set version to 0.10.38.2 for security release

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

api_keys.php

@@ -1,5 +1,5 @@
 <?php
-if (! defined('AREA')) {
+if (!defined('AREA')) {
 	header("Location: index.php");
 	exit();
 }
@@ -27,39 +27,47 @@ use Froxlor\Database\Database;
 
 $del_stmt = Database::prepare("DELETE FROM `" . TABLE_API_KEYS . "` WHERE id = :id");
 $success_message = "";
-$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
+$id = isset($_POST['id']) ? (int) $_POST['id'] : (isset($_GET['id']) ? (int) $_GET['id'] : 0);
 $area = AREA;
 
 // do the delete and then just show a success-message and the apikeys list again
 if ($action == 'delete') {
 	if ($id > 0) {
-		$chk = (AREA == 'admin' && $userinfo['customers_see_all'] == '1') ? true : false;
-		if (AREA == 'customer') {
-			$chk_stmt = Database::prepare("
-				SELECT c.customerid FROM `" . TABLE_PANEL_CUSTOMERS . "` c
-				LEFT JOIN `" . TABLE_API_KEYS . "` ak ON ak.customerid = c.customerid
-				WHERE ak.`id` = :id AND c.`customerid` = :cid
-			");
-			$chk = Database::pexecute_first($chk_stmt, array(
-				'id' => $id,
-				'cid' => $userinfo['customerid']
-			));
-		} elseif (AREA == 'admin' && $userinfo['customers_see_all'] == '0') {
-			$chk_stmt = Database::prepare("
-				SELECT a.adminid FROM `" . TABLE_PANEL_ADMINS . "` a
-				LEFT JOIN `" . TABLE_API_KEYS . "` ak ON ak.adminid = a.adminid
-				WHERE ak.`id` = :id AND a.`adminid` = :aid
-			");
-			$chk = Database::pexecute_first($chk_stmt, array(
-				'id' => $id,
-				'aid' => $userinfo['adminid']
-			));
-		}
-		if ($chk !== false) {
-			Database::pexecute($del_stmt, array(
+		if (isset($_POST['send']) && $_POST['send'] == 'send') {
+			$chk = (AREA == 'admin' && $userinfo['customers_see_all'] == '1') ? true : false;
+			if (AREA == 'customer') {
+				$chk_stmt = Database::prepare("
+					SELECT c.customerid FROM `" . TABLE_PANEL_CUSTOMERS . "` c
+					LEFT JOIN `" . TABLE_API_KEYS . "` ak ON ak.customerid = c.customerid
+					WHERE ak.`id` = :id AND c.`customerid` = :cid
+				");
+				$chk = Database::pexecute_first($chk_stmt, array(
+					'id' => $id,
+					'cid' => $userinfo['customerid']
+				));
+			} elseif (AREA == 'admin' && $userinfo['customers_see_all'] == '0') {
+				$chk_stmt = Database::prepare("
+					SELECT a.adminid FROM `" . TABLE_PANEL_ADMINS . "` a
+					LEFT JOIN `" . TABLE_API_KEYS . "` ak ON ak.adminid = a.adminid
+					WHERE ak.`id` = :id AND a.`adminid` = :aid
+				");
+				$chk = Database::pexecute_first($chk_stmt, array(
+					'id' => $id,
+					'aid' => $userinfo['adminid']
+				));
+			}
+			if ($chk !== false) {
+				Database::pexecute($del_stmt, array(
+					'id' => $id
+				));
+				$success_message = sprintf($lng['apikeys']['apikey_removed'], $id);
+			}
+		} else {
+			\Froxlor\UI\HTML::askYesNo('api_reallydelete', $filename, array(
+				'page' => $page,
+				'action' => $action,
 				'id' => $id
-			));
-			$success_message = sprintf($lng['apikeys']['apikey_removed'], $id);
+			), $id);
 		}
 	}
 } elseif ($action == 'add') {
@@ -85,10 +93,10 @@ if ($action == 'delete') {
 } elseif ($action == 'jqEditApiKey') {
 	$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
 	$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
-	$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : - 1;
+	$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;
 
