Merge branch 'stable-3.1'

Author: Marius Burkard

install/install.php

@@ -559,8 +559,9 @@
 
 	//** Customise the port ISPConfig runs on
 	$ispconfig_vhost_port = $inst->free_query('ISPConfig Port', '8080','ispconfig_port');
-	$conf['interface_password'] = $inst->free_query('Admin password', 'admin','ispconfig_admin_password');
-	if(!AUTOINSTALL && $conf['interface_password'] != 'admin') {
+	$temp_admin_password = str_shuffle(bin2hex(openssl_random_pseudo_bytes(4)));
+	$conf['interface_password'] = $inst->free_query('Admin password', $temp_admin_password, 'ispconfig_admin_password');
+	if($conf['interface_password'] != $temp_admin_password) {
 		$check = false;
 		do {
 			unset($temp_password);
@@ -571,6 +572,7 @@
 	}
 	unset($check);
 	unset($temp_password);
+	unset($temp_admin_password);
 	if($conf['apache']['installed'] == true) $conf['apache']['vhost_port']  = $ispconfig_vhost_port;
 	if($conf['nginx']['installed'] == true) $conf['nginx']['vhost_port']  = $ispconfig_vhost_port;
 	unset($ispconfig_vhost_port);

install/sql/incremental/upd_dev_collection.sql

@@ -1,3 +1,4 @@
+<<<<<<< HEAD
 ALTER TABLE `mail_mailinglist` ADD `list_type` enum('open','closed') NOT NULL DEFAULT 'open';
 ALTER TABLE `mail_mailinglist` ADD `subject_prefix` varchar(50) NOT NULL DEFAULT '';
 ALTER TABLE `mail_mailinglist` ADD `admins` mediumtext;
@@ -86,4 +87,7 @@ INSERT IGNORE INTO `dns_ssl_ca` (`id`, `sys_userid`, `sys_groupid`, `sys_perm_us
 (NULL, 1, 1, 'riud', 'riud', '', 'Y', 'WISeKey', 'wisekey.com', 'Y', '', 0),
 (NULL, 1, 1, 'riud', 'riud', '', 'Y', 'WoSign', 'wosign.com', 'Y', '', 0);
 
-ALTER TABLE `dns_rr` CHANGE `type` `type` ENUM('A','AAAA','ALIAS','CAA','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY') CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
+ALTER TABLE `dns_rr` CHANGE `type` `type` ENUM('A','AAAA','ALIAS','CAA','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY') CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
+ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
+ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
+ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;

install/sql/ispconfig3.sql

@@ -1330,6 +1330,8 @@ CREATE TABLE `remote_user` (
   `sys_perm_other` varchar(5) default NULL,
   `remote_username` varchar(64) NOT NULL DEFAULT '',
   `remote_password` varchar(64) NOT NULL DEFAULT '',
+  `remote_access` enum('y','n') NOT NULL DEFAULT 'y',
+  `remote_ips` TEXT,
   `remote_functions` text,
   PRIMARY KEY  (`remote_userid`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
@@ -2029,6 +2031,7 @@ CREATE TABLE `web_domain` (
   `rewrite_to_https` ENUM('y','n') NOT NULL DEFAULT 'n',
   `ssl` enum('n','y') NOT NULL default 'n',
   `ssl_letsencrypt` enum('n','y') NOT NULL DEFAULT 'n',
+  `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n',
   `ssl_state` varchar(255) NULL,
   `ssl_locality` varchar(255) NULL,
   `ssl_organisation` varchar(255) NULL,

interface/lib/classes/listform.inc.php

@@ -583,7 +583,7 @@ public function encode($record)
 					break;
 
 				case 'CURRENCY':
-					$record[$key] = str_replace(',', '.', $record[$key]);
+					$record[$key] = $app->functions->currency_unformat($record[$key]);
 					break;
 
 				case 'BOOLEAN':

interface/lib/classes/remoting.inc.php

@@ -77,33 +77,30 @@ public function login($username, $password, $client_login = false)
 		$app->uses('ini_parser,getconf');
 		$server_config_array = $app->getconf->get_global_config('misc');
 		if($server_config_array['maintenance_mode'] == 'y'){
-			throw new SoapFault('maintenance_mode', 'This ISPConfig installation is currently under maintenance. We should be back shortly. Thank you for your patience.');
-			return false;
-		}
-
-		if(empty($username)) {
-			$error = array('faultcode' => 'login_username_empty', 'faultstring' => 'The login username is empty.');
-		}
+			$error = array('faultcode' => 'maintenance_mode', 'faultstring' => 'This ISPConfig installation is currently under maintenance. We should be back shortly. Thank you for your patience.');
+		} else {
+			if(empty($username)) {
+				$error = array('faultcode' => 'login_username_empty', 'faultstring' => 'The login username is empty.');
+			}
 
