Merge branch '5643-confidential-issue' into 'stable-3.1'

Till Brehm · Till Brehm · commit 06d0edf626fa · 2020-07-24T13:15:54.000+02:00
- disallow several folders for vhost subdomains and aliasdomains

See merge request ispconfig/ispconfig3!1067
diff --git a/interface/lib/classes/system.inc.php b/interface/lib/classes/system.inc.php
@@ -67,30 +67,42 @@ public function has_service($userid, $service) {
 		}
 	}
 
+	public function is_blacklisted_web_path($path) {
+		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');
+
+		$path = ltrim($path, '/');
+		$parts = explode('/', $path);
+		if(in_array(strtolower($parts[0]), $blacklist, true)) {
+			return true;
+		}
+
+		return false;
+	}
+
 	public function last_exec_out() {
 		return $this->_last_exec_out;
 	}
-	
+
 	public function last_exec_retcode() {
 		return $this->_last_exec_retcode;
 	}
-	
+
 	public function exec_safe($cmd) {
 		$arg_count = func_num_args();
 		$args = func_get_args();
-		
+
 		if($arg_count != substr_count($cmd, '?') + 1) {
 			trigger_error('Placeholder count not matching argument list.', E_USER_WARNING);
 			return false;
 		}
 		if($arg_count > 1) {
 			array_shift($args);
-			
+
 			$pos = 0;
 			$a = 0;
 			foreach($args as $value) {
 				$a++;
-				
+
 				$pos = strpos($cmd, '?', $pos);
 				if($pos === false) {
 					break;
@@ -100,16 +112,16 @@ public function exec_safe($cmd) {
 				$pos += strlen($value);
 			}
 		}
-		
+
 		$this->_last_exec_out = null;
 		$this->_last_exec_retcode = null;
 		return exec($cmd, $this->_last_exec_out, $this->_last_exec_retcode);
 	}
-	
+
 	public function system_safe($cmd) {
 		call_user_func_array(array($this, 'exec_safe'), func_get_args());
 		return implode("\n", $this->_last_exec_out);
-	}	
+	}
 
     //* Check if a application is installed
     public function is_installed($appname) {
@@ -122,5 +134,5 @@ public function is_installed($appname) {
             return false;
         }
     }
-	
+
 } //* End Class
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
@@ -1030,11 +1030,7 @@ function onSubmit() {
 				$this->dataRecord['web_folder'] = strtolower($this->dataRecord['web_folder']);
 				if(substr($this->dataRecord['web_folder'], 0, 1) === '/') $this->dataRecord['web_folder'] = substr($this->dataRecord['web_folder'], 1);
 				if(substr($this->dataRecord['web_folder'], -1) === '/') $this->dataRecord['web_folder'] = substr($this->dataRecord['web_folder'], 0, -1);
-				$forbidden_folders = array('', 'cgi-bin', 'log', 'private', 'ssl', 'tmp', 'webdav');
-				$check_folder = strtolower($this->dataRecord['web_folder']);
-				if(substr($check_folder, 0, 1) === '/') $check_folder = substr($check_folder, 1); // strip / at beginning to check against forbidden entries
-				if(strpos($check_folder, '/') !== false) $check_folder = substr($check_folder, 0, strpos($check_folder, '/')); // get the first part of the path to check it
-				if(in_array($check_folder, $forbidden_folders)) {
+				if($app->system->is_blacklisted_web_path($this->dataRecord['web_folder'])) {
 					$app->tform->errorMessage .= $app->tform->lng("web_folder_invalid_txt")."<br>";
 				}
 
diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php
@@ -1787,6 +1787,18 @@ function set_immutable($path, $enable = true, $recursive = false) {
 		}
 	}
 
+	public function is_blacklisted_web_path($path) {
+		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');
+
+		$path = ltrim($path, '/');
+		$parts = explode('/', $path);
+		if(in_array(strtolower($parts[0]), $blacklist, true)) {
+			return true;
+		}
+
+		return false;
+	}
+
 	function web_folder_protection($document_root, $protect) {
 		global $app, $conf;
 
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
@@ -580,6 +580,11 @@ function update($event_name, $data) {
 			$log_folder .= '/' . $subdomain_host;
 			unset($tmp);
 
+			if($app->system->is_blacklisted_web_path($web_folder)) {
+				$app->log('Vhost is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR);
+				return 0;
+			}
+
 			if(isset($data['old']['parent_domain_id'])) {
 				// old one
 				$tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = ?', $data['old']['parent_domain_id']);
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
@@ -425,6 +425,11 @@ function update($event_name, $data) {
 			$log_folder .= '/' . $subdomain_host;
 			unset($tmp);
 
+			if($app->system->is_blacklisted_web_path($web_folder)) {
+				$app->log('Vhost is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR);
+				return 0;
+			}
+
 			if(isset($data['old']['parent_domain_id'])) {
 				// old one
 				$tmp = $app->db->queryOneRecord('SELECT `domain` FROM web_domain WHERE domain_id = ?', $data['old']['parent_domain_id']);
