set version to 0.10.31 for upcoming release

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

admin_admins.php

@@ -129,7 +129,7 @@ if ($page == 'admins' && $userinfo['change_serversettings'] == '1') {
 				'userid' => $userinfo['userid']
 			));
 
-			$s = md5(uniqid(microtime(), 1));
+			$s = \Froxlor\Froxlor::genSessionId();
 			$ins_stmt = Database::prepare("
 				INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
 				`hash` = :hash, `userid` = :userid, `ipaddress` = :ip,

admin_apcuinfo.php

@@ -67,6 +67,9 @@ if ($page == 'showinfo') {
 	$uptime_duration = duration($cache['start_time']);
 	$size_vars = bsize($cache['mem_size']);
 
+	$num_hits_and_misses = $cache['num_hits'] + $cache['num_misses'];
+	$num_hits_and_misses = 0 >= $num_hits_and_misses ? 1 : $num_hits_and_misses;
+
 	// check for possible empty values that are used in the templates
 	if (! isset($cache['file_upload_progress'])) {
 		$cache['file_upload_progress'] = $lng['logger']['unknown'];
@@ -84,8 +87,8 @@ if ($page == 'showinfo') {
 
 	$freemem = bsize($mem_avail) . sprintf(" (%.1f%%)", $mem_avail * 100 / $mem_size);
 	$usedmem = bsize($mem_used) . sprintf(" (%.1f%%)", $mem_used * 100 / $mem_size);
-	$hits = $cache['num_hits'] . @sprintf(" (%.1f%%)", $cache['num_hits'] * 100 / ($cache['num_hits'] + $cache['num_misses']));
-	$misses = $cache['num_misses'] . @sprintf(" (%.1f%%)", $cache['num_misses'] * 100 / ($cache['num_hits'] + $cache['num_misses']));
+	$hits = $cache['num_hits'] . @sprintf(" (%.1f%%)", $cache['num_hits'] * 100 / $num_hits_and_misses);
+	$misses = $cache['num_misses'] . @sprintf(" (%.1f%%)", $cache['num_misses'] * 100 / $num_hits_and_misses);
 
 	// Fragmentation: (freeseg - 1) / total_seg
 	$nseg = $freeseg = $fragsize = $freetotal = 0;

admin_configfiles.php

@@ -38,13 +38,43 @@ if ($userinfo['change_serversettings'] == '1') {
 
 	// try to convert namserver hosts to ip's
 	$ns_ips = "";
+	$known_ns_ips = [];
 	if (Settings::Get('system.nameservers') != '') {
 		$nameservers = explode(',', Settings::Get('system.nameservers'));
 		foreach ($nameservers as $nameserver) {
 			$nameserver = trim($nameserver);
+			// DNS servers might be multi homed; allow transfer from all ip
+			// addresses of the DNS server
 			$nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver);
-			if (is_array($nameserver_ips) && count($nameserver_ips) > 0) {
-				$ns_ips .= implode(",", $nameserver_ips);
+			// append dot to hostname
+			if (substr($nameserver, - 1, 1) != '.') {
+				$nameserver .= '.';
+			}
+			// ignore invalid responses
+			if (! is_array($nameserver_ips)) {
+				// act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error
+				$nameserver_ips = array(
+					$nameserver
+				);
+			} else {
+				$known_ns_ips = array_merge($known_ns_ips, $nameserver_ips);
+			}
+			if (!empty($ns_ips)) {
+				$ns_ips .= ',';
+			}
+			$ns_ips .= implode(",", $nameserver_ips);
+		}
+	}
+
+	// AXFR server
+	if (Settings::Get('system.axfrservers') != '') {
+		$axfrservers = explode(',', Settings::Get('system.axfrservers'));
+		foreach ($axfrservers as $axfrserver) {
+			if (!in_array(trim($axfrserver), $known_ns_ips)) {
+				if (!empty($ns_ips)) {
+					$ns_ips .= ',';
+				}
+				$ns_ips .= trim($axfrserver);
 			}
 		}
 	}
@@ -59,7 +89,6 @@ if ($userinfo['change_serversettings'] == '1') {
 		'<SERVERIP>' => Settings::Get('system.ipaddress'),
 		'<NAMESERVERS>' => Settings::Get('system.nameservers'),
 		'<NAMESERVERS_IP>' => $ns_ips,
-		'<AXFRSERVERS>' => Settings::Get('system.axfrservers'),
 		'<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'),
 		'<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'),
 		'<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'),

admin_customers.php

@@ -178,7 +178,7 @@ if ($page == 'customers' && $userinfo['customers'] != '0') {
 				'hash' => $s
 			));
 
-			$s = md5(uniqid(microtime(), 1));
+			$s = \Froxlor\Froxlor::genSessionId();
 			$insert = Database::prepare("
 				INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
 					`hash` = :hash,

index.php

@@ -28,6 +28,12 @@ if ($action == '') {
 }
 
 if (session_status() == PHP_SESSION_NONE) {
+	ini_set("session.name", "s");
+	ini_set("url_rewriter.tags", "");
+	ini_set("session.use_cookies", false);
+	ini_set("session.cookie_httponly", true);
+	ini_set("session.cookie_secure", $is_ssl);
+	session_id('login');
 	session_start();
 }
 
@@ -669,7 +675,7 @@ function finishLogin($userinfo)
 	global $version, $dbversion, $remote_addr, $http_user_agent, $languages;
 
 	if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
-		$s = md5(uniqid(microtime(), 1));
+		$s = \Froxlor\Froxlor::genSessionId();
 
 		if (isset($_POST['language'])) {
 			$language = \Froxlor\Validate\Validate::validate($_POST['language'], 'language');

install/froxlor.sql

@@ -532,7 +532,7 @@ opcache.interned_strings_buffer'),
 	('system', 'vmail_gid', '2000'),
 	('system', 'vmail_homedir', '/var/customers/mail/'),
 	('system', 'vmail_maildirname', 'Maildir'),
-	('system', 'bind_enable', '1'),
+	('system', 'bind_enable', '0'),
 	('system', 'bindconf_directory', '/etc/bind/'),
 	('system', 'bindreload_command', '/etc/init.d/bind9 reload'),
 	('system', 'hostname', 'SERVERNAME'),
@@ -722,8 +722,8 @@ opcache.interned_strings_buffer'),
 	('panel', 'logo_image_login', ''),
 	('panel', 'logo_overridetheme', '0'),
 	('panel', 'logo_overridecustom', '0'),
-	('panel', 'version', '0.10.28'),
-	('panel', 'db_version', '202108180');
+	('panel', 'version', '0.10.31'),
+	('panel', 'db_version', '202109040');
 
 
 DROP TABLE IF EXISTS `panel_tasks`;
@@ -822,7 +822,8 @@ INSERT INTO `panel_languages` (`id`, `language`, `iso`, `file`) VALUES
     (4, 'Português', 'pt', 'lng/portugues.lng.php'),
     (5, 'Italiano', 'it', 'lng/italian.lng.php'),
     (6, 'Nederlands', 'nl', 'lng/dutch.lng.php'),
-    (7, 'Svenska', 'sv', 'lng/swedish.lng.php');
+    (7, 'Svenska', 'sv', 'lng/swedish.lng.php'),
+    (8, 'Česká republika', 'cs', 'lng/czech.lng.php');
 
 
 DROP TABLE IF EXISTS `panel_syslog`;

install/lib/class.FroxlorInstall.php

@@ -163,10 +163,13 @@ class FroxlorInstall
 
 		$this->_getPostField('mysql_host', '127.0.0.1');
 		$this->_getPostField('mysql_database', 'froxlor');
+		$this->_getPostField('mysql_forcecreate', '0');
 		$this->_getPostField('mysql_unpriv_user', 'froxlor');
 		$this->_getPostField('mysql_unpriv_pass');
 		$this->_getPostField('mysql_root_user', 'root');
 		$this->_getPostField('mysql_root_pass');
+		$this->_getPostField('mysql_ssl_ca_file');
+		$this->_getPostField('mysql_ssl_verify_server_certificate', 0);
 		$this->_getPostField('admin_user', 'admin');
 		$this->_getPostField('admin_pass1');
 		$this->_getPostField('admin_pass2');
@@ -212,6 +215,12 @@ class FroxlorInstall
 		$options = array(
 			'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 		);
+
+		if (!empty($this->_data['mysql_ssl_ca_file'])) {
+			$options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+			$options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+		}
+
 		$dsn = "mysql:host=" . $this->_data['mysql_host'] . ";";
 		$fatal_fail = false;
 		try {
@@ -246,15 +255,23 @@ class FroxlorInstall
 			$content .= $this->_status_message('green', "OK");
 			// check for existing db and create backup if so
 			$content .= $this->_backupExistingDatabase($db_root);
-			// create unprivileged user and the database itself
-			$content .= $this->_createDatabaseAndUser($db_root);
-			// importing data to new database
-			$content .= $this->_importDatabaseData();
+			if (!$this->_abort) {
+				// create unprivileged user and the database itself
+				$content .= $this->_createDatabaseAndUser($db_root);
+				// importing data to new database
+				$content .= $this->_importDatabaseData();
+			}
 			if (! $this->_abort) {
 				// create DB object for new database
 				$options = array(
 					'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 				);
+
+				if (!empty($this->_data['mysql_ssl_ca_file'])) {
+					$options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+					$options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+				}
+
 				$dsn = "mysql:host=" . $this->_data['mysql_host'] . ";dbname=" . $this->_data['mysql_database'] . ";";
 				$another_fail = false;
 				try {
@@ -324,10 +341,14 @@ class FroxlorInstall
 		$userdata .= "\$sql['user']='" . addcslashes($this->_data['mysql_unpriv_user'], "'\\") . "';\n";
 		$userdata .= "\$sql['password']='" . addcslashes($this->_data['mysql_unpriv_pass'], "'\\") . "';\n";
 		$userdata .= "\$sql['db']='" . addcslashes($this->_data['mysql_database'], "'\\") . "';\n";
+		$userdata .= "\$sql['ssl']['caFile']='" . addcslashes($this->_data['mysql_ssl_ca_file'], "'\\") . "';\n";
+		$userdata .= "\$sql['ssl']['verifyServerCertificate']='" . addcslashes($this->_data['mysql_ssl_verify_server_certificate'], "'\\") . "';\n";
 		$userdata .= "\$sql_root[0]['caption']='Default';\n";
 		$userdata .= "\$sql_root[0]['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
 		$userdata .= "\$sql_root[0]['user']='" . addcslashes($this->_data['mysql_root_user'], "'\\") . "';\n";
 		$userdata .= "\$sql_root[0]['password']='" . addcslashes($this->_data['mysql_root_pass'], "'\\") . "';\n";
+		$userdata .= "\$sql_root[0]['ssl']['caFile']='" . addcslashes($this->_data['mysql_ssl_ca_file'], "'\\") . "';\n";
+		$userdata .= "\$sql_root[0]['ssl']['verifyServerCertificate']='" . addcslashes($this->_data['mysql_ssl_verify_server_certificate'], "'\\") . "';\n";
 		$userdata .= "// enable debugging to browser in case of SQL errors\n";
 		$userdata .= "\$sql['debug'] = false;\n";
 		$userdata .= "?>";
@@ -360,6 +381,30 @@ class FroxlorInstall
 		return $content;
 	}
 
