set version to 2.1.9 for security bugfix release

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

index.php

@@ -248,7 +248,7 @@ if ($action == '2fa_entercode') {
 				$rstlog = FroxlorLogger::getInstanceOf([
 					'loginname' => $_SERVER['REMOTE_ADDR']
 				]);
-				$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user '" . $loginname . "' tried to login.");
+				$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user tried to login.");
 
 				Response::redirectTo('index.php', [
 					'showmessage' => '2'
@@ -305,7 +305,7 @@ if ($action == '2fa_entercode') {
 			$rstlog = FroxlorLogger::getInstanceOf([
 				'loginname' => $_SERVER['REMOTE_ADDR']
 			]);
-			$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to login with wrong password.");
+			$rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User tried to login with wrong password.");
 
 			unset($userinfo);
 			Response::redirectTo('index.php', [
@@ -624,7 +624,7 @@ if ($action == 'forgotpwd') {
 							$rstlog = FroxlorLogger::getInstanceOf([
 								'loginname' => 'password_reset'
 							]);
-							$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
+							$rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "Unknown user requested to set a new password, but was not found in database!");
 							$message = lng('login.usernotfound');
 						}
 

install/froxlor.sql.php

@@ -726,7 +726,7 @@ opcache.validate_timestamps'),
 	('panel', 'logo_overridecustom', '0'),
 	('panel', 'settings_mode', '0'),
 	('panel', 'menu_collapsed', '1'),
-	('panel', 'version', '2.1.8'),
+	('panel', 'version', '2.1.9'),
 	('panel', 'db_version', '202312120');
 
 

install/updates/froxlor/update_2.1.inc.php

@@ -299,3 +299,8 @@ if (Froxlor::isFroxlorVersion('2.1.7')) {
 	Update::showUpdateStep("Updating from 2.1.7 to 2.1.8", false);
 	Froxlor::updateToVersion('2.1.8');
 }
+
+if (Froxlor::isFroxlorVersion('2.1.8')) {
+	Update::showUpdateStep("Updating from 2.1.8 to 2.1.9", false);
+	Froxlor::updateToVersion('2.1.9');
+}

lib/Froxlor/Api/Commands/SysLog.php

@@ -90,6 +90,8 @@ class SysLog extends ApiCommand implements ResourceEntity
 		}
 		Database::pexecute($result_stmt, $query_fields, true, true);
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+			// clean log-text
+			$row['text'] = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $row['text']);
 			$result[] = $row;
 		}
 		$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] list log-entries");

lib/Froxlor/Cron/System/ExportCron.php

@@ -115,30 +115,46 @@ class ExportCron extends FroxlorCron
 
 			$has_dbs = false;
 			$current_dbserver = -1;
-			while ($row = $sel_stmt->fetch()) {
+
-				// Get sql_root data for the specific database-server the database resides on
+			// look for mysqldump
-				if ($current_dbserver != $row['dbserver']) {
+			$section = 'mysqldump';
-					Database::needRoot(true, $row['dbserver']);
+			if (file_exists("/usr/bin/mysqldump")) {
-					Database::needSqlData();
+				$mysql_dump = '/usr/bin/mysqldump';
-					$sql_root = Database::getSqlData();
+			} elseif (file_exists("/usr/local/bin/mysqldump")) {
-					Database::needRoot(false);
+				$mysql_dump = '/usr/local/bin/mysqldump';
-					// create temporary mysql-defaults file for the connection-credentials/details
+			} elseif (file_exists("/usr/bin/mariadb-dump")) {
-					$mysqlcnf_file = tempnam("/tmp", "frx");
+				$mysql_dump = '/usr/bin/mariadb-dump';
-					$mysqlcnf = "[mysqldump]\npassword=" . $sql_root['passwd'] . "\nhost=" . $sql_root['host'] . "\n";
+				$section = 'mariadb-dump';
-					if (!empty($sql_root['port'])) {
+			}
-						$mysqlcnf .= "port=" . $sql_root['port'] . "\n";
+			if (!isset($mysql_dump)) {
-					} elseif (!empty($sql_root['socket'])) {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'mysqldump/mariadb-dump executable could not be found. Please install mysql-client/mariadb-client package.');
-						$mysqlcnf .= "socket=" . $sql_root['socket'] . "\n";
+			} else {
+
+				while ($row = $sel_stmt->fetch()) {
+					// Get sql_root data for the specific database-server the database resides on
+					if ($current_dbserver != $row['dbserver']) {
+						Database::needRoot(true, $row['dbserver']);
+						Database::needSqlData();
+						$sql_root = Database::getSqlData();
+						Database::needRoot(false);
+						// create temporary mysql-defaults file for the connection-credentials/details
+						$mysqlcnf_file = tempnam("/tmp", "frx");
+						$mysqlcnf = "[".$section."]\npassword=" . $sql_root['passwd'] . "\nhost=" . $sql_root['host'] . "\n";
+						if (!empty($sql_root['port'])) {
+							$mysqlcnf .= "port=" . $sql_root['port'] . "\n";
+						} elseif (!empty($sql_root['socket'])) {
+							$mysqlcnf .= "socket=" . $sql_root['socket'] . "\n";
+						}
+						file_put_contents($mysqlcnf_file, $mysqlcnf);
 					}
-					file_put_contents($mysqlcnf_file, $mysqlcnf);
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, 'shell> '.basename($mysql_dump) . ' -u ' . escapeshellarg($sql_root['user']) . ' -pXXXXX ' . $row['databasename'] . ' > ' . FileDir::makeCorrectFile($tmpdir . '/mysql/' . $row['databasename'] . '_' . date('YmdHi', time()) . '.sql'));
+					$bool_false = false;
+					FileDir::safe_exec($mysql_dump . ' --defaults-file=' . escapeshellarg($mysqlcnf_file) . ' -u ' . escapeshellarg($sql_root['user']) . ' ' . $row['databasename'] . ' > ' . FileDir::makeCorrectFile($tmpdir . '/mysql/' . $row['databasename'] . '_' . date('YmdHi', time()) . '.sql'), $bool_false, [
+						'>'
+					]);
+					$has_dbs = true;
+					$current_dbserver = $row['dbserver'];
 				}
-				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, 'shell> mysqldump -u ' . escapeshellarg($sql_root['user']) . ' -pXXXXX ' . $row['databasename'] . ' > ' . FileDir::makeCorrectFile($tmpdir . '/mysql/' . $row['databasename'] . '_' . date('YmdHi', time()) . '.sql'));
-				$bool_false = false;
-				FileDir::safe_exec('mysqldump --defaults-file=' . escapeshellarg($mysqlcnf_file) . ' -u ' . escapeshellarg($sql_root['user']) . ' ' . $row['databasename'] . ' > ' . FileDir::makeCorrectFile($tmpdir . '/mysql/' . $row['databasename'] . '_' . date('YmdHi', time()) . '.sql'), $bool_false, [
-					'>'
-				]);
-				$has_dbs = true;
-				$current_dbserver = $row['dbserver'];
 			}
 
