Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
e10f77e219 | ||
|
|
83ff0f5b00 | ||
|
|
0562d248b5 | ||
|
|
3fda5be5a3 | ||
|
|
4d454a3903 | ||
|
|
0e703a4199 | ||
|
|
47c71f6035 | ||
|
|
5923cbb1d5 | ||
|
|
3f10a4aded | ||
|
|
eaea93296d | ||
|
|
1182453c18 |
48
api_keys.php
48
api_keys.php
@@ -71,27 +71,39 @@ if ($action == 'delete') {
|
||||
}
|
||||
}
|
||||
} elseif ($action == 'add') {
|
||||
$ins_stmt = Database::prepare("
|
||||
INSERT INTO `" . TABLE_API_KEYS . "` SET
|
||||
`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
|
||||
");
|
||||
// customer generates for himself, admins will see a customer-select-box later
|
||||
if (AREA == 'admin') {
|
||||
$cid = 0;
|
||||
} elseif (AREA == 'customer') {
|
||||
$cid = $userinfo['customerid'];
|
||||
|
||||
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
$ins_stmt = Database::prepare("
|
||||
INSERT INTO `" . TABLE_API_KEYS . "` SET
|
||||
`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
|
||||
");
|
||||
// customer generates for himself, admins will see a customer-select-box later
|
||||
if (AREA == 'admin') {
|
||||
$cid = 0;
|
||||
} elseif (AREA == 'customer') {
|
||||
$cid = $userinfo['customerid'];
|
||||
}
|
||||
$key = hash('sha256', openssl_random_pseudo_bytes(64 * 64));
|
||||
$secret = hash('sha512', openssl_random_pseudo_bytes(64 * 64 * 4));
|
||||
Database::pexecute($ins_stmt, array(
|
||||
'key' => $key,
|
||||
'secret' => $secret,
|
||||
'aid' => $userinfo['adminid'],
|
||||
'cid' => $cid
|
||||
));
|
||||
$success_message = $lng['apikeys']['apikey_added'];
|
||||
} else {
|
||||
\Froxlor\UI\HTML::askYesNo('api_reallyadd', $filename, array(
|
||||
'page' => $page,
|
||||
'action' => $action
|
||||
), $id);
|
||||
}
|
||||
$key = hash('sha256', openssl_random_pseudo_bytes(64 * 64));
|
||||
$secret = hash('sha512', openssl_random_pseudo_bytes(64 * 64 * 4));
|
||||
Database::pexecute($ins_stmt, array(
|
||||
'key' => $key,
|
||||
'secret' => $secret,
|
||||
'aid' => $userinfo['adminid'],
|
||||
'cid' => $cid
|
||||
));
|
||||
$success_message = $lng['apikeys']['apikey_added'];
|
||||
} elseif ($action == 'jqEditApiKey') {
|
||||
$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
|
||||
if (empty($keyid)) {
|
||||
echo json_encode(false);
|
||||
exit;
|
||||
}
|
||||
$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
|
||||
$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;
|
||||
|
||||
|
||||
@@ -58,15 +58,23 @@ if ($action == 'add_record' && ! empty($_POST)) {
|
||||
// remove entry
|
||||
$entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
|
||||
if ($entry_id > 0) {
|
||||
try {
|
||||
DomainZones::getLocal($userinfo, array(
|
||||
'entry_id' => $entry_id,
|
||||
'id' => $domain_id
|
||||
))->delete();
|
||||
// success message (inline)
|
||||
$success_message = $lng['success']['dns_record_deleted'];
|
||||
} catch (Exception $e) {
|
||||
$errors = str_replace("\n", "<br>", $e->getMessage());
|
||||
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
try {
|
||||
DomainZones::getLocal($userinfo, array(
|
||||
'entry_id' => $entry_id,
|
||||
'id' => $domain_id
|
||||
))->delete();
|
||||
// success message (inline)
|
||||
$success_message = $lng['success']['dns_record_deleted'];
|
||||
} catch (Exception $e) {
|
||||
$errors = str_replace("\n", "<br>", $e->getMessage());
|
||||
}
|
||||
} else {
|
||||
\Froxlor\UI\HTML::askYesNo('dnsentry_reallydelete', $filename, array(
|
||||
'page' => $page,
|
||||
'action' => $action,
|
||||
'id' => $id
|
||||
