Merge branch 'stable-3.1' into 'stable-3.1'

Stable 3.1

See merge request ispconfig/ispconfig3!704

Author: Marius Burkard

interface/lib/app.inc.php

@@ -298,14 +298,14 @@ public function tpl_defaults() {
 
 		$this->tpl->setVar('phpsessid', session_id());
 
-		$this->tpl->setVar('theme', $_SESSION['s']['theme']);
+		$this->tpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']);
 
 		$this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name']);
-			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name']);
+			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
+			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$this->tpl->setVar('is_admin', 1);
@@ -315,7 +315,7 @@ public function tpl_defaults() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$this->tpl->setVar('logout_txt', $this->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){
@@ -342,7 +342,7 @@ public function tpl_defaults() {
 // load and enable PHP Intrusion Detection System (PHPIDS)
 $ids_security_config = $app->getconf->get_security_config('ids');
 
-if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
+if(is_dir(ISPC_CLASS_PATH.'/IDS') && ($ids_security_config['ids_anon_enabled'] == 'yes' || $ids_security_config['ids_user_enabled'] == 'yes' || $ids_security_config['ids_admin_enabled'] == 'yes')) {
 	$app->uses('ids');
 	$app->ids->start();
 }

interface/lib/classes/db_mysql.inc.php

@@ -472,7 +472,7 @@ private function check_utf8($str) {
 	public function escape($sString) {
 		global $app;
 		if(!is_string($sString) && !is_numeric($sString)) {
-			$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_INFO);
+			$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_DEBUG);
 			//$sAddMsg = getDebugBacktrace();
 			$app->log($sAddMsg, LOGLEVEL_DEBUG);
 			$sString = '';
@@ -481,7 +481,7 @@ public function escape($sString) {
 		$cur_encoding = mb_detect_encoding($sString);
 		if($cur_encoding != "UTF-8") {
 			if($cur_encoding != 'ASCII') {
-				if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
+				if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_DEBUG);
 				if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
 				else $sString = mb_convert_encoding($sString, 'UTF-8');
 			}

interface/lib/classes/ids.inc.php

@@ -118,7 +118,25 @@ public function start()
 
 			$impact = $ids_result->getImpact();
 
-			if($impact >= $security_config['ids_log_level']) {
+			// Choose level from security config
+			if($app->auth->is_admin()) {
+				// User is admin
+				$ids_log_level = $security_config['ids_admin_log_level'];
+				$ids_warn_level = $security_config['ids_admin_warn_level'];
+				$ids_block_level = $security_config['ids_admin_block_level'];
+			} elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
+				// User is Client or Reseller
+				$ids_log_level = $security_config['ids_user_log_level'];
+				$ids_warn_level = $security_config['ids_user_warn_level'];
+				$ids_block_level = $security_config['ids_user_block_level'];
+			} else {
+				// Not logged in
+				$ids_log_level = $security_config['ids_anon_log_level'];
+				$ids_warn_level = $security_config['ids_anon_warn_level'];
+				$ids_block_level = $security_config['ids_anon_block_level'];
+			}
+			
+			if($impact >= $ids_log_level) {
 				$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
 				if(!is_file($ids_log)) touch($ids_log);
 
@@ -132,11 +150,11 @@ public function start()
 
 			}
 
-			if($impact >= $security_config['ids_warn_level']) {
+			if($impact >= $ids_warn_level) {
 				$app->log("PHP IDS Alert.".$ids_result, 2);
 			}
 
-			if($impact >= $security_config['ids_block_level']) {
+			if($impact >= $ids_block_level) {
 				$app->error("Possible attack detected. This action has been logged.",'', true, 2);
 			}
 

interface/lib/classes/plugin_listview.inc.php

@@ -56,7 +56,7 @@ function onShow() {
 		// $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$listTpl->setVar('parent_id', $this->form->id);
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 
 		// Generate the SQL for searching
 		$sql_where = "";
@@ -193,13 +193,13 @@ function onShow() {
 
 		$listTpl->setVar('phpsessid', session_id());
 
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']);
 
