Merge branch 'develop' into 'patch-dns-zone-rendering'

# Conflicts:
#   install/sql/incremental/upd_dev_collection.sql

Author: helmo

install/dist/lib/fedora.lib.php

@@ -1227,8 +1227,8 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1372,6 +1372,7 @@ public function install_ispconfig()
 		//* Create the ispconfig log directory
 		if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir']);
 		if(!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) exec('touch '.$conf['ispconfig_log_dir'].'/ispconfig.log');
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		if(is_user('getmail')) {
 			exec('mv /usr/local/ispconfig/server/scripts/run-getmail.sh /usr/local/bin/run-getmail.sh');

install/dist/lib/gentoo.lib.php

@@ -1115,8 +1115,8 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1252,6 +1252,7 @@ public function install_ispconfig()
 		if (!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) {
 			touch($conf['ispconfig_log_dir'].'/ispconfig.log');
 		}
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		//* Create the ispconfig auth log file and set uid/gid
 		if(!is_file($conf['ispconfig_log_dir'].'/auth.log')) {

install/dist/lib/opensuse.lib.php

@@ -1215,8 +1215,8 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1369,6 +1369,7 @@ public function install_ispconfig()
 		//* Create the ispconfig log directory
 		if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir']);
 		if(!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) exec('touch '.$conf['ispconfig_log_dir'].'/ispconfig.log');
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		if(is_user('getmail')) {
 			exec('mv /usr/local/ispconfig/server/scripts/run-getmail.sh /usr/local/bin/run-getmail.sh');

install/lib/installer_base.lib.php

@@ -157,6 +157,34 @@ public function get_php_version() {
 		else return true;
 	}
 
+	public function crypt_password($cleartext_password, $charset = 'UTF-8') {
+		if($charset != 'UTF-8') {
+			$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
+		}
+
+		if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
+			$salt = '$6$rounds=5000$';
+			$salt_length = 16;
+		} elseif(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
+			$salt = '$5$rounds=5000$';
+			$salt_length = 16;
+		} else {
+			$salt = '$1$';
+			$salt_length = 12;
+		}
+
+		if(function_exists('openssl_random_pseudo_bytes')) {
+			$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
+		} else {
+			$base64_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
+			for($n = 0; $n < $salt_length; $n++) {
+				$salt .= $base64_alphabet[mt_rand(0, 63)];
+			}
+		}
+		$salt .= "$";
+		return crypt($cleartext_password, $salt);
+	}
+
 	//** Detect installed applications
 	public function find_installed_apps() {
 		global $conf;
@@ -3415,8 +3443,8 @@ public function install_ispconfig() {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -3560,6 +3588,7 @@ public function install_ispconfig() {
 			if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir'], 0755);
 			touch($conf['ispconfig_log_dir'].'/ispconfig.log');
 		}
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		//* Create the ispconfig auth log file and set uid/gid
 		if(!is_file($conf['ispconfig_log_dir'].'/auth.log')) {

install/sql/incremental/upd_0092.sql

@@ -0,0 +1,8 @@
+-- drop old php column because new installations don't have them (fails in multi-server)
+ALTER TABLE `web_domain` DROP COLUMN `fastcgi_php_version`;
+
+-- add php_fpm_socket_dir column to server_php
+ALTER TABLE `server_php` ADD `php_fpm_socket_dir` varchar(255) DEFAULT NULL AFTER `php_fpm_pool_dir`;
+
+-- fix #5939
+UPDATE `ftp_user` SET `expires` = NULL WHERE `expires` = '0000-00-00 00:00:00';

install/sql/incremental/upd_dev_collection.sql

@@ -1,3 +1,4 @@
+
 -- drop old php column because new installations don't have them (fails in multi-server)
 ALTER TABLE `web_domain` DROP COLUMN `fastcgi_php_version`;
 
@@ -8,3 +9,5 @@ ALTER TABLE `server_php` ADD `php_fpm_socket_dir` varchar(255) DEFAULT NULL AFTE
 UPDATE `ftp_user` SET `expires` = NULL WHERE `expires` = '0000-00-00 00:00:00';
 