 			if ($has_dbs) {

lib/Froxlor/Froxlor.php

@@ -31,7 +31,7 @@ final class Froxlor
 {
 
 	// Main version variable
-	const VERSION = '2.1.8';
+	const VERSION = '2.1.9';
 
 	// Database version (YYYYMMDDC where C is a daily counter)
 	const DBVERSION = '202312120';

lib/Froxlor/FroxlorLogger.php

@@ -175,6 +175,9 @@ class FroxlorLogger
 			$this->initMonolog();
 		}
 
+		// clean log-text
+		$text = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $text);
+
 		if (self::$crondebug_flag || ($action == FroxlorLogger::CRON_ACTION && $type <= LOG_WARNING)) {
 			echo "[" . $this->getLogLevelDesc($type) . "] " . $text . PHP_EOL;
 		}

lib/Froxlor/Install/Install/Core.php

@@ -176,15 +176,19 @@ class Core
 			$filename = "/tmp/froxlor_backup_" . date('YmdHi') . ".sql";
 
 			// look for mysqldump
+			$section = 'mysqldump';
 			if (file_exists("/usr/bin/mysqldump")) {
 				$mysql_dump = '/usr/bin/mysqldump';
 			} elseif (file_exists("/usr/local/bin/mysqldump")) {
 				$mysql_dump = '/usr/local/bin/mysqldump';
+			} elseif (file_exists("/usr/bin/mariadb-dump")) {
+				$mysql_dump = '/usr/bin/mariadb-dump';
+				$section = 'mariadb-dump';
 			}
 
 			// create temporary .cnf file
 			$cnffilename = "/tmp/froxlor_dump.cnf";
-			$dumpcnf = "[mysqldump]" . PHP_EOL . "password=\"" . $this->validatedData['mysql_root_pass'] . "\"" . PHP_EOL;
+			$dumpcnf = "[".$section."]" . PHP_EOL . "password=\"" . $this->validatedData['mysql_root_pass'] . "\"" . PHP_EOL;
 			file_put_contents($cnffilename, $dumpcnf);
 
 			// make the backup
@@ -195,7 +199,7 @@ class Core
 				@unlink($cnffilename);
 				if (stristr(implode(" ", $output), "error")) {
 					throw new Exception(lng('install.errors.mysqldump_backup_failed'));
-				} else if (!file_exists($filename)) {
+				} elseif (!file_exists($filename)) {
 					throw new Exception(lng('install.errors.sql_backup_file_missing'));
 				}
 			} else {
@@ -379,7 +383,7 @@ class Core
 			$this->updateSetting($upd_stmt, 1, 'system', 'leenabled');
 			$this->updateSetting($upd_stmt, 1, 'system', 'le_froxlor_enabled');
 		}
-		$this->updateSetting($upd_stmt, $this->validatedData['servername'], 'system', 'hostname');
+		$this->updateSetting($upd_stmt, strtolower($this->validatedData['servername']), 'system', 'hostname');
 		$this->updateSetting($upd_stmt, 'en', 'panel', 'standardlanguage'); // TODO: set language
 		$this->updateSetting($upd_stmt, $this->validatedData['mysql_access_host'], 'system', 'mysql_access_host');
 		$this->updateSetting($upd_stmt, $this->validatedData['webserver'], 'system', 'webserver');