Added apache directives check agains regex blacklist in security settings.

Author: Till Brehm

interface/lib/classes/IDS/Monitor.php

@@ -250,7 +250,7 @@ private function detect($key, $value)
         $filterSet = $this->storage->getFilterSet();
 
         if ($tags = $this->tags) {
-            $filterSet = array_filter(
+            $filterSet = @array_filter(
                 $filterSet,
                 function (Filter $filter) use ($tags) {
                     return (bool) array_intersect($tags, $filter->getTags());
@@ -259,7 +259,7 @@ function (Filter $filter) use ($tags) {
         }
 
         $scanKeys = $this->scanKeys;
-        $filterSet = array_filter(
+        $filterSet = @array_filter(
             $filterSet,
             function (Filter $filter) use ($key, $value, $scanKeys) {
                 return $filter->match($value) || $scanKeys && $filter->match($key);

interface/lib/classes/validate_domain.inc.php

@@ -97,6 +97,45 @@ function web_domain_autosub($field_name, $field_value, $validator) {
 		$result = $this->_check_unique($field_value . '.' . $check_domain, true);
 		if(!$result) return $this->get_error('domain_error_autosub');
 	}
+	
+	/* Check apache directives */
+	function web_apache_directives($field_name, $field_value, $validator) {
+		global $app;
+		
+		if(trim($field_value) != '') {
+			$security_config = $app->getconf->get_security_config('ids');
+		
+			if($security_config['apache_directives_scan_enabled'] == 'yes') {
+				
+				// Get blacklist
+				$blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist';
+				if(is_file('/usr/local/ispconfig/security/apache_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist.custom';
+				if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/apache_directives.blacklist');
+				
+				$directives = explode("\n",$field_value);
+				$regex = explode("\n",file_get_contents($blacklist_path));
+				$blocked = false;
+				$blocked_line = '';
+				
+				if(is_array($directives) && is_array($regex)) {
+					foreach($directives as $directive) {
+						$directive = trim($directive);
+						foreach($regex as $r) {
+							if(preg_match(trim($r),$directive)) {
+								$blocked = true;
+								$blocked_line = $directive;
+							};
+						}
+					}
+				}
+			}
+		}
+		
+		if($blocked === true) {
+			return $this->get_error('apache_directive_blocked_error').' '.$blocked_line;
+		}
+	}
+	
 
 	/* internal validator function to match regexp */
 	function _regex_validate($domain_name, $allow_wildcard = false) {
@@ -175,5 +214,6 @@ function _wildcard_limit() {
 		}
 		return true; // admin may always add wildcard domain
 	}
+	
 
 }

interface/web/sites/form/web_domain.tform.php

@@ -730,6 +730,13 @@
 			'apache_directives' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXT',
+				'validators' => array (  0 => array(
+							'type' => 'CUSTOM',
+							'class' => 'validate_domain',
+							'function' => 'web_apache_directives',
+							'errmsg' => 'apache_directive_blockd_error'
+						),
+				),
 				'default' => '',
 				'value'  => '',
 				'width'  => '30',

interface/web/sites/form/web_vhost_subdomain.tform.php

@@ -706,6 +706,13 @@
 			'apache_directives' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXT',
+				'validators' => array (  0 => array(
+							'type' => 'CUSTOM',
+							'class' => 'validate_domain',
+							'function' => 'web_apache_directives',
+							'errmsg' => 'apache_directive_blockd_error'
+						),
+				),
 				'default' => '',
 				'value'  => '',
 				'width'  => '30',

interface/web/sites/lib/lang/ar_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E
 $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
 ?>

interface/web/sites/lib/lang/bg_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E
 $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
 ?>

interface/web/sites/lib/lang/br_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E
 $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
 ?>

interface/web/sites/lib/lang/cz_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Oddělte více adresářů čárkami. Vzor:
 $wb['backup_excludes_error_regex'] = 'Vyloučené adresáře obsahují neplatné znaky.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Neplatné nastavení php.ini';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
 ?>

interface/web/sites/lib/lang/de_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Mehrere Verzeichnisse mit Kommas trennen. Be
 $wb['backup_excludes_error_regex'] = 'Die auszuschließenden Verzeichnisse enthalten ungültige Zeichen.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Unzulässige php.ini-Einstellungen';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Die Apache Direktive wurde durch die Sicherheitsrichtline blockiert:';
 ?>

interface/web/sites/lib/lang/el_web_domain.lng

@@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E
 $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.';
 $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings';
 $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
+$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:';
 ?>