 		$listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$listTpl->setVar('app_module', $_SESSION['s']['module']['name']);
+			$listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$listTpl->setVar('is_admin', 1);
@@ -209,7 +209,7 @@ function onShow() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$listTpl->setVar('logout_txt', $app->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){

interface/lib/classes/tform.inc.php

@@ -115,11 +115,18 @@ function getNextTab() {
 			// Show the same tab again in case of an error
 			$active_tab = $_SESSION["s"]["form"]["tab"];
 		}
+		
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
+			die('Invalid next tab name.');
+		}
 
 		return $active_tab;
 	}
 
 	function getCurrentTab() {
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) {
+			die('Invalid current tab name.');
+		}
 		return $_SESSION["s"]["form"]["tab"];
 	}
 

interface/lib/classes/tform_actions.inc.php

@@ -287,7 +287,7 @@ function onError() {
 		global $app, $conf;
 
 		$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
-		$app->tpl->setVar($this->dataRecord);
+		$app->tpl->setVar($this->dataRecord, null, true);
 		$this->onShow();
 	}
 

interface/lib/classes/tform_base.inc.php

@@ -245,7 +245,7 @@ protected function _decode($record, $tab = '', $api = false) {
 	 */
 	function decode($record, $tab) {
 		global $conf, $app;
-		if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: $tab).");
+		if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: ".$app->functions->htmlentities($tab).").");
 		return $this->_decode($record, $tab, false);
 	}
 
@@ -416,7 +416,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 		$this->action = $action;
 
 		if(!is_array($this->formDef)) $app->error("No form definition found.");
-		if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+		if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
 
 		/* CSRF PROTECTION */
 		// generate csrf protection id and key
@@ -868,7 +868,7 @@ protected function _encode($record, $tab, $dbencode = true, $api = false) {
 	function encode($record, $tab, $dbencode = true) {
 		global $app;
 
-		if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: $tab).");
+		if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
 		return $this->_encode($record, $tab, $dbencode, false);
 	}
 
@@ -1437,7 +1437,7 @@ function getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_whe
 		}
 
 		if(!is_array($this->formDef)) $app->error("Form definition not found.");
-		if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+		if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
 
 		return $this->_getSQL($record, $tab, $action, $primary_id, $sql_ext_where, false);
 	}

interface/lib/classes/tpl.inc.php

@@ -226,21 +226,26 @@ public function newTemplate($tmplfile)
 		 * using the keys as variable names and the values as variable values.
 		 * @param mixed $k key to define variable name
 		 * @param mixed $v variable to assign to $k
+		 * @param bool $encode if set to true use htmlentities on values
 		 * @return boolean true/false
 		 * @access public
 		 */
-		public function setVar($k, $v = null)
+		public function setVar($k, $v = null, $encode = false)
 		{
+			global $app;
+			
 			if (is_array($k)) {
 				foreach($k as $key => $value){
 					$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
 					if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
+						if($encode == true) $value = $app->functions->htmlentities($value);
 						$this->_vars[$key] = $value;
 					}
 				}
 			} else {
 				if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
 					if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
+					if($encode == true) $v = $app->functions->htmlentities($v);
 					$this->_vars[trim($k)] = $v;
 				} else {
 					return false;

interface/web/admin/directive_snippets_edit.php

@@ -70,9 +70,9 @@ function onShowEnd() {
 		if($this->id > 0){
 			if($this->dataRecord['master_directive_snippets_id'] > 0){
 				$is_master = true;
-				$app->tpl->setVar("name", $this->dataRecord['name']);
-				$app->tpl->setVar("type", $this->dataRecord['type']);
-				$app->tpl->setVar("snippet", $this->dataRecord['snippet']);
+				$app->tpl->setVar("name", $this->dataRecord['name'], true);
+				$app->tpl->setVar("type", $this->dataRecord['type'], true);
+				$app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
 			}
 		}
 		$app->tpl->setVar("is_master", $is_master);

interface/web/admin/firewall_edit.php

@@ -57,7 +57,7 @@ function onShowEnd() {
 		if($this->id ==0) { //* new record
 			$server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name");
 			if(is_array($server_list)) {
-				foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >$server[server_name]</option>\r\n";
+				foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";
 			}
 			$app->tpl->setVar('server_id', $server_select);
 		}