+	/**
+	 * generate safe unique token
+	 *
+	 * @param int $length
+	 * @return string
+	 */
+	private function genUniqueToken(int $length = 16)
+	{
+		if(!isset($length) || intval($length) <= 8 ){
+			$length = 16;
+		}
+		if (function_exists('random_bytes')) {
+			return bin2hex(random_bytes($length));
+		}
+		if (function_exists('mcrypt_create_iv')) {
+			return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
+		}
+		if (function_exists('openssl_random_pseudo_bytes')) {
+			return bin2hex(openssl_random_pseudo_bytes($length));
+		}
+		// if everything else fails, use unsafe fallback
+		return md5(uniqid(microtime(), 1));
+	}
+
 	/**
 	 * create corresponding entries in froxlor database
 	 *
@@ -403,8 +448,8 @@ class FroxlorInstall
 		$content .= $this->_status_message('begin', $this->_lng['install']['adding_admin_user']);
 		$ins_data = array(
 			'loginname' => $this->_data['admin_user'],
-				/* use SHA256 default crypt */
-				'password' => crypt($this->_data['admin_pass1'], '$5$' . md5(uniqid(microtime(), 1)) . md5(uniqid(microtime(), 1))),
+			/* use SHA256 default crypt */
+			'password' => crypt($this->_data['admin_pass1'], '$5$' . $this->genUniqueToken() . $this->genUniqueToken()),
 			'email' => 'admin@' . $this->_data['servername'],
 			'deflang' => $this->_languages[$this->_activelng]
 		);
@@ -555,6 +600,12 @@ class FroxlorInstall
 		$options = array(
 			'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 		);
+
+		if (!empty($this->_data['mysql_ssl_ca_file'])) {
+			$options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+			$options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+		}
+
 		$dsn = "mysql:host=" . $this->_data['mysql_host'] . ";dbname=" . $this->_data['mysql_database'] . ";";
 		$fatal_fail = false;
 		try {
@@ -733,39 +784,59 @@ class FroxlorInstall
 		));
 		$rows = $db_root->query("SELECT FOUND_ROWS()")->fetchColumn();
 
+		$content .= $this->_status_message('begin', $this->_lng['install']['check_db_exists']);
+
 		// check result
 		if ($result_stmt !== false && $rows > 0) {
 			$tables_exist = true;
 		}
 
 		if ($tables_exist) {
-			// tell what's going on
-			$content .= $this->_status_message('begin', $this->_lng['install']['backup_old_db']);
+			if ((int)$this->_data['mysql_forcecreate'] > 0) {
+				// set status
+				$content .= $this->_status_message('orange', 'exists (' . $this->_data['mysql_database'] . ')');
+				// tell what's going on
+				$content .= $this->_status_message('begin', $this->_lng['install']['backup_old_db']);
 
-			// create temporary backup-filename
-			$filename = "/tmp/froxlor_backup_" . date('YmdHi') . ".sql";
+				// create temporary backup-filename
+				$filename = "/tmp/froxlor_backup_" . date('YmdHi') . ".sql";
 
-			// look for mysqldump
-			$do_backup = false;
-			if (file_exists("/usr/bin/mysqldump")) {
-				$do_backup = true;
-				$mysql_dump = '/usr/bin/mysqldump';
-			} elseif (file_exists("/usr/local/bin/mysqldump")) {
-				$do_backup = true;
-				$mysql_dump = '/usr/local/bin/mysqldump';
-			}
+				// look for mysqldump
+				$do_backup = false;
+				if (file_exists("/usr/bin/mysqldump")) {
+					$do_backup = true;
+					$mysql_dump = '/usr/bin/mysqldump';
+				} elseif (file_exists("/usr/local/bin/mysqldump")) {
+					$do_backup = true;
+					$mysql_dump = '/usr/local/bin/mysqldump';
+				}
 
-			if ($do_backup) {
-				$command = $mysql_dump . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --password='" . escapeshellarg($this->_data['mysql_root_pass']) . "' --result-file=" . $filename;
-				$output = exec($command);
-				if (stristr($output, "error")) {
-					$content .= $this->_status_message('red', $this->_lng['install']['backup_failed']);
+				// create temporary .cnf file
+				$cnffilename = "/tmp/froxlor_dump.cnf";
+				$dumpcnf = "[mysqldump]" . PHP_EOL . "password=\"" . $this->_data['mysql_root_pass'] . "\"" . PHP_EOL;
+				file_put_contents($cnffilename, $dumpcnf);
+
+				if ($do_backup) {
+					$command = $mysql_dump . " --defaults-extra-file=" . $cnffilename . " " . escapeshellarg($this->_data['mysql_database']) . " -u " . escapeshellarg($this->_data['mysql_root_user']) . " --result-file=" . $filename;
+					$output = [];
+					exec($command, $output);
+					@unlink($cnffilename);
+					if (stristr(implode(" ", $output), "error") || ! file_exists($filename)) {
+						$content .= $this->_status_message('red', $this->_lng['install']['backup_failed']);
+						$this->_abort = true;
+					} else {
+						$content .= $this->_status_message('green', 'OK (' . $filename . ')');
+					}
 				} else {
-					$content .= $this->_status_message('green', 'OK (' . $filename . ')');
+					$content .= $this->_status_message('red', $this->_lng['install']['backup_binary_missing']);
+					$this->_abort = true;
 				}
 			} else {
-				$content .= $this->_status_message('red', $this->_lng['install']['backup_binary_missing']);
+				$content .= $this->_status_message('red', $this->_lng['install']['db_exists']);
+				$this->_abort = true;
 			}
+		} else {
+			$content .= $content .= $this->_status_message('green', 'OK');
 		}
 
 		return $content;
@@ -801,6 +872,8 @@ class FroxlorInstall
 		$formdata .= $this->_getSectionItemString('mysql_host', true);
 		// database
 		$formdata .= $this->_getSectionItemString('mysql_database', true);
+		// database overwrite if exists?
+		$formdata .= $this->_getSectionItemYesNo('mysql_forcecreate', false);
 		// unpriv-user has to be different from root
 		if ($this->_data['mysql_unpriv_user'] == $this->_data['mysql_root_user']) {
 			$style = 'blue';
@@ -830,6 +903,9 @@ class FroxlorInstall
 		}
 		$formdata .= $this->_getSectionItemString('mysql_root_pass', true, $style, 'password');
 
+		$formdata .= $this->_getSectionItemString('mysql_ssl_ca_file', false, $style);
+		$formdata .= $this->_getSectionItemYesNo('mysql_ssl_verify_server_certificate', false, $style);
+
 		/**
 		 * admin data
 		 */
@@ -1363,7 +1439,14 @@ class FroxlorInstall
 
 			// read os-release
 			if (file_exists('/etc/os-release')) {
-				$os_dist = parse_ini_file('/etc/os-release', false);
+				$os_dist_content = file_get_contents('/etc/os-release');
+				$os_dist_arr = explode("\n", $os_dist_content);
+				$os_dist = [];
+				foreach ($os_dist_arr as $os_dist_line) {
+					if (empty(trim($os_dist_line))) continue;
+					$tmp = explode("=", $os_dist_line);
+					$os_dist[$tmp[0]] = str_replace('"', "", trim($tmp[1]));
+				}
 				if (is_array($os_dist) && array_key_exists('ID', $os_dist) && array_key_exists('VERSION_ID', $os_dist)) {
 					$os_version = explode('.', $os_dist['VERSION_ID'])[0];
 				}

install/lng/english.lng.php

@@ -22,8 +22,8 @@ $lng['requirements']['not_true'] = 'no';
 $lng['requirements']['notfound'] = 'not found';
 $lng['requirements']['notinstalled'] = 'not installed';
 $lng['requirements']['activated'] = 'enabled';
-$lng['requirements']['phpversion'] = 'PHP version >= 7.0';
-$lng['requirements']['newerphpprefered'] = 'Good, but php-7.1 is preferred.';
+$lng['requirements']['phpversion'] = 'PHP version >= 7.1';
+$lng['requirements']['newerphpprefered'] = 'Good, but php-7.4 is preferred.';
 $lng['requirements']['phppdo'] = 'PHP PDO extension and PDO-MySQL driver...';
 $lng['requirements']['phpsession'] = 'PHP session-extension...';
 $lng['requirements']['phpctype'] = 'PHP ctype-extension...';
@@ -53,10 +53,13 @@ $lng['install']['welcometext'] = 'Thank you for choosing Froxlor. Please fill ou
 $lng['install']['database'] = 'Database connection';
 $lng['install']['mysql_host'] = 'MySQL-Hostname';
 $lng['install']['mysql_database'] = 'Database name';
+$lng['install']['mysql_forcecreate'] = 'Backup and overwrite database if exists?';
 $lng['install']['mysql_unpriv_user'] = 'Username for the unprivileged MySQL-account';
 $lng['install']['mysql_unpriv_pass'] = 'Password for the unprivileged MySQL-account';
 $lng['install']['mysql_root_user'] = 'Username for the MySQL-root-account';
 $lng['install']['mysql_root_pass'] = 'Password for the MySQL-root-account';
+$lng['install']['mysql_ssl_ca_file'] = 'MySQL server certificate file path';
+$lng['install']['mysql_ssl_verify_server_certificate'] = 'Verify MySQL TLS certificate';
 $lng['install']['admin_account'] = 'Administrator Account';
 $lng['install']['admin_user'] = 'Administrator Username';
 $lng['install']['admin_pass1'] = 'Administrator Password';
@@ -79,6 +82,8 @@ $lng['install']['testing_mysql_fail'] = 'There seems to be a problem with the da
 $lng['install']['backup_old_db'] = 'Creating backup of old database...';
 $lng['install']['backup_binary_missing'] = 'Could not find mysqldump';
 $lng['install']['backup_failed'] = 'Could not backup database';
+$lng['install']['check_db_exists'] = 'Checking database...';
+$lng['install']['db_exists'] = 'Unable to create database. A database with the same name exists and should not be overwritten';
 $lng['install']['prepare_db'] = 'Preparing database...';
 $lng['install']['create_mysqluser_and_db'] = 'Creating database and username...';
 $lng['install']['testing_new_db'] = 'Testing if database and user have been created correctly...';