), $id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
277
index.php
277
index.php
@@ -22,6 +22,7 @@ require './lib/init.php';
|
||||
use Froxlor\Database\Database;
|
||||
use Froxlor\Settings;
|
||||
use Froxlor\FroxlorLogger;
|
||||
use Froxlor\Validate\Validate;
|
||||
|
||||
if ($action == '') {
|
||||
$action = 'login';
|
||||
@@ -352,8 +353,7 @@ if ($action == '2fa_entercode') {
|
||||
$message = sprintf($lng['error']['login_blocked'], Settings::Get('login.deactivatetime'));
|
||||
break;
|
||||
case 4:
|
||||
$cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
|
||||
$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
|
||||
$message = $lng['error']['errorsendingmailpub'];
|
||||
break;
|
||||
case 5:
|
||||
$message = $lng['error']['user_banned'];
|
||||
@@ -425,159 +425,162 @@ if ($action == 'forgotpwd') {
|
||||
}
|
||||
}
|
||||
|
||||
if ($result_stmt !== null) {
|
||||
$user = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
/* Check whether user is banned */
|
||||
if ($user['deactivated']) {
|
||||
\Froxlor\UI\Response::redirectTo('index.php', array(
|
||||
'showmessage' => '8'
|
||||
));
|
||||
exit();
|
||||
$no_action = false;
|
||||
if ($adminchecked) {
|
||||
if (Settings::Get('panel.allow_preset_admin') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
unset($adminchecked);
|
||||
}
|
||||
} else {
|
||||
if (Settings::Get('panel.allow_preset') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
}
|
||||
}
|
||||
|
||||
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
|
||||
if ($user !== false) {
|
||||
// build a activation code
|
||||
$timestamp = time();
|
||||
$first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
|
||||
$third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
|
||||
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
|
||||
if (empty($message)) {
|
||||
if ($result_stmt !== null) {
|
||||
$user = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
|
||||
// Drop all existing activation codes for this user
|
||||
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
|
||||
WHERE `userid` = :userid
|
||||
AND `admin` = :admin");
|
||||
$params = array(
|
||||
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
||||
"admin" => $adminchecked ? 1 : 0
|
||||
);
|
||||
Database::pexecute($stmt, $params);
|
||||
|
||||
// Add new activation code to database
|
||||
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
|
||||
(userid, admin, creation, activationcode)
|
||||
VALUES (:userid, :admin, :creation, :activationcode)");
|
||||
$params = array(
|
||||
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
||||
"admin" => $adminchecked ? 1 : 0,
|
||||
"creation" => $timestamp,
|
||||
"activationcode" => $activationcode
|
||||
);
|
||||
Database::pexecute($stmt, $params);
|
||||
|
||||
$rstlog = FroxlorLogger::getInstanceOf(array(
|
||||
'loginname' => 'password_reset'
|
||||
/* Check whether user is banned */
|
||||
if ($user['deactivated']) {
|
||||
\Froxlor\UI\Response::redirectTo('index.php', array(
|
||||
'showmessage' => '8'
|
||||
));
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
|
||||
exit();
|
||||
}
|
||||
|
||||
// Set together our activation link
|
||||
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
|
||||
// this can be a fixed value to avoid potential exploiting by modifying headers
|
||||
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
|
||||
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
|
||||
// don't add :443 when https is used, as it is default (and just looks weird!)