-		if(empty($password)) {
-			$error = array('faultcode' => 'login_password_empty', 'faultstring' => 'The login password is empty.');
-		}
+			if(empty($password)) {
+				$error = array('faultcode' => 'login_password_empty', 'faultstring' => 'The login password is empty.');
+			}
 
-		//* Delete old remoting sessions
-		$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP()";
-		$app->db->query($sql);
+			//* Delete old remoting sessions
+			$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP()";
+			$app->db->query($sql);
 
-		$ip = md5($_SERVER['REMOTE_ADDR']);
-		$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
-		$alreadyfailed = $app->db->queryOneRecord($sql, $ip);
+			$ip = md5($_SERVER['REMOTE_ADDR']);
+			$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
+			$alreadyfailed = $app->db->queryOneRecord($sql, $ip);
 
-		if($alreadyfailed['times'] > 5) {
-				throw new SoapFault('error_user_too_many_logins', 'Too many failed logins');
-				return false;
+			if($alreadyfailed['times'] > 5) {
+				$error = array('faultcode' => 'error_user_too_many_logins', 'faultstring' => 'Too many failed logins.');
+			}
 		}
 
 		if (empty($error)) {
-
 			if($client_login == true) {
 				$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
 				$user = $app->db->queryOneRecord($sql, $username);
@@ -135,20 +132,50 @@ public function login($username, $password, $client_login = false)
 				if(!$client || $client['can_use_api'] != 'y') {
 					$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Client may not use api.');
 				}
-
-				//* Create a remote user session
-				//srand ((double)microtime()*1000000);
-				$remote_session = md5(mt_rand().uniqid('ispco'));
-				$remote_userid = $remote_user['remote_userid'];
-				$remote_functions = $remote_user['remote_functions'];
-				$tstamp = time() + $this->session_timeout;
-				$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
-					.') VALUES (?, ?, ?, ?)';
-				$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
 			} else {
 				$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
 				$remote_user = $app->db->queryOneRecord($sql, $username, $password);
 				if($remote_user['remote_userid'] > 0) {
+					$allowed_ips = explode(',',$remote_user['remote_ips']);
+					foreach($allowed_ips as $i => $allowed) { 
+						if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+							// get the ip for a hostname
+							unset($allowed_ips[$i]);
+							$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
+							foreach($temp as $t) {
+								if(isset($t['ip'])) $allowed_ips[] = $t['ip'];
+								if(isset($t['ipv6'])) $allowed_ips[] = $t['ipv6'];
+							}
+							unset($temp);
+						}
+					}
+					$allowed_ips[] = '127.0.0.1';
+					$allowed_ips[] = '::1';
+					$allowed_ips=array_unique($allowed_ips);
+					$ip = $_SERVER['REMOTE_ADDR'];
+					$remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false;
+					if(!$remote_allowed && $remote_user['remote_access'] == 'y') {
+						if(trim($remote_user['remote_ips']) == '') {
+							$remote_allowed=true;
+						} else {
+							$ip = inet_pton($_SERVER['REMOTE_ADDR']);
+							foreach($allowed_ips as $allowed) {
+								if($ip == inet_pton(trim($allowed))) {
+									$remote_allowed=true;
+									break;
+								}
+							}
+						}
+					}
+					if(!$remote_allowed) {
+						$error = array('faultcode' => 'login_failed', 'faultstring' => 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
+					}
+				} else {
+					$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
+				}
+			}
+			
+			if(empty($error) && isset($remote_user['remote_userid'])) {
 					//* Create a remote user session
 					//srand ((double)microtime()*1000000);
 					$remote_session = md5(mt_rand().uniqid('ispco'));
@@ -158,13 +185,9 @@ public function login($username, $password, $client_login = false)
 					$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
 						.') VALUES (?, ?, ?, ?)';
 					$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
-				} else {
-					$error = array('faultcode' => 'login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
 				}
 			}
 