 	// validate allowed_from
-	if (! empty($allowed_from)) {
+	if (!empty($allowed_from)) {
 		$ip_list = array_map('trim', explode(",", $allowed_from));
 		$_check_list = $ip_list;
 		foreach ($_check_list as $idx => $ip) {
@@ -100,8 +108,8 @@ if ($action == 'delete') {
 		$allowed_from = implode(",", array_unique($ip_list));
 	}
 
-	if ($valid_until <= 0 || ! is_numeric($valid_until)) {
-		$valid_until = - 1;
+	if ($valid_until <= 0 || !is_numeric($valid_until)) {
+		$valid_until = -1;
 	}
 
 	$upd_stmt = Database::prepare("

index.php

@@ -22,6 +22,7 @@ require './lib/init.php';
 use Froxlor\Database\Database;
 use Froxlor\Settings;
 use Froxlor\FroxlorLogger;
+use Froxlor\Validate\Validate;
 
 if ($action == '') {
 	$action = 'login';
@@ -352,8 +353,7 @@ if ($action == '2fa_entercode') {
 				$message = sprintf($lng['error']['login_blocked'], Settings::Get('login.deactivatetime'));
 				break;
 			case 4:
-				$cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
-				$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
+				$message = $lng['error']['errorsendingmailpub'];
 				break;
 			case 5:
 				$message = $lng['error']['user_banned'];

install/froxlor.sql

@@ -723,7 +723,7 @@ opcache.validate_timestamps'),
 	('panel', 'logo_image_login', ''),
 	('panel', 'logo_overridetheme', '0'),
 	('panel', 'logo_overridecustom', '0'),
-	('panel', 'version', '0.10.37'),
+	('panel', 'version', '0.10.38.2'),
 	('panel', 'db_version', '202112310');
 
 

install/updates/froxlor/0.10/update_0.10.inc.php

@@ -1001,3 +1001,18 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.36')) {
 	showUpdateStep("Updating from 0.10.36 to 0.10.37", false);
 	\Froxlor\Froxlor::updateToVersion('0.10.37');
 }
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.37')) {
+        showUpdateStep("Updating from 0.10.37 to 0.10.38", false);
+        \Froxlor\Froxlor::updateToVersion('0.10.38');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.38')) {
+        showUpdateStep("Updating from 0.10.38 to 0.10.38.1", false);
+        \Froxlor\Froxlor::updateToVersion('0.10.38.1');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.38.1')) {
+        showUpdateStep("Updating from 0.10.38.1 to 0.10.38.2", false);
+        \Froxlor\Froxlor::updateToVersion('0.10.38.2');
+}

lib/Froxlor/Api/Commands/Admins.php

@@ -227,7 +227,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 			$ipaddress = $this->getParam('ipaddress', true, - 1);
 
 			// validation
-			$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
+			$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 			$idna_convert = new \Froxlor\Idna\IdnaWrapper();
 			$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
 			$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
@@ -527,7 +527,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 				}
 
 				// validation
-				$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
+				$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 				$idna_convert = new \Froxlor\Idna\IdnaWrapper();
 				$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
 				$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);

lib/Froxlor/Api/Commands/Customers.php

@@ -404,12 +404,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 				}
 
 				// validation
-				$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
-				$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
-				$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
-				$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
+				$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+				$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+				$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+				$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 				$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
-				$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
+				$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 				$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 				$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 				$idna_convert = new \Froxlor\Idna\IdnaWrapper();
@@ -998,12 +998,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 		// validation
 		if ($this->isAdmin()) {
 			$idna_convert = new \Froxlor\Idna\IdnaWrapper();
-			$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
-			$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
-			$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
-			$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
+			$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+			$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+			$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+			$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 			$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
-			$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
+			$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 			$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 			$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 			$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));

lib/Froxlor/Api/Commands/PhpSettings.php

@@ -99,7 +99,7 @@ class PhpSettings extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 				}
 