|
||||
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
|
||||
$port = '';
|
||||
}
|
||||
// there can be only one script to handle this so we can use a fixed value here
|
||||
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
|
||||
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
|
||||
$script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
|
||||
}
|
||||
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
|
||||
if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
|
||||
if ($user !== false) {
|
||||
// build a activation code
|
||||
$timestamp = time();
|
||||
$first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
|
||||
$third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
|
||||
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
|
||||
|
||||
$replace_arr = array(
|
||||
'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user),
|
||||
'NAME' => $user['name'],
|
||||
'FIRSTNAME' => $user['firstname'] ?? "",
|
||||
'COMPANY' => $user['company'] ?? "",
|
||||
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
|
||||
'USERNAME' => $loginname,
|
||||
'LINK' => $activationlink
|
||||
);
|
||||
// Drop all existing activation codes for this user
|
||||
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
|
||||
WHERE `userid` = :userid
|
||||
AND `admin` = :admin");
|
||||
$params = array(
|
||||
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
||||
"admin" => $adminchecked ? 1 : 0
|
||||
);
|
||||
Database::pexecute($stmt, $params);
|
||||
|
||||
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
|
||||
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
||||
WHERE `adminid`= :adminid
|
||||
AND `language`= :lang
|
||||
AND `templategroup`=\'mails\'
|
||||
AND `varname`=\'password_reset_subject\'');
|
||||
Database::pexecute($result_stmt, array(
|
||||
"adminid" => $user['adminid'],
|
||||
"lang" => $def_language
|
||||
));
|
||||
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
$mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
|
||||
// Add new activation code to database
|
||||
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
|
||||
(userid, admin, creation, activationcode)
|
||||
VALUES (:userid, :admin, :creation, :activationcode)");
|
||||
$params = array(
|
||||
"userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
|
||||
"admin" => $adminchecked ? 1 : 0,
|
||||
"creation" => $timestamp,
|
||||
"activationcode" => $activationcode
|
||||
);
|
||||
Database::pexecute($stmt, $params);
|
||||
|
||||
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
||||
WHERE `adminid`= :adminid
|
||||
AND `language`= :lang
|
||||
AND `templategroup`=\'mails\'
|
||||
AND `varname`=\'password_reset_mailbody\'');
|
||||
Database::pexecute($result_stmt, array(
|
||||
"adminid" => $user['adminid'],
|
||||
"lang" => $def_language
|
||||
));
|
||||
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
$mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
|
||||
|
||||
$_mailerror = false;
|
||||
$mailerr_msg = "";
|
||||
try {
|
||||
$mail->Subject = $mail_subject;
|
||||
$mail->AltBody = $mail_body;
|
||||
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
|
||||
$mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
|
||||
$mail->Send();
|
||||
} catch (\PHPMailer\PHPMailer\Exception $e) {
|
||||
$mailerr_msg = $e->errorMessage();
|
||||
$_mailerror = true;
|
||||
} catch (Exception $e) {
|
||||
$mailerr_msg = $e->getMessage();
|
||||
$_mailerror = true;
|
||||
}
|
||||
|
||||
if ($_mailerror) {
|
||||
$rstlog = FroxlorLogger::getInstanceOf(array(
|
||||
'loginname' => 'password_reset'
|
||||
));
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
|
||||
|
||||
// Set together our activation link
|
||||
$protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
|
||||
// this can be a fixed value to avoid potential exploiting by modifying headers
|
||||
$host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
|
||||
$port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
|
||||
// don't add :443 when https is used, as it is default (and just looks weird!)