install/lng/french.lng.php

@@ -22,7 +22,7 @@ $lng['requirements']['not_true'] = 'non';
 $lng['requirements']['notfound'] = 'introuvable';
 $lng['requirements']['notinstalled'] = 'non installé';
 $lng['requirements']['activated'] = 'activé';
-$lng['requirements']['phpversion'] = 'PHP version >= 7.0';
+$lng['requirements']['phpversion'] = 'PHP version >= 7.1';
 $lng['requirements']['phppdo'] = 'extension PHP PDO et pilote PDO-MySQL ...';
 $lng['requirements']['phpxml'] = 'extension PHP XML...';
 $lng['requirements']['phpfilter'] = 'extension PHP filter ...';

install/lng/german.lng.php

@@ -22,8 +22,8 @@ $lng['requirements']['not_true'] = 'nein';
 $lng['requirements']['notfound'] = 'nicht gefunden';
 $lng['requirements']['notinstalled'] = 'nicht installiert';
 $lng['requirements']['activated'] = 'ist aktiviert.';
-$lng['requirements']['phpversion'] = 'PHP Version >= 7.0';
-$lng['requirements']['newerphpprefered'] = 'Passt, aber php-7.1 wird bevorzugt.';
+$lng['requirements']['phpversion'] = 'PHP Version >= 7.1';
+$lng['requirements']['newerphpprefered'] = 'Passt, aber php-7.4 wird bevorzugt.';
 $lng['requirements']['phppdo'] = 'PHP PDO Erweiterung und PDO-MySQL Treiber...';
 $lng['requirements']['phpsession'] = 'PHP session-Erweiterung...';
 $lng['requirements']['phpctype'] = 'PHP ctype-Erweiterung...';
@@ -53,10 +53,13 @@ $lng['install']['welcometext'] = 'Vielen Dank dass Sie sich für Froxlor entschi
 $lng['install']['database'] = 'Datenbankverbindung';
 $lng['install']['mysql_host'] = 'MySQL-Hostname';
 $lng['install']['mysql_database'] = 'Datenbank Name';
+$lng['install']['mysql_forcecreate'] = 'Datenbank sichern und überschreiben wenn vorhanden?';
 $lng['install']['mysql_unpriv_user'] = 'Benutzername für den unprivilegierten MySQL-Account';
 $lng['install']['mysql_unpriv_pass'] = 'Passwort für den unprivilegierten MySQL-Account';
 $lng['install']['mysql_root_user'] = 'Benutzername für den MySQL-Root-Account';
 $lng['install']['mysql_root_pass'] = 'Passwort für den MySQL-Root-Account';
+$lng['install']['mysql_ssl_ca_file'] = 'MySQL-Server Zertifikatspfad';
+$lng['install']['mysql_ssl_verify_server_certificate'] = 'Validieren des MySQL-Server Zertifikats';
 $lng['install']['admin_account'] = 'Admin-Zugang';
 $lng['install']['admin_user'] = 'Administrator-Benutzername';
 $lng['install']['admin_pass1'] = 'Administrator-Passwort';
@@ -79,6 +82,8 @@ $lng['install']['testing_mysql_fail'] = 'Bei der Verwendung der Datenbank gibt e
 $lng['install']['backup_old_db'] = 'Sicherung vorheriger Datenbank...';
 $lng['install']['backup_binary_missing'] = 'Konnte mysqldump nicht finden';
 $lng['install']['backup_failed'] = 'Sicherung fehlgeschlagen';
+$lng['install']['check_db_exists'] = 'Databenbank wird geprüft...';
+$lng['install']['db_exists'] = 'Datenbank kann nicht erstellt werden. Eine Datenbank mit dem selben Namen existiert bereits und soll nicht überschrieben werden.';
 $lng['install']['prepare_db'] = 'Datenbank wird vorbereitet...';
 $lng['install']['create_mysqluser_and_db'] = 'Erstelle Datenbank und Benutzer...';
 $lng['install']['testing_new_db'] = 'Teste, ob Datenbank und Benutzer korrekt angelegt wurden...';

install/updates/froxlor/0.10/update_0.10.inc.php

@@ -926,3 +926,30 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.27')) {
 	showUpdateStep("Updating from 0.10.27 to 0.10.28", false);
 	\Froxlor\Froxlor::updateToVersion('0.10.28');
 }
+
+if (\Froxlor\Froxlor::isDatabaseVersion('202108180')) {
+	showUpdateStep("Adding czech language file", true);
+	Database::query("INSERT INTO `" . TABLE_PANEL_LANGUAGE . "` SET `language` = 'Česká republika', `iso` = 'cs', `file` = 'lng/czech.lng.php'");
+	lastStepStatus(0);
+	\Froxlor\Froxlor::updateToDbVersion('202109040');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.28')) {
+	showUpdateStep("Updating from 0.10.28 to 0.10.29", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.29');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.29')) {
+	showUpdateStep("Updating from 0.10.29 to 0.10.29.1", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.29.1');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.29.1')) {
+	showUpdateStep("Updating from 0.10.29.1 to 0.10.30", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.30');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.30')) {
+	showUpdateStep("Updating from 0.10.30 to 0.10.31", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.31');
+}

lib/Froxlor/Api/Commands/Customers.php

@@ -915,7 +915,7 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 	 * @param bool $mysqls_ul
 	 *        	optional, whether customer should have unlimited mysql-databases, default 0 (false)
 	 * @param bool $createstdsubdomain
-	 *        	optional, whether to create a standard-subdomain ([loginname].froxlor-hostname.tld), default 0 (false)
+	 *        	optional, whether to create a standard-subdomain ([loginname].froxlor-hostname.tld), default 1 (if customer has std-subdomain) else 0 (false)
 	 * @param bool $phpenabled
 	 *        	optional, whether to allow usage of PHP, default 0 (false)
 	 * @param array $allowed_phpconfigs
@@ -979,7 +979,7 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 			$email_pop3 = $this->getParam('email_pop3', true, $result['pop3']);
 			$ftps = $this->getUlParam('ftps', 'ftps_ul', true, $result['ftps']);
 			$mysqls = $this->getUlParam('mysqls', 'mysqls_ul', true, $result['mysqls']);
-			$createstdsubdomain = $this->getBoolParam('createstdsubdomain', true, 0);
+			$createstdsubdomain = $this->getBoolParam('createstdsubdomain', true, ($result['standardsubdomain'] != 0 ? 1 : 0));
 			$password = $this->getParam('new_customer_password', true, '');
 			$phpenabled = $this->getBoolParam('phpenabled', true, $result['phpenabled']);
 			$allowed_phpconfigs = $this->getParam('allowed_phpconfigs', true, json_decode($result['allowed_phpconfigs'], true));
@@ -1051,7 +1051,7 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 		}
 
 		if ($this->isAdmin()) {
-			if ($createstdsubdomain != '1') {
+			if ($createstdsubdomain != '1' || $deactivated) {
 				$createstdsubdomain = '0';
 			}
 

lib/Froxlor/Api/Commands/Domains.php

@@ -239,7 +239,7 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 	 *        	optional, whether to create an exclusive web-logfile for this domain, default 0 (false)
 	 * @param int $alias
 	 *        	optional, domain-id of a domain that the new domain should be an alias of, default 0 (none)
-	 * @param bool $issubof
+	 * @param int $issubof
 	 *        	optional, domain-id of a domain this domain is a subdomain of (required for webserver-cronjob to generate the correct order), default 0 (none)
 	 * @param string $registration_date
 	 *        	optional, date of domain registration in form of YYYY-MM-DD, default empty (none)
@@ -427,6 +427,20 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 				}
 				$_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . $path_suffix);
 
+				$documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
+
+				// If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
+				// set default path to subdomain or domain name
+				if (! empty($documentroot)) {
+					if (substr($documentroot, 0, 1) != '/' && ! preg_match('/^https?\:\/\//', $documentroot)) {
+						$documentroot = $_documentroot . '/' . $documentroot;
+					} elseif (substr($documentroot, 0, 1) == '/' && $this->getUserDetail('change_serversettings') != '1') {
+						\Froxlor\UI\Response::standard_error('pathmustberelative', '', true);
+					}
+				} else {
+					$documentroot = $_documentroot;
+				}
+
 				$registration_date = \Froxlor\Validate\Validate::validate($registration_date, 'registration_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array(
 					'0000-00-00',
 					'0',
@@ -454,17 +468,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 					}
 
 					$specialsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $specialsettings), 'specialsettings', \Froxlor\Validate\Validate::REGEX_CONF_TEXT, '', array(), true);
-					\Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
-
-					// If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
-					// set default path to subdomain or domain name
-					if (! empty($documentroot)) {
-						if (substr($documentroot, 0, 1) != '/' && ! preg_match('/^https?\:\/\//', $documentroot)) {
-							$documentroot = $_documentroot . '/' . $documentroot;
-						}
-					} else {
-						$documentroot = $_documentroot;
-					}
 