 				// check whether we use that config as froxor-vhost config
-				if (Settings::Get('system.mod_fcgid_defaultini_ownvhost') == $row['id'] || Settings::Get('phpfpm.vhost_defaultini') == $row['id']) {
+				if ((Settings::Get('system.mod_fcgid') == '1' && Settings::Get('system.mod_fcgid_defaultini_ownvhost') == $row['id']) || (Settings::Get('phpfpm.enabled') == '1' && Settings::Get('phpfpm.vhost_defaultini') == $row['id'])) {
 					$domains[] = Settings::Get('system.hostname');
 				}
 

lib/Froxlor/FileDir.php

@@ -491,7 +491,7 @@ class FileDir
 					new \RecursiveDirectoryIterator($path, \RecursiveDirectoryIterator::SKIP_DOTS),
 					$filter
 				),
-				\RecursiveIteratorIterator::LEAVES_ONLY,
+				\RecursiveIteratorIterator::SELF_FIRST,
 				\RecursiveIteratorIterator::CATCH_GET_CHILD
 			);
 			// we can limit the recursion-depth, but will it be helpful or

lib/Froxlor/Froxlor.php

@@ -7,7 +7,7 @@ final class Froxlor
 {
 
 	// Main version variable
-	const VERSION = '0.10.37';
+	const VERSION = '0.10.38.2';
 
 	// Database version (YYYYMMDDC where C is a daily counter)
 	const DBVERSION = '202112310';

lng/english.lng.php

@@ -673,6 +673,7 @@ $lng['admin']['message'] = 'Write a Message';
 $lng['admin']['text'] = 'Message';
 $lng['menu']['message'] = 'Messages';
 $lng['error']['errorsendingmail'] = 'The message to "%s" failed';
+$lng['error']['errorsendingmailpub'] = 'The message to the given email-address failed';
 $lng['error']['cannotreaddir'] = 'Unable to read directory "%s"';
 $lng['message']['success'] = 'Successfully sent message to %s recipients';
 $lng['message']['norecipients'] = 'No e-mail has been sent because there are no recipients in the database';
@@ -2138,3 +2139,5 @@ $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description']
 $lng['error']['pathmustberelative'] = 'The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).';
 $lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
 $lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>';
+
+$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';

lng/german.lng.php

@@ -666,6 +666,7 @@ $lng['admin']['message'] = 'Rundmail senden';
 $lng['admin']['text'] = 'Nachricht';
 $lng['menu']['message'] = 'Nachrichten';
 $lng['error']['errorsendingmail'] = 'Das Versenden der Nachricht an "%s" schlug fehl.';
+$lng['error']['errorsendingmailpub'] = 'Das Versenden der Nachricht an die angegebene E-Mail Adresse schlug fehl.';
 $lng['error']['cannotreaddir'] = 'Der Ordner "%s" kann nicht gelesen werden';
 $lng['message']['success'] = 'Nachricht erfolgreich an "%s" Empfänger gesendet';
 $lng['message']['norecipients'] = 'Es wurde keine E-Mail versendet, da sich keine Empfänger in der Datenbank befinden';
@@ -1784,3 +1785,5 @@ $lng['serversettings']['phpfpm_settings']['allow_all_customers']['description']
 $lng['error']['pathmustberelative'] = 'Der Benutzer hat nicht die benötigten Berechtigungen, um Pfade außerhalb des Kunden-Heimatverzeichnisses anzugeben. Bitte einen relativen Pfad angeben (kein führendes /).';
 $lng['serversettings']['acmeshpath']['title'] = 'Pfad zu acme.sh';
 $lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>';
+
+$lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';