|
||||
if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
|
||||
$port = '';
|
||||
}
|
||||
// there can be only one script to handle this so we can use a fixed value here
|
||||
$script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
|
||||
if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
|
||||
$script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
|
||||
}
|
||||
$activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
|
||||
|
||||
$replace_arr = array(
|
||||
'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user),
|
||||
'NAME' => $user['name'],
|
||||
'FIRSTNAME' => $user['firstname'] ?? "",
|
||||
'COMPANY' => $user['company'] ?? "",
|
||||
'CUSTOMER_NO' => $user['customernumber'] ?? 0,
|
||||
'USERNAME' => $loginname,
|
||||
'LINK' => $activationlink
|
||||
);
|
||||
|
||||
$def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
|
||||
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
||||
WHERE `adminid`= :adminid
|
||||
AND `language`= :lang
|
||||
AND `templategroup`=\'mails\'
|
||||
AND `varname`=\'password_reset_subject\'');
|
||||
Database::pexecute($result_stmt, array(
|
||||
"adminid" => $user['adminid'],
|
||||
"lang" => $def_language
|
||||
));
|
||||
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
$mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
|
||||
|
||||
$result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
|
||||
WHERE `adminid`= :adminid
|
||||
AND `language`= :lang
|
||||
AND `templategroup`=\'mails\'
|
||||
AND `varname`=\'password_reset_mailbody\'');
|
||||
Database::pexecute($result_stmt, array(
|
||||
"adminid" => $user['adminid'],
|
||||
"lang" => $def_language
|
||||
));
|
||||
$result = $result_stmt->fetch(PDO::FETCH_ASSOC);
|
||||
$mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
|
||||
|
||||
$_mailerror = false;
|
||||
$mailerr_msg = "";
|
||||
try {
|
||||
$mail->Subject = $mail_subject;
|
||||
$mail->AltBody = $mail_body;
|
||||
$mail->MsgHTML(str_replace("\n", "<br />", $mail_body));
|
||||
$mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
|
||||
$mail->Send();
|
||||
} catch (\PHPMailer\PHPMailer\Exception $e) {
|
||||
$mailerr_msg = $e->errorMessage();
|
||||
$_mailerror = true;
|
||||
} catch (Exception $e) {
|
||||
$mailerr_msg = $e->getMessage();
|
||||
$_mailerror = true;
|
||||
}
|
||||
|
||||
if ($_mailerror) {
|
||||
$rstlog = FroxlorLogger::getInstanceOf(array(
|
||||
'loginname' => 'password_reset'
|
||||
));
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
||||
\Froxlor\UI\Response::redirectTo('index.php', array(
|
||||
'showmessage' => '4',
|
||||
'customermail' => $user['email']
|
||||
));
|
||||
exit();
|
||||
}
|
||||
|
||||
$mail->ClearAddresses();
|
||||
\Froxlor\UI\Response::redirectTo('index.php', array(
|
||||
'showmessage' => '4',
|
||||
'customermail' => $user['email']
|
||||
'showmessage' => '1'
|
||||
));
|
||||
exit();
|
||||
} else {
|
||||
$rstlog = FroxlorLogger::getInstanceOf(array(
|
||||
'loginname' => 'password_reset'
|
||||
));
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
|
||||
$message = $lng['login']['combination_not_found'];
|
||||
}
|
||||
|
||||
$mail->ClearAddresses();
|
||||
\Froxlor\UI\Response::redirectTo('index.php', array(
|
||||
'showmessage' => '1'
|
||||
));
|
||||
exit();
|
||||
} else {
|
||||
$rstlog = FroxlorLogger::getInstanceOf(array(
|
||||
'loginname' => 'password_reset'
|
||||
));
|
||||
$rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
|
||||
$message = $lng['login']['combination_not_found'];
|
||||
unset($user);
|
||||
}
|
||||
|
||||
unset($user);
|
||||
} else {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
}
|
||||
} else {
|
||||
$message = $lng['login']['usernotfound'];
|
||||
}
|
||||
}
|
||||
|
||||
if ($adminchecked) {
|
||||
if (Settings::Get('panel.allow_preset_admin') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
unset($adminchecked);
|
||||
}
|
||||
} else {
|
||||
if (Settings::Get('panel.allow_preset') != '1') {
|
||||