 					$ssl_protocols = array();
 					if (! empty($p_ssl_protocols) && is_numeric($p_ssl_protocols)) {
@@ -507,7 +510,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 					$notryfiles = '0';
 					$writeaccesslog = '1';
 					$writeerrorlog = '1';
-					$documentroot = $_documentroot;
 					$override_tls = '0';
 					$ssl_protocols = array();
 				}
@@ -901,7 +903,7 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 	 *        	optional, when setting $speciallogfile to false, this needs to be set to true to confirm the action, default 0 (false)
 	 * @param int $alias
 	 *        	optional, domain-id of a domain that the new domain should be an alias of, default 0 (none)
-	 * @param bool $issubof
+	 * @param int $issubof
 	 *        	optional, domain-id of a domain this domain is a subdomain of (required for webserver-cronjob to generate the correct order), default 0 (none)
 	 * @param string $registration_date
 	 *        	optional, date of domain registration in form of YYYY-MM-DD, default empty (none)
@@ -1187,6 +1189,38 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 				$serveraliasoption = $p_serveraliasoption;
 			}
 
+			$documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
+
+			if (! empty($documentroot) && $documentroot != $result['documentroot'] && substr($documentroot, 0, 1) == '/' && substr($documentroot, 0, strlen($customer['documentroot'])) != $customer['documentroot'] && $this->getUserDetail('change_serversettings') != '1') {
+				\Froxlor\UI\Response::standard_error('pathmustberelative', '', true);
+			}
+
+			// when moving customer and no path is specified, update would normally reuse the current document-root
+			// which would point to the wrong customer, therefore we will re-create that directory
+			if (! empty($documentroot) && $customerid > 0 && $customerid != $result['customerid'] && Settings::Get('panel.allow_domain_change_customer') == '1') {
+				if (Settings::Get('system.documentroot_use_default_value') == 1) {
+					$_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
+				} else {
+					$_documentroot = $customer['documentroot'];
+				}
+				// set the customers default docroot
+				$documentroot = $_documentroot;
+			}
+
+			if ($documentroot == '') {
+				// If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
+				// set default path to subdomain or domain name
+				if (Settings::Get('system.documentroot_use_default_value') == 1) {
+					$documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
+				} else {
+					$documentroot = $customer['documentroot'];
+				}
+			}
+
+			if (! preg_match('/^https?\:\/\//', $documentroot) && strstr($documentroot, ":") !== false) {
+				\Froxlor\UI\Response::standard_error('pathmaynotcontaincolon', '', true);
+			}
+
 			if ($this->getUserDetail('change_serversettings') == '1') {
 
 				if (Settings::Get('system.bind_enable') == '1') {
@@ -1201,33 +1235,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 				}
 
 				$specialsettings = \Froxlor\Validate\Validate::validate(str_replace("\r\n", "\n", $specialsettings), 'specialsettings', \Froxlor\Validate\Validate::REGEX_CONF_TEXT, '', array(), true);
-				$documentroot = \Froxlor\Validate\Validate::validate($documentroot, 'documentroot', \Froxlor\Validate\Validate::REGEX_DIR, '', array(), true);
-
-				// when moving customer and no path is specified, update would normally reuse the current document-root
-				// which would point to the wrong customer, therefore we will re-create that directory
-				if (! empty($documentroot) && $customerid > 0 && $customerid != $result['customerid'] && Settings::Get('panel.allow_domain_change_customer') == '1') {
-					if (Settings::Get('system.documentroot_use_default_value') == 1) {
-						$_documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
-					} else {
-						$_documentroot = $customer['documentroot'];
-					}
-					// set the customers default docroot
-					$documentroot = $_documentroot;
-				}
-
-				if ($documentroot == '') {
-					// If path is empty and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
-					// set default path to subdomain or domain name
-					if (Settings::Get('system.documentroot_use_default_value') == 1) {
-						$documentroot = \Froxlor\FileDir::makeCorrectDir($customer['documentroot'] . '/' . $result['domain']);
-					} else {
-						$documentroot = $customer['documentroot'];
-					}
-				}
-
-				if (! preg_match('/^https?\:\/\//', $documentroot) && strstr($documentroot, ":") !== false) {
-					\Froxlor\UI\Response::standard_error('pathmaynotcontaincolon', '', true);
-				}
 
 				$ssl_protocols = array();
 				if (! empty($p_ssl_protocols) && is_numeric($p_ssl_protocols)) {
@@ -1267,7 +1274,6 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
 				$notryfiles = $result['notryfiles'];
 				$writeaccesslog = $result['writeaccesslog'];
 				$writeerrorlog = $result['writeerrorlog'];
-				$documentroot = $result['documentroot'];
 				$ssl_protocols = $p_ssl_protocols;
 				$override_tls = $result['override_tls'];
 			}

lib/Froxlor/Api/Commands/Mysqls.php

@@ -61,7 +61,9 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
 		$password = \Froxlor\System\Crypt::validatePassword($password, true);
 		$databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true);
-		$databasename = \Froxlor\Validate\Validate::validate(trim($databasename), 'database_name', '', '', array(), true);
+		if (!empty($databasename)) {
+			$databasename = \Froxlor\Validate\Validate::validate(trim($databasename), 'database_name', '/^[A-Za-z0-9][A-Za-z0-9\-_]+$/i', '', array(), true);
+		}
 
 		// validate whether the dbserver exists
 		$dbserver = \Froxlor\Validate\Validate::validate($dbserver, html_entity_decode($this->lng['mysql']['mysql_server']), '', '', 0, true);

lib/Froxlor/Api/Commands/PhpSettings.php

@@ -217,7 +217,9 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 	 *        	optional number of seconds for idle-timeout if FPM is used, default is fpm-daemon-value
 	 * @param string $limit_extensions
 	 *        	optional limitation of php-file-extensions if FPM is used, default is fpm-daemon-value
-	 *        	
+	 * @param bool $allow_all_customers
+	 *        	optional add this configuration to the list of every existing customer's allowed-fpm-config list, default is false (no)
+	 *
 	 * @access admin
 	 * @throws \Exception
 	 * @return string json-encoded array
@@ -261,6 +263,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 			$max_requests = $this->getParam('max_requests', true, $def_fpmconfig['max_requests']);
 			$idle_timeout = $this->getParam('idle_timeout', true, $def_fpmconfig['idle_timeout']);
 			$limit_extensions = $this->getParam('limit_extensions', true, $def_fpmconfig['limit_extensions']);
+			$allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
 
 			// validation
 			$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
@@ -367,6 +370,8 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 			$result = $this->apiCall('PhpSettings.get', array(
 				'id' => $ins_data['id']
 			));
+
+			$this->addForAllCustomers($allow_all_customers, $ins_data['id']);
 			return $this->response(200, "successful", $result);
 		}
 		throw new \Exception("Not allowed to execute given command.", 403);
@@ -418,6 +423,8 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 	 *        	optional number of seconds for idle-timeout if FPM is used, default is fpm-daemon-value
 	 * @param string $limit_extensions
 	 *        	optional limitation of php-file-extensions if FPM is used, default is fpm-daemon-value
+	 * @param bool $allow_all_customers
+	 *        	optional add this configuration to the list of every existing customer's allowed-fpm-config list, default is false (no)
 	 *        	
 	 * @access admin
 	 * @throws \Exception
@@ -456,6 +463,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 			$max_requests = $this->getParam('max_requests', true, $result['max_requests']);
 			$idle_timeout = $this->getParam('idle_timeout', true, $result['idle_timeout']);
 			$limit_extensions = $this->getParam('limit_extensions', true, $result['limit_extensions']);
+			$allow_all_customers = $this->getBoolParam('allow_all_customers', true, 0);
 
 			// validation
 			$description = \Froxlor\Validate\Validate::validate($description, 'description', '', '', array(), true);
@@ -563,6 +571,8 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 			$result = $this->apiCall('PhpSettings.get', array(
 				'id' => $id
 			));
+
+			$this->addForAllCustomers($allow_all_customers, $id);
 			return $this->response(200, "successful", $result);
 		}
 		throw new \Exception("Not allowed to execute given command.", 403);
@@ -618,4 +628,38 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 		}
 		throw new \Exception("Not allowed to execute given command.", 403);
 	}
+
+	/**
+	 * add given php-config id to the list of allowed php-config to all currently existing customers
+	 * if allow_all_customers parameter is true in PhpSettings::add() or PhpSettings::update()
+	 *
+	 * @param bool $allow_all_customers
+	 * @param int $config_id
+	 */
+	private function addForAllCustomers(bool $allow_all_customers, int $config_id)
+	{
+		// should this config be added to the allowed list of all existing customers?
+		if ($allow_all_customers) {
+			$sel_stmt = Database::prepare("SELECT customerid, allowed_phpconfigs FROM `" . TABLE_PANEL_CUSTOMERS . "`");
+			$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET allowed_phpconfigs = :ap WHERE customerid = :cid");
+			Database::pexecute($sel_stmt);
+			while ($cust = $sel_stmt->fetch(\PDO::FETCH_ASSOC)) {
+				// get existing entries of customer
+				$ap = json_decode($cust['allowed_phpconfigs'], true);
+				// initialize array if it's empty
+				if (empty($ap)) {
+					$ap = [];
+				}
+				// add this config
+				$ap[] = $config_id;
+				// check for duplicates and force value-type to be int
+				$ap = array_map('intval', array_unique($ap));
+				// update customer-entry
+				Database::pexecute($upd_stmt, [
+					'ap' => json_encode($ap),
+					'cid' => $cust['customerid']
+				]);
+			}
+		}
+	}
 }

lib/Froxlor/Api/Commands/SubDomains.php

@@ -262,6 +262,16 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
 				$phpsid_result['phpsettingid'] = intval($phpsettingid);
 			}
 
+			$allowed_phpconfigs = $customer['allowed_phpconfigs'];
+			if (! empty($allowed_phpconfigs)) {
+				$allowed_phpconfigs = json_decode($allowed_phpconfigs, true);
+			} else {
+				$allowed_phpconfigs = [];
+			}
+			if (! in_array($phpsid_result['phpsettingid'], $allowed_phpconfigs)) {
+				\Froxlor\UI\Response::standard_error('notallowedphpconfigused', '', true);
+			}
+
 			// actually insert domain
 			$stmt = Database::prepare("
 				INSERT INTO `" . TABLE_PANEL_DOMAINS . "` SET
@@ -616,7 +626,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
 
