 	}
 

lib/functions/filedir/function.storeDefaultIndex.php

@@ -25,18 +25,26 @@
  * 
  * @return null
  */
-function storeDefaultIndex($loginname = null, $destination = null, $logger = null, $force = false)
-{
-	global $db, $settings, $pathtophpfiles, $theme;
+function storeDefaultIndex($loginname = null, $destination = null, $logger = null, $force = false) {
+
+	global $settings;
 
 	if ($force
 		|| (int)$settings['system']['store_index_file_subs'] == 1
 	) {
-		$result = $db->query("SELECT `t`.`value`, `c`.`email` AS `customer_email`, `a`.`email` AS `admin_email`, `c`.`loginname` AS `customer_login`, `a`.`loginname` AS `admin_login` FROM `" . TABLE_PANEL_CUSTOMERS . "` AS `c` INNER JOIN `" . TABLE_PANEL_ADMINS . "` AS `a` ON `c`.`adminid` = `a`.`adminid` INNER JOIN `" . TABLE_PANEL_TEMPLATES . "` AS `t` ON `a`.`adminid` = `t`.`adminid` WHERE `varname` = 'index_html' AND `c`.`loginname` = '" . $db->escape($loginname) . "'");
-	
-		if($db->num_rows($result) > 0)
-		{
-			$template = $db->fetch_array($result);
+		$result_stmt = Database::prepare("
+			SELECT `t`.`value`, `c`.`email` AS `customer_email`, `a`.`email` AS `admin_email`, `c`.`loginname` AS `customer_login`, `a`.`loginname` AS `admin_login`
+			FROM `" . TABLE_PANEL_CUSTOMERS . "` AS `c` INNER JOIN `" . TABLE_PANEL_ADMINS . "` AS `a`
+			ON `c`.`adminid` = `a`.`adminid`
+			INNER JOIN `" . TABLE_PANEL_TEMPLATES . "` AS `t`
+			ON `a`.`adminid` = `t`.`adminid`
+			WHERE `varname` = 'index_html' AND `c`.`loginname` = :loginname");
+		Database::pexecute($result_stmt, array('loginname' => $loginname));
+
+		if (Database::num_rows() > 0) {
+
+			$template = $result_stmt->fetch(PDO::FETCH_ASSOC);
+
 			$replace_arr = array(
 				'SERVERNAME' => $settings['system']['hostname'],
 				'CUSTOMER' => $template['customer_login'],
@@ -44,6 +52,7 @@ function storeDefaultIndex($loginname = null, $destination = null, $logger = nul
 				'CUSTOMER_EMAIL' => $template['customer_email'],
 				'ADMIN_EMAIL' => $template['admin_email']
 			);
+
 			$htmlcontent = replace_variables($template['value'], $replace_arr);
 			$indexhtmlpath = makeCorrectFile($destination . '/index.' . $settings['system']['index_file_extension']);
 			$index_html_handler = fopen($indexhtmlpath, 'w');
@@ -52,14 +61,13 @@ function storeDefaultIndex($loginname = null, $destination = null, $logger = nul
 			if ($logger !== null) {
 				$logger->logAction(CRON_ACTION, LOG_NOTICE, 'Creating \'index.' . $settings['system']['index_file_extension'] . '\' for Customer \'' . $template['customer_login'] . '\' based on template in directory ' . escapeshellarg($indexhtmlpath));
 			}
-		}
-		else
-		{
+
+		} else {
 			$destination = makeCorrectDir($destination);
 			if ($logger !== null) {
-				$logger->logAction(CRON_ACTION, LOG_NOTICE, 'Running: cp -a ' . $pathtophpfiles . '/templates/misc/standardcustomer/* ' . escapeshellarg($destination));
+				$logger->logAction(CRON_ACTION, LOG_NOTICE, 'Running: cp -a ' . FROXLOR_INSTALL_DIR . '/templates/misc/standardcustomer/* ' . escapeshellarg($destination));
 			}
-			safe_exec('cp -a ' . $pathtophpfiles . '/templates/misc/standardcustomer/* ' . escapeshellarg($destination));
+			safe_exec('cp -a ' . FROXLOR_INSTALL_DIR . '/templates/misc/standardcustomer/* ' . escapeshellarg($destination));
 		}
 	}
 	return;