$message = $lng['pwdreminder']['notallowed'];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -723,7 +723,7 @@ opcache.validate_timestamps'),
|
||||
('panel', 'logo_image_login', ''),
|
||||
('panel', 'logo_overridetheme', '0'),
|
||||
('panel', 'logo_overridecustom', '0'),
|
||||
('panel', 'version', '0.10.38'),
|
||||
('panel', 'version', '0.10.38.3'),
|
||||
('panel', 'db_version', '202112310');
|
||||
|
||||
|
||||
|
||||
@@ -1006,3 +1006,18 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.37')) {
|
||||
showUpdateStep("Updating from 0.10.37 to 0.10.38", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.38');
|
||||
}
|
||||
|
||||
if (\Froxlor\Froxlor::isFroxlorVersion('0.10.38')) {
|
||||
showUpdateStep("Updating from 0.10.38 to 0.10.38.1", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.38.1');
|
||||
}
|
||||
|
||||
if (\Froxlor\Froxlor::isFroxlorVersion('0.10.38.1')) {
|
||||
showUpdateStep("Updating from 0.10.38.1 to 0.10.38.2", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.38.2');
|
||||
}
|
||||
|
||||
if (\Froxlor\Froxlor::isFroxlorVersion('0.10.38.2')) {
|
||||
showUpdateStep("Updating from 0.10.38.2 to 0.10.38.3", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.38.3');
|
||||
}
|
||||
|
||||
@@ -227,7 +227,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
|
||||
$ipaddress = $this->getParam('ipaddress', true, - 1);
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
|
||||
@@ -527,7 +527,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
|
||||
}
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
|
||||
|
||||
@@ -404,12 +404,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
|
||||
}
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
@@ -998,12 +998,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
|
||||
// validation
|
||||
if ($this->isAdmin()) {
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
|
||||
@@ -190,10 +190,16 @@ class Database
|
||||
*/
|
||||
public static function getSqlUsernameLength()
|
||||
{
|
||||
// MySQL user names can be up to 32 characters long (16 characters before MySQL 5.7.8).
|
||||
$mysql_max = 32;
|
||||
if (version_compare(Database::getAttribute(\PDO::ATTR_SERVER_VERSION), '5.7.8', '<')) {
|
||||
$mysql_max = 16;
|
||||
// MariaDB supports up to 80 characters but only 64 for databases and as we use the loginname also for
|
||||
// database names, we set the limit to 64 here
|
||||
if (strpos(strtolower(Database::getAttribute(\PDO::ATTR_SERVER_VERSION)), "mariadb") !== false) {
|
||||
$mysql_max = 64;
|
||||
} else {
|
||||
// MySQL user names can be up to 32 characters long (16 characters before MySQL 5.7.8).
|
||||
$mysql_max = 32;
|
||||
if (version_compare(Database::getAttribute(\PDO::ATTR_SERVER_VERSION), '5.7.8', '<')) {
|
||||
$mysql_max = 16;
|
||||
}
|
||||
}
|
||||
return $mysql_max;
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ final class Froxlor
|
||||
{
|
||||
|
||||
// Main version variable
|
||||
const VERSION = '0.10.38';
|
||||
const VERSION = '0.10.38.3';
|
||||
|
||||
// Database version (YYYYMMDDC where C is a daily counter)
|
||||
const DBVERSION = '202112310';
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
<?php
|
||||
|
||||
namespace Froxlor\Settings;
|
||||
|
||||
use Froxlor\Database\Database;
|
||||
@@ -63,9 +64,9 @@ class Store
|
||||
if (count($ids) > 0) {
|
||||
$defaultips_new = explode(',', $newfieldvalue);
|
||||
|
||||
if (! empty($defaultips_old) && ! empty($newfieldvalue)) {
|
||||
if (!empty($defaultips_old) && !empty($newfieldvalue)) {
|
||||
$in_value = $defaultips_old . ", " . $newfieldvalue;
|
||||
} elseif (! empty($defaultips_old) && empty($newfieldvalue)) {
|
||||
} elseif (!empty($defaultips_old) && empty($newfieldvalue)) {
|
||||
$in_value = $defaultips_old;
|
||||
} else {
|
||||
$in_value = $newfieldvalue;
|
||||
@@ -280,11 +281,11 @@ class Store
|
||||
if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'mysql_access_host') {
|
||||
$mysql_access_host_array = array_map('trim', explode(',', $newfieldvalue));
|
||||
|
||||
if (in_array('127.0.0.1', $mysql_access_host_array) && ! in_array('localhost', $mysql_access_host_array)) {