 		// We can't enable let's encrypt for wildcard-domains
 		if ($iswildcarddomain == '1' && $letsencrypt == '1') {
-			\Froxlor\UI\Response::standard_error('nowildcardwithletsencrypt');
+			\Froxlor\UI\Response::standard_error('nowildcardwithletsencrypt', '', true);
 		}
 
 		// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
@@ -638,6 +648,16 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
 			$this->logger()->logAction($this->isAdmin() ? \Froxlor\FroxlorLogger::ADM_ACTION : \Froxlor\FroxlorLogger::USR_ACTION, LOG_NOTICE, "[API] automatically deleted mail-table entries for '" . $idna_convert->decode($result['domain']) . "'");
 		}
 
+		$allowed_phpconfigs = $customer['allowed_phpconfigs'];
+		if (! empty($allowed_phpconfigs)) {
+			$allowed_phpconfigs = json_decode($allowed_phpconfigs, true);
+		} else {
+			$allowed_phpconfigs = [];
+		}
+		if (! in_array($phpsettingid, $allowed_phpconfigs)) {
+			\Froxlor\UI\Response::standard_error('notallowedphpconfigused', '', true);
+		}
+
 		// handle redirect
 		if ($_doredirect) {
 			\Froxlor\Domain\Domain::updateRedirectOfDomain($id, $redirectcode);

lib/Froxlor/Bulk/BulkAction.php

@@ -133,7 +133,7 @@ abstract class BulkAction
 
 		$new_data = array();
 		foreach ($this->api_params as $idx => $param) {
-			if (isset($data_array[$idx]) && ! empty($data_array[$idx])) {
+			if (isset($data_array[$idx])) {
 				$new_data[$param] = $data_array[$idx];
 			}
 		}

lib/Froxlor/Cli/Action/ConfigServicesAction.php

@@ -341,13 +341,43 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
 
 		// try to convert namserver hosts to ip's
 		$ns_ips = "";
+		$known_ns_ips = [];
 		if (Settings::Get('system.nameservers') != '') {
 			$nameservers = explode(',', Settings::Get('system.nameservers'));
 			foreach ($nameservers as $nameserver) {
 				$nameserver = trim($nameserver);
+				// DNS servers might be multi homed; allow transfer from all ip
+				// addresses of the DNS server
 				$nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver);
-				if (is_array($nameserver_ips) && count($nameserver_ips) > 0) {
-					$ns_ips .= implode(",", $nameserver_ips);
+				// append dot to hostname
+				if (substr($nameserver, - 1, 1) != '.') {
+					$nameserver .= '.';
+				}
+				// ignore invalid responses
+				if (! is_array($nameserver_ips)) {
+					// act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error
+					$nameserver_ips = array(
+						$nameserver
+					);
+				} else {
+					$known_ns_ips = array_merge($known_ns_ips, $nameserver_ips);
+				}
+				if (!empty($ns_ips)) {
+					$ns_ips .= ',';
+				}
+				$ns_ips .= implode(",", $nameserver_ips);
+			}
+		}
+
+		// AXFR server
+		if (Settings::Get('system.axfrservers') != '') {
+			$axfrservers = explode(',', Settings::Get('system.axfrservers'));
+			foreach ($axfrservers as $axfrserver) {
+				if (!in_array(trim($axfrserver), $known_ns_ips)) {
+					if (!empty($ns_ips)) {
+						$ns_ips .= ',';
+					}
+					$ns_ips .= trim($axfrserver);
 				}
 			}
 		}
@@ -365,7 +395,6 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
 			'<SERVERIP>' => Settings::Get('system.ipaddress'),
 			'<NAMESERVERS>' => Settings::Get('system.nameservers'),
 			'<NAMESERVERS_IP>' => $ns_ips,
-			'<AXFRSERVERS>' => Settings::Get('system.axfrservers'),
 			'<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'),
 			'<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'),
 			'<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'),

lib/Froxlor/Cron/Dns/PowerDNS.php

@@ -15,7 +15,7 @@ use Froxlor\Settings;
  * @author Froxlor team <team@froxlor.org> (2016-)
  * @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
  * @package Cron
- *
+ *         
  */
 class PowerDNS extends DnsBase
 {
@@ -99,30 +99,32 @@ class PowerDNS extends DnsBase
 			));
 			$pdns_domain = $pdns_domains_stmt->fetch(\PDO::FETCH_ASSOC);
 
-			$del_rec_stmt->execute(array(
-				'did' => $pdns_domain['id']
-			));
-			$del_meta_stmt->execute(array(
-				'did' => $pdns_domain['id']
-			));
-			$del_dom_stmt->execute(array(
-				'did' => $pdns_domain['id']
-			));
+			if ($pdns_domain && ! empty($pdns_domain['id'])) {
+				$del_rec_stmt->execute(array(
+					'did' => $pdns_domain['id']
+				));
+				$del_meta_stmt->execute(array(
+					'did' => $pdns_domain['id']
+				));
+				$del_dom_stmt->execute(array(
+					'did' => $pdns_domain['id']
+				));
+			}
 		}
 	}
 
 	private function insertZone($domainname, $serial = 0)
 	{
-        $ins_stmt = \Froxlor\Dns\PowerDNS::getDB()->prepare("
+		$ins_stmt = \Froxlor\Dns\PowerDNS::getDB()->prepare("
 			INSERT INTO domains set `name` = :domainname, `notified_serial` = :serial, `type` = :type
 		");
-        $ins_stmt->execute(array(
-            'domainname' => $domainname,
-            'serial' => $serial,
-            'type' => strtoupper(Settings::Get('system.powerdns_mode'))
-        ));
-        $lastid = \Froxlor\Dns\PowerDNS::getDB()->lastInsertId();
-        return $lastid;;
+		$ins_stmt->execute(array(
+			'domainname' => $domainname,
+			'serial' => $serial,
+			'type' => strtoupper(Settings::Get('system.powerdns_mode'))
+		));
+		$lastid = \Froxlor\Dns\PowerDNS::getDB()->lastInsertId();
+		return $lastid;
 	}
 
 	private function insertRecords($domainid = 0, $records = array(), $origin = "")

lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php

@@ -131,7 +131,8 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 				'ssl_key_file' => null,
 				'ssl_ca_file' => null,
 				'ssl_csr_file' => null,
-				'id' => null
+				'id' => null,
+				'wwwserveralias' => 0
 			);
 
 			// add to queue
@@ -165,7 +166,8 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 				'ssl_key_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_key_file'] : null,
 				'ssl_ca_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_ca_file'] : null,
 				'ssl_csr_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_csr_file'] : null,
-				'id' => is_array($renew_froxlor) ? $renew_froxlor['id'] : null
+				'id' => is_array($renew_froxlor) ? $renew_froxlor['id'] : null,
+				'wwwserveralias' => 0
 			);
 			$renew_domains[] = $certrow;
 		}

lib/Froxlor/Database/Database.php

@@ -279,6 +279,8 @@ class Database
 			$host = $sql_root[self::$dbserver]['host'];
 			$socket = isset($sql_root[self::$dbserver]['socket']) ? $sql_root[self::$dbserver]['socket'] : null;
 			$port = isset($sql_root[self::$dbserver]['port']) ? $sql_root[self::$dbserver]['port'] : '3306';
+			$sslCAFile = $sql_root[self::$dbserver]['ssl']['caFile'] ?? "";
+			$sslVerifyServerCertificate = $sql_root[self::$dbserver]['ssl']['verifyServerCertificate'] ?? false;
 		} else {
 			$caption = 'localhost';
 			$user = $sql["user"];
@@ -286,6 +288,8 @@ class Database
 			$host = $sql["host"];
 			$socket = isset($sql['socket']) ? $sql['socket'] : null;
 			$port = isset($sql['port']) ? $sql['port'] : '3306';
+			$sslCAFile = $sql['ssl']['caFile'] ?? "";
+			$sslVerifyServerCertificate = $sql['ssl']['verifyServerCertificate'] ?? false;
 		}
 
 		// save sql-access-data if needed
@@ -297,7 +301,9 @@ class Database
 				'port' => $port,
 				'socket' => $socket,
 				'db' => $sql["db"],
-				'caption' => $caption
+				'caption' => $caption,
+				'ssl_ca_file' => $sslCAFile,
+				'ssl_verify_server_certificate' => $sslVerifyServerCertificate
 			);
 		}
 
@@ -321,6 +327,11 @@ class Database
 		} else {
 			$dbconf["dsn"]['host'] = $host;
 			$dbconf["dsn"]['port'] = $port;
+
+			if (!empty(self::$sqldata['ssl_ca_file'])) {
+				$options[\PDO::MYSQL_ATTR_SSL_CA] = self::$sqldata['ssl_ca_file'];
+				$options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) self::$sqldata['ssl_verify_server_certificate'];
+			}
 		}
 
 		self::$dbname = $sql["db"];

lib/Froxlor/Database/DbManager.php

@@ -82,10 +82,10 @@ class DbManager
 			// get all usernames from db-manager
 			$allsqlusers = $this->getManager()->getAllSqlUsers();
 			// generate random username
-			$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
+			$username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
 			// check whether it exists on the DBMS
 			while (in_array($username, $allsqlusers)) {
-				$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
+				$username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
 			}
 		} elseif (strtoupper(Settings::Get('customer.mysqlprefix')) == 'DBNAME') {
 			$username = $loginname;

lib/Froxlor/Dns/PowerDNS.php

@@ -62,6 +62,11 @@ class PowerDNS
 		} else {
 			$dbconf["dsn"]['host'] = $mysql_data['gmysql-host'];
 			$dbconf["dsn"]['port'] = $mysql_data['gmysql-port'];
+
+			if (!empty($mysql_data['gmysql-ssl-ca-file'])) {
+				$options[\PDO::MYSQL_ATTR_SSL_CA] = $mysql_data['gmysql-ssl-ca-file'];
+				$options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $mysql_data['gmysql-ssl-verify-server-certificate'];
+			}
 		}
 