-		}
-
 			if (! empty($error)) {
 				if(! $alreadyfailed['times']) {
 					//* user login the first time wrong

interface/lib/classes/tform_base.inc.php

@@ -808,7 +808,7 @@ protected function _encode($record, $tab, $dbencode = true, $api = false) {
 					$new_record[$key] = $record[$key];
 					break;
 				case 'CURRENCY':
-					$new_record[$key] = str_replace(",", ".", $record[$key]);
+					$new_record[$key] = $app->functions->currency_unformat($record[$key]);
 					break;
 
 				case 'DATETIME':

interface/lib/classes/validate_remote_user.inc.php

@@ -0,0 +1,61 @@
+<?php
+
+/*
+Copyright (c) 2017, Florian Schaal , schaal @it UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class validate_remote_user {
+
+	function valid_remote_ip($field_name, $field_value, $validator) {
+		global $app;
+
+		if(trim($field_value) == '') return;
+
+		$values = explode(',', $field_value);
+		$regex = '/^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/';
+		foreach($values as $cur_value) {
+			$cur_value = trim($cur_value);
+			$valid = true;
+			if(function_exists('filter_var')) {
+				if(!filter_var($cur_value, FILTER_VALIDATE_IP)) {
+					$valid = false;
+					if(preg_match($regex, $cur_value)) $valid = true;
+				}
+			} else return "function filter_var missing <br />\r\n";
+
+			if($valid == false) {
+				$errmsg = $validator['errmsg'];
+				if(isset($app->tform->wordbook[$errmsg])) {
+					return $app->tform->wordbook[$errmsg]."<br>\r\n";
+				} else {
+					return $errmsg."<br>\r\n";
+				}
+			}
+		}
+	}
+
+}

interface/lib/classes/validate_server.inc.php

@@ -46,11 +46,15 @@ function get_error($errmsg) {
 	 * Validator function for server-ip
 	*/
 	function check_server_ip($field_name, $field_value, $validator) {
-		if($_POST['ip_type'] == 'IPv4') {
+		global $app;
+
+		$type=(isset($app->remoting_lib->dataRecord['ip_type']))?$app->remoting_lib->dataRecord['ip_type']:$_POST['ip_type'];
+		
+		if($type == 'IPv4') {
 			if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
 				return $this->get_error($validator['errmsg']);
 			}
-		} elseif ($_POST['ip_type'] == 'IPv6') {
+		} elseif ($type == 'IPv6') {
 			if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
 				return $this->get_error($validator['errmsg']);
 			}

interface/lib/lang/br.lng

@@ -39,7 +39,7 @@ $wb['top_menu_billing'] = 'Faturas';
 $wb['top_menu_domain'] = 'Domínios';
 $wb['top_menu_dashboard'] = 'Início';
 $wb['latest_news_txt'] = 'Últimas notícias';
-$wb['top_menu_vm'] = 'VM';
+$wb['top_menu_vm'] = 'VPS';
 $wb['daynamesmin_su'] = 'Do';
 $wb['daynamesmin_mo'] = 'Se';
 $wb['daynamesmin_tu'] = 'Te';
@@ -160,4 +160,3 @@ $wb['datalog_status_i_xmpp_user'] = 'Adicionar usuário XMPP';
 $wb['datalog_status_u_xmpp_user'] = 'Atualizar usuário XMPP';
 $wb['datalog_status_d_xmpp_user'] = 'Remover usuário XMPP';
 ?>
-

interface/web/admin/form/remote_user.tform.php

@@ -115,6 +115,27 @@
 			'width'  => '30',
 			'maxlength' => '255'
 		),
+		'remote_access' => array (
+ 			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'n',
+			'value'  => array(0 => 'n', 1 => 'y')
+        ),
+		'remote_ips' => array (
+			'datatype'  => 'TEXT',
+			'formtype'  => 'TEXT',
+			'validators'  => array (  
+				0 => array (
+					'type' => 'CUSTOM', 
+					'class' => 'validate_remote_user', 
+					'function' => 'valid_remote_ip', 
+					'errmsg' => 'remote_user_error_ips'),
+			),
+			'default' => '',
+			'value'   => '',
+			'width'   => '60',
+			'searchable' => 2
+		),
 		'remote_functions' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'CHECKBOXARRAY',