|
||||
if (in_array('127.0.0.1', $mysql_access_host_array) && !in_array('localhost', $mysql_access_host_array)) {
|
||||
$mysql_access_host_array[] = 'localhost';
|
||||
}
|
||||
|
||||
if (! in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
|
||||
if (!in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
|
||||
$mysql_access_host_array[] = '127.0.0.1';
|
||||
}
|
||||
|
||||
@@ -306,8 +307,8 @@ class Store
|
||||
|
||||
private static function cleanMySQLAccessHost($value)
|
||||
{
|
||||
if (substr($value, 0, 1) == '[' && substr($value, - 1) == ']') {
|
||||
return substr($value, 1, - 1);
|
||||
if (substr($value, 0, 1) == '[' && substr($value, -1) == ']') {
|
||||
return substr($value, 1, -1);
|
||||
}
|
||||
return $value;
|
||||
}
|
||||
@@ -370,66 +371,85 @@ class Store
|
||||
}
|
||||
|
||||
public static function storeSettingImage($fieldname, $fielddata)
|
||||
{
|
||||
if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
|
||||
$save_to = null;
|
||||
$path = \Froxlor\Froxlor::getInstallDir().'/img/';
|
||||
$path = \Froxlor\FileDir::makeCorrectDir($path);
|
||||
{
|
||||
if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
|
||||
$save_to = null;
|
||||
$path = \Froxlor\Froxlor::getInstallDir() . '/img/';
|
||||
$path = \Froxlor\FileDir::makeCorrectDir($path);
|
||||
|
||||
// New file?
|
||||
if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) {
|
||||
// Make sure upload directory exists
|
||||
if (!is_dir($path) && !mkdir($path, 0775)) {
|
||||
throw new \Exception("img directory does not exist and cannot be created");
|
||||
}
|
||||
// New file?
|
||||
if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) {
|
||||
// Make sure upload directory exists
|
||||
if (!is_dir($path) && !mkdir($path, 0775)) {
|
||||
throw new \Exception("img directory does not exist and cannot be created");
|
||||
}
|
||||
|
||||
// Make sure we can write to the upload directory
|
||||
if (!is_writable($path)) {
|
||||
if (!chmod($path, 0775)) {
|
||||
throw new \Exception("Cannot write to img directory");
|
||||
}
|
||||
}
|
||||
// Make sure we can write to the upload directory
|
||||
if (!is_writable($path)) {
|
||||
if (!chmod($path, 0775)) {
|
||||
throw new \Exception("Cannot write to img directory");
|
||||
}
|
||||
}
|
||||
|
||||
// Make sure mime-type matches an image
|
||||
if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
|
||||
throw new \Exception("Uploaded file not a valid image");
|
||||
}
|
||||
// Make sure mime-type matches an image
|
||||
if (function_exists('finfo_open')) {
|
||||
$finfo = finfo_open(FILEINFO_MIME_TYPE);
|
||||
$mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
|
||||
finfo_close($finfo);
|
||||
} else {
|
||||
$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
|
||||
}
|
||||
if (empty($mimetype)) {
|
||||
$mimetype = 'application/octet-stream';
|
||||
}
|
||||
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
|
||||
throw new \Exception("Uploaded file is not a valid image");
|
||||
}
|
||||
|
||||
// Determine file extension
|
||||
$spl = explode('.', $_FILES[$fieldname]['name']);
|
||||
$file_extension = strtolower(array_pop($spl));
|
||||
unset($spl);
|
||||
// Determine file extension
|
||||
$spl = explode('.', $_FILES[$fieldname]['name']);
|
||||
$file_extension = strtolower(array_pop($spl));
|
||||
unset($spl);
|
||||
|
||||
// Move file
|
||||
if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path.$fielddata['image_name'].'.'.$file_extension)) {
|
||||
throw new \Exception("Unable to save image to img folder");
|
||||
}
|
||||
if (!in_array($file_extension, [
|
||||
'jpeg',
|
||||
'jpg',
|
||||
'png',
|
||||
'gif'
|
||||
])) {
|
||||
throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
|
||||
}
|
||||
|
||||
$save_to = 'img/'.$fielddata['image_name'].'.'.$file_extension.'?v='.time();
|
||||
}
|
||||
// Move file
|
||||
if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
|
||||
throw new \Exception("Unable to save image to img folder");
|
||||
}
|
||||
|
||||
// Delete file?