 		// add options to dsn-string

lib/Froxlor/Domain/Domain.php

@@ -340,7 +340,7 @@ class Domain
 				// run remove command
 				\Froxlor\FileDir::safe_exec($acmesh . $params);
 				// remove certificates directory
-				@unlink($certificate_folder);
+				\Froxlor\FileDir::safe_exec('rm -rf ' . $certificate_folder);
 			}
 		}
 		return true;

lib/Froxlor/Froxlor.php

@@ -7,10 +7,10 @@ final class Froxlor
 {
 
 	// Main version variable
-	const VERSION = '0.10.28';
+	const VERSION = '0.10.31';
 
 	// Database version (YYYYMMDDC where C is a daily counter)
-	const DBVERSION = '202108180';
+	const DBVERSION = '202109040';
 
 	// Distribution branding-tag (used for Debian etc.)
 	const BRANDING = '';
@@ -202,6 +202,30 @@ final class Froxlor
 		return false;
 	}
 
+	/**
+	 * generate safe unique session id
+	 *
+	 * @param int $length
+	 * @return string
+	 */
+	public static function genSessionId(int $length = 16)
+	{
+		if(!isset($length) || intval($length) <= 8 ){
+			$length = 16;
+		}
+		if (function_exists('random_bytes')) {
+			return bin2hex(random_bytes($length));
+		}
+		if (function_exists('mcrypt_create_iv')) {
+			return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
+		}
+		if (function_exists('openssl_random_pseudo_bytes')) {
+			return bin2hex(openssl_random_pseudo_bytes($length));
+		}
+		// if everything else fails, use unsafe fallback
+		return md5(uniqid(microtime(), 1));
+	}
+
 	/**
 	 * compare of froxlor versions
 	 *

lib/configfiles/bionic.xml

@@ -382,13 +382,12 @@ exit "$RETVAL"
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -907,7 +906,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -917,6 +916,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -925,13 +926,12 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1451,7 +1451,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -3877,6 +3877,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>

lib/configfiles/bullseye.xml

@@ -75,7 +75,7 @@ Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}
 ]]>
 						</content>
 					</file>
-					<command><![CDATA[/etc/init.d/apache2 restart]]></command>
+					<command><![CDATA[service apache2 restart]]></command>
 				</daemon>
 				<!-- HTTP Lighttpd -->
 				<daemon name="lighttpd" title="LigHTTPd">
@@ -139,7 +139,7 @@ include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
 					</command>
 					<command><![CDATA[lighty-disable-mod cgi]]></command>
 					<command><![CDATA[lighty-disable-mod fastcgi]]></command>
-					<command><![CDATA[/etc/init.d/lighttpd restart]]></command>
+					<command><![CDATA[service lighttpd restart]]></command>
 				</daemon>
 				<!-- HTTP Nginx -->
 				<daemon name="nginx" title="nginx">
@@ -355,7 +355,7 @@ exit "$RETVAL"
 						</visibility>
 						<content><![CDATA[/etc/init.d/php-fcgi restart]]></content>
 					</command>
-					<command><![CDATA[/etc/init.d/nginx restart]]></command>
+					<command><![CDATA[service nginx restart]]></command>
 				</daemon>
 			</service>
 			<!--DNS -->
@@ -367,17 +367,16 @@ exit "$RETVAL"
 					<command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
 					<command><![CDATA[chown bind:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
 					<command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
-					<command><![CDATA[/etc/init.d/bind9 restart]]></command>
+					<command><![CDATA[service bind9 restart]]></command>
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -881,7 +880,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -891,21 +890,22 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
-					<command><![CDATA[/etc/init.d/pdns restart]]></command>
+					<command><![CDATA[service pdns restart]]></command>
 				</daemon>
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1410,7 +1410,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -1426,7 +1426,7 @@ bind-check-interval=180
 ]]>
 						</content>
 					</file>
-					<command><![CDATA[/etc/init.d/pdns restart]]></command>
+					<command><![CDATA[service pdns restart]]></command>
 				</daemon>
 			</service>
 			<!-- SMTP services -->
@@ -1549,7 +1549,7 @@ root:               root@<SERVERNAME>
 					</files>
 					<commands index="3">
 						<command><![CDATA[newaliases]]></command>
-						<command><![CDATA[/etc/init.d/postfix restart]]></command>
+						<command><![CDATA[service postfix restart]]></command>
 					</commands>
 				</general>
 				<!-- postfix with dovecot -->
@@ -4084,12 +4084,21 @@ plugin {
   # the source line numbers.
   #sieve_trace_addresses = no 
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>
 					</files>
 					<commands index="1">
-						<command><![CDATA[/etc/init.d/dovecot restart]]></command>
+						<command><![CDATA[service dovecot restart]]></command>
 					</commands>
 				</general>
 				<!-- Dovecot with postfix -->
@@ -4516,7 +4525,7 @@ TLSVerifyClient                         off
 ]]>
 						</content>
 					</file>
-					<command><![CDATA[/etc/init.d/proftpd restart]]></command>
+					<command><![CDATA[service proftpd restart]]></command>
 				</daemon>
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
@@ -4742,7 +4751,7 @@ UPLOADGID=
 ]]>
 						</content>
 					</file>
-					<command><![CDATA[/etc/init.d/pure-ftpd-mysql restart]]></command>
+					<command><![CDATA[service pure-ftpd-mysql restart]]></command>
 				</daemon>
 			</service>
 			<!-- System tools/services -->
@@ -4836,7 +4845,7 @@ aliases:     files
 						<command><![CDATA[useradd -s /bin/false -g {{settings.system.mod_fcgid_httpgroup}} {{settings.system.mod_fcgid_httpuser}}]]></command>
 						<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_configdir}}]]></command>
 						<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
-						<command><![CDATA[a2dismod php7.3]]></command>
+						<command><![CDATA[a2dismod php7.4]]></command>
 					</commands>
 					<!-- instead of just restarting apache, we let the cronjob do all the 
 						dirty work -->
@@ -4869,12 +4878,12 @@ aliases:     files
 						</visibility>
 						<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
 						</visibility>
-						<command><![CDATA[a2dismod php7.3]]></command>
+						<command><![CDATA[a2dismod php7.4]]></command>
 					</commands>
 					<commands index="5">
 						<visibility mode="equals" value="apache2">{{settings.system.webserver}}
 						</visibility>
-						<command><![CDATA[/etc/init.d/apache2 restart]]></command>
+						<command><![CDATA[service apache2 restart]]></command>
 					</commands>
 					<!-- instead of just restarting apache, we let the cronjob do all the 
 						dirty work -->

lib/configfiles/buster.xml

@@ -371,13 +371,12 @@ exit "$RETVAL"
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -881,7 +880,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -891,6 +890,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -899,13 +900,12 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1410,7 +1410,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -4079,6 +4079,15 @@ plugin {
   # the source line numbers.
   #sieve_trace_addresses = no 
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>

lib/configfiles/centos7.xml

@@ -1712,6 +1712,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+						</content>
+					</file>
+					<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+						chmod="0644" backup="true">
+						<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 						</content>
 					</file>

lib/configfiles/centos8.xml

@@ -1713,6 +1713,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+						</content>
+					</file>
+					<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+						chmod="0644" backup="true">
+						<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 						</content>
 					</file>

lib/configfiles/focal.xml

@@ -369,13 +369,12 @@ exit "$RETVAL"
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -894,7 +893,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -904,6 +903,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -912,13 +913,12 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1438,7 +1438,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -3293,6 +3293,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>

lib/configfiles/gentoo.xml

@@ -391,14 +391,13 @@ mail	IN		A	<SERVERIP>
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[emerge net-dns/pdns]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Autogenerated configuration file template
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -902,7 +901,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -912,6 +911,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -920,14 +921,13 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[emerge net-dns/pdns]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Autogenerated configuration file template
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1431,7 +1431,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #local-ipv6=YOUR_IPv6_(if_any)
 bind-config=<BIND_CONFIG_PATH>named.conf
@@ -2345,6 +2345,15 @@ plugin {
 ]]>
 						</content>
 					</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
+]]>
+							</content>
+						</file>
 					<command><![CDATA[rc-update add dovecot default]]></command>
 					<command><![CDATA[/etc/init.d/dovecot restart]]></command>
 				</daemon>

lib/configfiles/stretch.xml

@@ -371,13 +371,12 @@ exit "$RETVAL"
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -896,7 +895,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -906,6 +905,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -914,13 +915,12 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1440,7 +1440,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -3866,6 +3866,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>

lib/configfiles/xenial.xml

@@ -382,13 +382,12 @@ exit "$RETVAL"
 				</daemon>
 				<daemon name="powerdns" title="PowerDNS (standalone)">
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -907,7 +906,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # mysql-settings / you need to create the power-dns database for yourself!
 launch=gmysql
@@ -917,6 +916,8 @@ gmysql-dbname=pdns
 gmysql-user=powerdns
 gmysql-group=client
 gmysql-password=
+#gmysql-ssl-ca-file=
+#gmysql-ssl-verify-server-certificate=0
 ]]>
 						</content>
 					</file>
@@ -925,13 +926,12 @@ gmysql-password=
 				<daemon name="powerdns_bind"
 					title="PowerDNS via bind-backend">
 					<install><![CDATA[apt-get install pdns-server]]></install>
-					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
+					<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
 						<content><![CDATA[
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
-# add these entries to the list if any specified: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -1451,7 +1451,7 @@ include-dir=/etc/powerdns/froxlor/
 					</file>
 					<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
-						chown="root:root" chmod="600">
+						chown="root:pdns" chmod="640">
 						<content><![CDATA[
 # Bind backend configuration
 
@@ -3877,6 +3877,15 @@ plugin {
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
+]]>
+							</content>
+						</file>
+						<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
+							chmod="0644" backup="true">
+							<content><![CDATA[
+plugin {
+  quota = maildir:User quota
+}
 ]]>
 							</content>
 						</file>

lib/formfields/admin/phpconfig/formfield.phpconfig_add.php

@@ -179,6 +179,18 @@ return array(
 						'cols' => 80,
 						'rows' => 20,
 						'value' => $result['phpsettings']
+					),
+					'allow_all_customers' => array(
+						'label' => $lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'],
+						'desc' => $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array()
 					)
 				)
 			)

lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php

@@ -187,6 +187,18 @@ return array(
 						'cols' => 80,
 						'rows' => 20,
 						'value' => $result['phpsettings']
+					),
+					'allow_all_customers' => array(
+						'label' => $lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'],
+						'desc' => $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array()
 					)
 				)
 			)

lib/init.php

@@ -103,7 +103,7 @@ unset($_);
 unset($value);
 unset($key);
 
