PHP scripts
Although the implemented direction protection posed a prompt when
accessing the http://...com/protectedir/
it was still possible to call http://...com/protectedir/script.php
This vulnerability emerges from the precedence order of "location"
statements. The RegEx matching the PHP script is triggered before the
directory protection is evaluated. As a result, the PHP script is
interpreted and path parsing stops due to the circumflex (see
http://nginx.org/en/docs/http/ngx_http_core_module.html#location).
The fix involves adding a PHP parsing snippet to every protected
block. In order to prevent PHP-related config params repeatedly, the
required section is referenced using a prefix.
cron_tasks/bind: refactor zone creation
DNS records for subdomains managed as main domains (i.e. have
ismainbutsubto>1) get written to separate zone files for each subdomain.
This does not play well with hidden-master setups, where a quering DNS
server would only request a transfer of the topmost parent zone and ignore
SOA records therein to initiate the potentially required transfers of
subzones.
This patch changes how zonefiles are created, so that DNS records of
"ismainbutsubto>1"-domains end up within the zone of the topmost parent
domain. Obviously this relies on correctly set ismainbutsubto-fields of
all subdomains managed as main domain in Froxlor.
Refactoring summary:
- Previously _generateDomainConfig() would be called for each customer
domain, handle writing the zone file and accumulate the bind config
data.
Now writing the zone files is decoupled and both _generateDomainConfig()
and generateZone() get called from the main loop over the customer
domains.
- The main loop over customer domains only considers
"ismainbutsubto==0"-domains, children are handled via recursion within
walkDomainList() according to the previously collected relations of
direct children.
- The recursion accumulates the zone data, storing it in $_bind_conf_file
(which is now a private member) until it gets written to a zone file.
The resulting structure is written to the debugHandler.
-- For "ismainbutsubto==0"-domains, generateZone() returns a SOA record
and further applicable records as usual.
-- For "ismainbutsubto>0"-domains, generateZone() returns a "$ORIGIN
$domain"-line and further applicable records as usual. This now excludes
NS records, since they're no longer required.
- The boolean parameter $froxlorhost=true to _generateDomainConfig() and
generateZone() was replaced by the additional field
$hostname_arr['froxlorhost']
This patch adds isemaildomain==1 as an additional condition for the
creation of mx/imap/smtp/pop3/spf-txt records for a domain.
For the hostname entry, this depends on the system setting
dns_createmailentry.
The bind cronjob awlays creates www A/AAAA records, regardless of a
domain's iswildcarddomain or wwwserveralias settings.
With this patch www records only get created if "www alias" is selected
for a domain, i.e. iswildcarddomain is disabled and wwwserveralias is
enabled.
- previously the ssl settings were missing in rewrite vhosts
- this caused ssl errors for these hosts as the default certificate has been used instead of the vhost specific cert.
- this seem to only apply for nginx, not apache