|
||||
if ($fielddata['value'] !== "" && array_key_exists($fieldname.'_delete', $_POST) && $_POST[$fieldname.'_delete']) {
|
||||
@unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
|
||||
$save_to = '';
|
||||
}
|
||||
$save_to = 'img/' . $fielddata['image_name'] . '.' . $file_extension . '?v=' . time();
|
||||
}
|
||||
|
||||
// Nothing changed
|
||||
if ($save_to === null) {
|
||||
return array(
|
||||
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value']
|
||||
);
|
||||
}
|
||||
// Delete file?
|
||||
if ($fielddata['value'] !== "" && array_key_exists($fieldname . '_delete', $_POST) && $_POST[$fieldname . '_delete']) {
|
||||
@unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
|
||||
$save_to = '';
|
||||
}
|
||||
|
||||
if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) {
|
||||
return false;
|
||||
}
|
||||
// Nothing changed
|
||||
if ($save_to === null) {
|
||||
return array(
|
||||
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value']
|
||||
);
|
||||
}
|
||||
|
||||
return array(
|
||||
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to
|
||||
);
|
||||
}
|
||||
if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
return array(
|
||||
$fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to
|
||||
);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -59,7 +59,7 @@ header('Expires: ' . gmdate('D, d M Y H:i:s \G\M\T', time()));
|
||||
// Inline-JS is no longer allowed and used
|
||||
// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
|
||||
// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
|
||||
$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';";
|
||||
$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
|
||||
header("Content-Security-Policy: " . $csp_content);
|
||||
header("X-Content-Security-Policy: " . $csp_content);
|
||||
header("X-WebKit-CSP: " . $csp_content);
|
||||
|
||||
@@ -673,6 +673,7 @@ $lng['admin']['message'] = 'Write a Message';
|
||||
$lng['admin']['text'] = 'Message';
|
||||
$lng['menu']['message'] = 'Messages';
|
||||
$lng['error']['errorsendingmail'] = 'The message to "%s" failed';
|
||||
$lng['error']['errorsendingmailpub'] = 'The message to the given email-address failed';
|
||||
$lng['error']['cannotreaddir'] = 'Unable to read directory "%s"';
|
||||
$lng['message']['success'] = 'Successfully sent message to %s recipients';
|
||||
$lng['message']['norecipients'] = 'No e-mail has been sent because there are no recipients in the database';
|
||||
@@ -760,7 +761,7 @@ $lng['pwdreminder']['success'] = 'Password reset successfully requested. Please
|
||||
// ADDED IN 1.2.19-svn18
|
||||
|
||||
$lng['serversettings']['allow_password_reset']['title'] = 'Allow password reset by customers';
|
||||
$lng['pwdreminder']['notallowed'] = 'Password reset is disabled';
|
||||
$lng['pwdreminder']['notallowed'] = 'Unknown user or password reset is disabled';
|
||||
|
||||
// ADDED IN 1.2.19-svn21
|
||||
|
||||
@@ -2139,4 +2140,7 @@ $lng['error']['pathmustberelative'] = 'The user does not have the permission to
|
||||
$lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
|
||||
$lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script<br>Default is <b>/root/.acme.sh/acme.sh</b>';
|
||||
|
||||
$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
|
||||
$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key?';
|
||||
$lng['question']['api_reallyadd'] = 'Do you really want to create a new api-key?';
|
||||
$lng['question']['dnsentry_reallydelete'] = 'Do you really want to delete the dns entry?';
|
||||
$lng['question']['certificate_reallydelete'] = 'Do you really want to delete the certificate?';
|
||||
|
||||
@@ -666,6 +666,7 @@ $lng['admin']['message'] = 'Rundmail senden';