-$filename = htmlentities(basename($_SERVER['PHP_SELF']));
+$filename = htmlentities(basename($_SERVER['SCRIPT_NAME']));
 
 // check whether the userdata file exists
 if (! file_exists(\Froxlor\Froxlor::getInstallDir() . '/lib/userdata.inc.php')) {
@@ -161,7 +161,9 @@ $idna_convert = new \Froxlor\Idna\IdnaWrapper();
 /**
  * If Froxlor was called via HTTPS -> enforce it for the next time by settings HSTS header according to settings
  */
+$is_ssl = false;
 if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
+	$is_ssl = true;
 	$maxage = Settings::Get('system.hsts_maxage');
 	if (empty($maxage)) {
 		$maxage = 0;
@@ -217,6 +219,8 @@ if (isset($s) && $s != "" && $nosession != 1) {
 	ini_set("session.name", "s");
 	ini_set("url_rewriter.tags", "");
 	ini_set("session.use_cookies", false);
+	ini_set("session.cookie_httponly", true);
+	ini_set("session.cookie_secure", $is_ssl);
 	session_id($s);
 	session_start();
 	$query = "SELECT `s`.*, `u`.* FROM `" . TABLE_PANEL_SESSIONS . "` `s` LEFT JOIN `";

lng/czech.lng.php

@@ -382,7 +382,7 @@ $lng['serversettings']['pathedit']['description'] = 'Měla by cesta být na výb
 $lng['serversettings']['nameservers']['title'] = 'Názvy serverů';
 $lng['serversettings']['nameservers']['description'] = 'Seznam oddělený čárkami obsahující názvy hostitelů všech jmenných serverů. První bude primární.';
 $lng['serversettings']['mxservers']['title'] = 'MX servery';
-$lng['serversettings']['mxservers']['description'] = 'Seznam oddělený čárkami obsahující dvojici čísla a jméno hostitele oddělené mezerou (např. \ '10 mx.example.com \ ') obsahující servery mx.';
+$lng['serversettings']['mxservers']['description'] = 'Seznam oddělený čárkami obsahující dvojici čísla a jméno hostitele oddělené mezerou (např. \'10 mx.example.com\') obsahující servery mx.';
 
 /**
  * CHANGED BETWEEN 1.2.12 and 1.2.13

lng/english.lng.php

@@ -1722,7 +1722,7 @@ $lng['serversettings']['panel_password_special_char_required']['description'] =
 $lng['serversettings']['panel_password_special_char']['title'] = 'Special characters list';
 $lng['serversettings']['panel_password_special_char']['description'] = 'One of these characters is required if the above option is set.';
 $lng['phpfpm']['use_mod_proxy']['title'] = 'Use mod_proxy / mod_proxy_fcgi';
-$lng['phpfpm']['use_mod_proxy']['description'] = '<strong class="red">Must be enabled when using Debian 9.x (Stretch)</strong>. Activate to use php-fpm via mod_proxy_fcgi. Requires at least apache-2.4.9';
+$lng['phpfpm']['use_mod_proxy']['description'] = '<strong class="red">Must be enabled when using Debian 9.x (Stretch) or newer</strong>. Activate to use php-fpm via mod_proxy_fcgi. Requires at least apache-2.4.9';
 $lng['error']['no_phpinfo'] = 'Sorry, unable to read phpinfo()';
 
 $lng['admin']['movetoadmin'] = 'Move customer';
@@ -2131,3 +2131,8 @@ $lng['serversettings']['froxlorusergroup']['description'] = 'Usage of libnss-ext
 $lng['error']['local_group_exists'] = 'The given group already exists on the system.';
 $lng['error']['local_group_invalid'] = 'The given group name is invalid';
 $lng['error']['invaliddnsforletsencrypt'] = 'The domains DNS does not include any of the chosen IP addresses. Let\'s Encrypt certificate generation not possible.';
+$lng['error']['notallowedphpconfigused'] = 'Trying to use php-config which is not assigned to customer';
+
+$lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'] = 'Assign this configuration to all currently existing customers';
+$lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'] = 'Set this to "true" if you want to assign this configuration to all currently existing customers so it can be used by them. This setting is not permanent but can be run multiple times.';
+$lng['error']['pathmustberelative'] = 'The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).';

lng/german.lng.php

@@ -1445,7 +1445,7 @@ $lng['serversettings']['panel_password_special_char_required']['description'] =
 $lng['serversettings']['panel_password_special_char']['title'] = 'Sonderzeichen-Liste';
 $lng['serversettings']['panel_password_special_char']['description'] = 'Mindestens eines dieser Sonderzeichen muss in dem Passwort vorkommen, sofern die Sonderzeichen-Option aktiviert ist.';
 $lng['phpfpm']['use_mod_proxy']['title'] = 'Verwende mod_proxy / mod_proxy_fcgi';
-$lng['phpfpm']['use_mod_proxy']['description'] = '<strong class="red">Muss gesetzt sein bei Debian 9.x (Stretch)</strong>. Diese Option kann aktiviert werden, um php-fpm via mod_proxy_fcgi einzubinden. Dies setzt mindestens apache-2.4.9 voraus';
+$lng['phpfpm']['use_mod_proxy']['description'] = '<strong class="red">Muss gesetzt sein bei Debian 9.x (Stretch) oder neuer</strong>. Diese Option kann aktiviert werden, um php-fpm via mod_proxy_fcgi einzubinden. Dies setzt mindestens apache-2.4.9 voraus';
 $lng['error']['no_phpinfo'] = 'Entschuldigung, es ist nicht möglich die phpinfo() auszulesen.';
 
 $lng['admin']['movetoadmin'] = 'Kunde verschieben';
@@ -1777,3 +1777,8 @@ $lng['serversettings']['froxlorusergroup']['description'] = 'Voraussetzung hierf
 $lng['error']['local_group_exists'] = 'Die angegebene Gruppe existiert bereits auf dem System';
 $lng['error']['local_group_invalid'] = 'Der angegebene Gruppen-Name ist nicht gültig';
 $lng['error']['invaliddnsforletsencrypt'] = 'Die DNS-Einträge der Domain enhalten keine der gewählten IP Adressen. Let\'s Encrypt Zertifikats-Erstellung ist nicht möglich.';
+$lng['error']['notallowedphpconfigused'] = 'Nutzung einer PHP-Konfiguration welche nicht dem Kunden zugeordnet ist';
+
+$lng['serversettings']['phpfpm_settings']['allow_all_customers']['title'] = 'Für aktuelle Kunden automatisch hinzufügen';
+$lng['serversettings']['phpfpm_settings']['allow_all_customers']['description'] = 'Ist diese Einstellung aktiv, wird die Konfiguration automatisch allen aktuell existierenden Kunden-Accounts zugewiesen. Diese Einstellung ist nicht permanent, kann aber mehrfach / nach Bedarf ausgeführt werden.';
+$lng['error']['pathmustberelative'] = 'Der Benutzer hat nicht die benötigten Berechtigungen, um Pfade außerhalb des Kunden-Heimatverzeichnisses anzugeben. Bitte einen relativen Pfad angeben (kein führendes /).';

templates/Sparkle/login/fpwd.tpl

@@ -10,7 +10,7 @@ $header
 				</div>
 			</if>
 			<section class="loginsec">
-				<form method="post" action="$filename" enctype="application/x-www-form-urlencoded">
+				<form method="post" action="index.php" enctype="application/x-www-form-urlencoded">
 					<fieldset>
 					<legend>Froxlor&nbsp;-&nbsp;{$lng['login']['presend']}</legend>
 					<p>

templates/Sparkle/login/login.tpl

@@ -25,7 +25,7 @@ $header
 		</if>
 
 		<section class="loginsec">
-			<form method="post" action="$filename" enctype="application/x-www-form-urlencoded">
+			<form method="post" action="index.php" enctype="application/x-www-form-urlencoded">
 				<input type="hidden" name="script" value="{$lastscript}" />
 				<input type="hidden" name="qrystr" value="{$lastqrystr}" />
 				<fieldset>

templates/Sparkle/login/login_ftp.tpl

@@ -1,41 +0,0 @@
-	<article class="login bradius">
-		<header class="dark">
-			<img src="{$header_logo_login}" alt="{t}Froxlor Server Management Panel{/t}" />
-		</header>
-
-		{if isset($successmessage)}
-			<div class="successcontainer bradius">
-				<div class="successtitle">{t}Success{/t}</div>
-				<div class="success">{$successmessage}</div>
-			</div>
-		{/if}
-
-		{if isset($errormessage)}
-			<div class="errorcontainer bradius">
-				<div class="errortitle">{t}Error{/t}</div>
-				<div class="error">{$errormessage}</div>
-			</div>
-		{/if}
-
-		<section class="loginsec">
-			<form method="post" action="webftp.php" enctype="application/x-www-form-urlencoded">
-				<fieldset>
-				<legend>{t}Froxlor - WebFTP - Login{/t}</legend>
-				<p>
-					<label for="loginname">{t}Username{/t}:</label>&nbsp;
-					<input type="text" name="loginname" id="loginname" value="" required/>
-				</p>
-				<p>
-					<label for="password">{t}Password{/t}:</label>&nbsp;
-					<input type="password" name="password" id="password" required/>
-				</p>
-				<p class="submit">
-					<input type="hidden" name="send" value="send" />
-					<input type="submit" value="{t}Login{/t}" />
-				</p>
-				</fieldset>
-			</form>
-			<aside>&nbsp;</aside>
-		</section>
-
-	</article>

templates/Sparkle/login/rpwd.tpl

@@ -11,7 +11,7 @@ $header
 			</if>
 			<section class="loginsec">
 				<h3>{$lng['pwdreminder']['choosenew']}</h3>
-				<form method="post" action="{$filename}?action=resetpwd&resetcode={$activationcode}" enctype="application/x-www-form-urlencoded">
+				<form method="post" action="index.php?action=resetpwd&resetcode={$activationcode}" enctype="application/x-www-form-urlencoded">
 					<fieldset>
 					<legend>Froxlor&nbsp;-&nbsp;{$lng['login']['presend']}</legend>
 					<p>

templates/misc/standardcustomer/index.html

@@ -67,7 +67,7 @@ a:hover {
 		<span> <img
 			src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAAAQCAYAAAC1MDndAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAy1JREFUeNrs1muIVlUUBuBnvqZkoswudKErZFOG0kWt6WpN0wWCDMOsgX4UmVS/KovKhIKYLhRBJvV1o/5VlJCmYEmUFYijaBYhSRQVBVE0ZnRBJ/vzfnA4nDN+wTh/pgWHc/baa6+z97v3et/d0Ww24SQ8ij5MNL7tN6zBvdjWiZOxDpP8b3JA5qAXPQ0MtAnOm9jZBvqbsQHbsGsMFrQLv+KPUc47CQONlFXZPsNfJd/buBrDFfHDWIDDcAZmohsPjwFAD+EQnL8Xcl/WqOGc+/FJyXcxVuHJivjX8Hx2cwGeweO4fIxOkL10Wg9o1HSsxUcl30V5P1JxnFuxp+M53I67cQ5mYwZexj2YlnarJBdl3BE4FfPxdfofSOwNhX+uwgXxf1Uz/024DpNxFHrwRIEiPs74XnyIq3A8Xion6qxIvj0TX1vyb8x7CJ/jrELfjrx/zgmS0p2bCWzHzejAQTgmO35J+OpInIcv8GLKeROuzcI24lAsRH/yzcGJFfMfDIB/B/ipeD8bNojX8W1hPR+gCxPwTzsAdaGRgTeGrAZLJXd4zc59l1Jr2dzC91S8g+PSXhFwGgGxO4s6Bd9gaQRkAHdhSQHso/FCzRweS56ezLmB1bgCb+DBCg67rwaLSud+uDAAvVLRfw1OqCO18JEKbusvgNMqA/F153sCpgegT+O7Iwt8NwrZwKsh5irbUuDMFoXMquhv2eKRSKiOg54OUFXSt3SEfPvi4Dz77IEAW/8uH+vdpf6dkXGF+F9GyNtRkXe4or8tqwNoWrigbDeFTEfDZhbKckuBy9blu0XkC1Pi++PK+Objy5q80/NeXSDl9wrgnDkaAIlyzCj5zh1FCb00JL07Jd2LKfgBx+LWXE6XJP6pcMiUiMg8/FmRd3GEYHNiZ+H6wgZP/i+T7MzPJo5wkjYU2t01cWfjp6hH2WZn0adVbM7KALAS3weYftwZIVgTIHtxS8YtD6kOYX2Uqi8iIKCsD6CDhXnNi+iI+vXhwD3g83tHs9l8K5JZZbfh2UL7x0jyeLFljVzUhtoc0DWOwBnCoga25s6wrHDhG8+2I1j0YOu/AwBUU7aBHvM/ZwAAAABJRU5ErkJggg=="
 			style="height: 13px; margin: 0 2px 3px 0; vertical-align: middle;" />
-			&copy; 2009-2018 by <a href="http://www.froxlor.org">the Froxlor
+			&copy; 2009-2021 by <a href="http://www.froxlor.org">the Froxlor
 				Team</a>
 		</span>
 	</footer>

tests/Domains/DomainsTest.php

@@ -138,6 +138,25 @@ class DomainsTest extends TestCase
 		$this->assertEquals(2, $result['subcanemaildomain']);
 	}
 
+	public function testResellerDomainsAddWithAbsolutePathNoChangeServerSettings()
+	{
+		global $admin_userdata;
+		// get reseller
+		$json_result = Admins::getLocal($admin_userdata, array(
+			'loginname' => 'reseller'
+		))->get();
+		$reseller_userdata = json_decode($json_result, true)['data'];
+		$reseller_userdata['adminsession'] = 1;
+		$data = [
+			'domain' => 'test3.local',
+			'customerid' => 1,
+			'documentroot' => '/some/absolute/directory/the_reseller/cannot/set/',
+			'ipandport' => 4
+		];
+		$this->expectExceptionMessage("The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).");
+		$json_result = Domains::getLocal($reseller_userdata, $data)->add();
+	}
+
 	/**
 	 *
 	 * @depends testAdminDomainsAdd
@@ -153,12 +172,35 @@ class DomainsTest extends TestCase
 		$reseller_userdata['adminsession'] = 1;
 		$data = [
 			'domainname' => 'test2.local',
-			'ssl_protocols' => 'TLSv1'
+			'ssl_protocols' => 'TLSv1',
+			'documentroot' => '/var/customers/webs/test1/sub/'
 		];
 		$json_result = Domains::getLocal($reseller_userdata, $data)->update();
 		$result = json_decode($json_result, true)['data'];
 		$this->assertEmpty($result['ssl_protocols']);
 		$this->assertEquals('test2.local', $result['domain']);
+		$this->assertEquals('/var/customers/webs/test1/sub/', $result['documentroot']);
+	}
+
+	/**
+	 *
+	 * @depends testResellerDomainsUpdate
+	 */
+	public function testResellerDomainsUpdateAboslutePathNotAllowed()
+	{
+		global $admin_userdata;
+		// get reseller
+		$json_result = Admins::getLocal($admin_userdata, array(
+			'loginname' => 'reseller'
+		))->get();
+		$reseller_userdata = json_decode($json_result, true)['data'];
+		$reseller_userdata['adminsession'] = 1;
+		$data = [
+			'domainname' => 'test2.local',
+			'documentroot' => '/some/other/dir'
+		];
+		$this->expectExceptionMessage("The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).");
+		$json_result = Domains::getLocal($reseller_userdata, $data)->update();
 	}
 
 	public function testAdminDomainsAddSysHostname()
@@ -402,6 +444,7 @@ class DomainsTest extends TestCase
 	}
 
 	/**
+	 *
 	 * @refs https://github.com/Froxlor/Froxlor/issues/899
 	 */
 	public function testAdminIdn2DomainsAdd()

tests/PhpAndFpm/PhpSettingsTest.php

@@ -97,4 +97,34 @@ class PhpSettingsText extends TestCase
 			'id' => 1
 		))->get();
 	}
+
+	/**
+	 * @depends testAdminPhpSettingsAdd
+	 */
+	public function testAdminPhpSettingsAddForAll()
+	{
+		global $admin_userdata;
+		$data = [
+			'description' => 'test php #2',
+			'phpsettings' => 'error_reporting=E_ALL',
+			'fpmconfig' => Settings::Get('phpfpm.defaultini'),
+			'allow_all_customers' => true
+		];
+		$json_result = PhpSettings::getLocal($admin_userdata, $data)->add();
+		$result = json_decode($json_result, true)['data'];
+		$required_id = $result['id'];
+
+		$json_result = Customers::getLocal($admin_userdata)->listing();
+		$result = json_decode($json_result, true)['data'];
+
+		$allowed_cnt = 0;
+		foreach ($result['list'] as $customer) {
+			$cust_phpconfigsallowed = json_decode($customer['allowed_phpconfigs'], true);
+			if (!in_array($required_id, $cust_phpconfigsallowed)) {
+				$this->fail("Customer does not have php-config assigned which was added for all customers");
+			}
+			$allowed_cnt++;
+		}
+		$this->assertTrue($allowed_cnt == $result['count']);
+	}
 }

tests/bootstrap.php

@@ -43,14 +43,25 @@ require dirname(__DIR__) . '/lib/tables.inc.php';
 use Froxlor\Database\Database;
 use Froxlor\Settings;
 
-Database::needRoot(true);
 if (TRAVIS_CI == 0) {
+	Database::needRoot(true);
 	Database::query("DROP DATABASE IF EXISTS `froxlor010`;");
 	Database::query("CREATE DATABASE `froxlor010`;");
 	exec("mysql -u root -p" . $rpwd . " froxlor010 < " . dirname(__DIR__) . "/install/froxlor.sql");
+	Database::query("DROP USER IF EXISTS 'test1sql1'@'localhost';");
+	Database::query("DROP USER IF EXISTS 'test1sql1'@'127.0.0.1';");
+	Database::query("DROP USER IF EXISTS 'test1sql1'@'172.17.0.1';");
+	Database::query("DROP USER IF EXISTS 'test1sql1'@'82.149.225.46';");
+	Database::query("DROP USER IF EXISTS 'test1sql1'@'2a01:440:1:12:82:149:225:46';");
+	Database::query("DROP USER IF EXISTS 'test1_abc123'@'localhost';");
+	Database::query("DROP USER IF EXISTS 'test1_abc123'@'127.0.0.1';");
+	Database::query("DROP USER IF EXISTS 'test1_abc123'@'172.17.0.1';");
+	Database::query("DROP USER IF EXISTS 'test1_abc123'@'82.149.225.46';");
+	Database::query("DROP USER IF EXISTS 'test1_abc123'@'2a01:440:1:12:82:149:225:46';");
+	Database::query("DROP DATABASE IF EXISTS `test1sql1`;");
+	Database::query("DROP DATABASE IF EXISTS `test1_abc123`;");
+	Database::needRoot(false);
 }
-Database::query("DROP DATABASE IF EXISTS `test1sql1`;");
-Database::needRoot(false);
 
 // clear all tables
 Database::query("TRUNCATE TABLE `" . TABLE_PANEL_CUSTOMERS . "`;");
@@ -162,6 +173,7 @@ Settings::Set('system.mysql_access_host', 'localhost,127.0.0.1,172.17.0.1,2a01:4
 Settings::Set('system.use_ssl', '1', true);
 Settings::Set('system.froxlordirectlyviahostname', '1', true);
 Settings::Set('system.dns_createhostnameentry', '1', true);
+Settings::Set('system.bind_enable', '1', true);
 Settings::Set('system.dnsenabled', '1', true);
 Settings::Set('system.dns_server', 'PowerDNS', true);
 Settings::Set('phpfpm.enabled', '1', true);