|
||||
$lng['admin']['text'] = 'Nachricht';
|
||||
$lng['menu']['message'] = 'Nachrichten';
|
||||
$lng['error']['errorsendingmail'] = 'Das Versenden der Nachricht an "%s" schlug fehl.';
|
||||
$lng['error']['errorsendingmailpub'] = 'Das Versenden der Nachricht an die angegebene E-Mail Adresse schlug fehl.';
|
||||
$lng['error']['cannotreaddir'] = 'Der Ordner "%s" kann nicht gelesen werden';
|
||||
$lng['message']['success'] = 'Nachricht erfolgreich an "%s" Empfänger gesendet';
|
||||
$lng['message']['norecipients'] = 'Es wurde keine E-Mail versendet, da sich keine Empfänger in der Datenbank befinden';
|
||||
@@ -753,7 +754,7 @@ $lng['pwdreminder']['success'] = 'Das Zurücksetzen des Passworts wurde erfolgre
|
||||
// ADDED IN 1.2.19-svn18
|
||||
|
||||
$lng['serversettings']['allow_password_reset']['title'] = 'Erlaube das Zurücksetzen des Kundenpassworts.';
|
||||
$lng['pwdreminder']['notallowed'] = 'Das Zurücksetzen des Passworts ist deaktiviert.';
|
||||
$lng['pwdreminder']['notallowed'] = 'Unbekannter Benutzer oder Zurücksetzen des Passworts ist deaktiviert.';
|
||||
|
||||
// ADDED IN 1.2.19-svn21
|
||||
|
||||
@@ -1785,4 +1786,7 @@ $lng['error']['pathmustberelative'] = 'Der Benutzer hat nicht die benötigten Be
|
||||
$lng['serversettings']['acmeshpath']['title'] = 'Pfad zu acme.sh';
|
||||
$lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script<br>Standard ist <b>/root/.acme.sh/acme.sh</b>';
|
||||
|
||||
$lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';
|
||||
$lng['question']['api_reallydelete'] = 'Api-Key wirklich löschen?';
|
||||
$lng['question']['api_reallyadd'] = 'Einen neuen Api-Key erstellen?';
|
||||
$lng['question']['dnsentry_reallydelete'] = 'Zonen-Eintrag wirklich löschen?';
|
||||
$lng['question']['certificate_reallydelete'] = 'Zertifikat wirklich löschen?';
|
||||
|
||||
@@ -29,15 +29,23 @@ $success_message = "";
|
||||
|
||||
// do the delete and then just show a success-message and the certificates list again
|
||||
if ($action == 'delete') {
|
||||
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
|
||||
$id = isset($_POST['id']) ? (int) $_POST['id'] : (isset($_GET['id']) ? (int) $_GET['id'] : 0);
|
||||
if ($id > 0) {
|
||||
try {
|
||||
$json_result = Certificates::getLocal($userinfo, array(
|
||||
if (isset($_POST['send']) && $_POST['send'] == 'send') {
|
||||
try {
|
||||
$json_result = Certificates::getLocal($userinfo, array(
|
||||
'id' => $id
|
||||
))->delete();
|
||||
$success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
|
||||
} catch (Exception $e) {
|
||||
\Froxlor\UI\Response::dynamic_error($e->getMessage());
|
||||
}
|
||||
} else {
|
||||
\Froxlor\UI\HTML::askYesNo('certificate_reallydelete', $filename, array(
|
||||
'page' => $page,
|
||||
'action' => $action,
|
||||
'id' => $id
|
||||
))->delete();
|
||||
$success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
|
||||
} catch (Exception $e) {
|
||||
\Froxlor\UI\Response::dynamic_error($e->getMessage());
|
||||
), $id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -198,7 +198,7 @@ class ValidateTest extends TestCase
|
||||
$result = Validate::validateUsername('web123sql2', true, $mysql_max);
|
||||
$this->assertTrue($result);
|
||||
// too long
|
||||
$result = Validate::validateUsername('myperfectsuperduperwebuser123sql2', true, $mysql_max);
|
||||
$result = Validate::validateUsername('myperfectsuperduperwebuserwhosnameisenormouslylongandprettyandshouldinnowaybeaccepted123sql2', true, $mysql_max);
|
||||
$this->assertFalse($result);
|
||||
// not unix-conform
|
||||
$result = Validate::validateUsername('web123-sql2', true, $mysql_max);
|
||||
|
||||
Reference in New Issue
Block a user