 ALTER TABLE `dns_soa` ADD `rendered_zone` MEDIUMTEXT NULL AFTER `dnssec_info`;
+
+ALTER TABLE `remote_user` MODIFY `remote_password` VARCHAR(200) NOT NULL DEFAULT '';

install/sql/ispconfig3.sql

@@ -1326,7 +1326,7 @@ CREATE TABLE `remote_user` (
   `sys_perm_group` varchar(5) default NULL,
   `sys_perm_other` varchar(5) default NULL,
   `remote_username` varchar(64) NOT NULL DEFAULT '',
-  `remote_password` varchar(64) NOT NULL DEFAULT '',
+  `remote_password` varchar(200) NOT NULL DEFAULT '',
   `remote_access` enum('y','n') NOT NULL DEFAULT 'y',
   `remote_ips` TEXT,
   `remote_functions` text,
@@ -2581,7 +2581,7 @@ INSERT INTO `sys_theme` (`var_id`, `tpl_name`, `username`, `logo_url`) VALUES (N
 -- Dumping data for table `sys_user`
 --
 
-INSERT INTO `sys_user` (`userid`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `username`, `passwort`, `modules`, `startmodule`, `app_theme`, `typ`, `active`, `language`, `groups`, `default_group`, `client_id`) VALUES (1, 1, 0, 'riud', 'riud', '', 'admin', '21232f297a57a5a743894a0e4a801fc3', 'dashboard,admin,client,mail,monitor,sites,dns,vm,tools,help', 'dashboard', 'default', 'admin', 1, 'en', '1,2', 1, 0);
+INSERT INTO `sys_user` (`userid`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `username`, `passwort`, `modules`, `startmodule`, `app_theme`, `typ`, `active`, `language`, `groups`, `default_group`, `client_id`) VALUES (1, 1, 0, 'riud', 'riud', '', 'admin', 'xxx', 'dashboard,admin,client,mail,monitor,sites,dns,vm,tools,help', 'dashboard', 'default', 'admin', 1, 'en', '1,2', 1, 0);
 
 -- --------------------------------------------------------
 

interface/lib/classes/db_mysql.inc.php

@@ -171,14 +171,10 @@ public function _build_query_string($sQuery = '') {
 					} elseif(is_null($sValue) || (is_string($sValue) && (strcmp($sValue, '#NULL#') == 0))) {
 						$sTxt = 'NULL';
 					} elseif(is_array($sValue)) {
-						if(isset($sValue['SQL'])) {
-							$sTxt = $sValue['SQL'];
-						} else {
-							$sTxt = '';
-							foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
-							$sTxt = '(' . substr($sTxt, 1) . ')';
-							if($sTxt == '()') $sTxt = '(0)';
-						}
+						$sTxt = '';
+						foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
+						$sTxt = '(' . substr($sTxt, 1) . ')';
+						if($sTxt == '()') $sTxt = '(0)';
 					} else {
 						$sTxt = '\'' . $this->escape($sValue) . '\'';
 					}
@@ -258,7 +254,7 @@ private function securityScan($string) {
 
 	private function _query($sQuery = '') {
 		global $app;
-		
+
 		$aArgs = func_get_args();
 
 		if ($sQuery == '') {
@@ -354,7 +350,7 @@ public function query($sQuery = '') {
 	 * @return array result row or NULL if none found
 	 */
 	public function queryOneRecord($sQuery = '') {
-		
+
 		$aArgs = func_get_args();
 		if(!empty($aArgs)) {
 			$sQuery = array_shift($aArgs);
@@ -363,7 +359,7 @@ public function queryOneRecord($sQuery = '') {
 		}
 		array_unshift($aArgs, $sQuery);
 		}
-  
+
 		$oResult = call_user_func_array([&$this, 'query'], $aArgs);
 		if(!$oResult) return null;
 
@@ -750,7 +746,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			foreach($insert_data as $key => $val) {
 				$key_str .= '??,';
 				$params[] = $key;
-				
+
 				$val_str .= '?,';
 				$v_params[] = $val;
 			}
@@ -764,7 +760,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			$this->query("INSERT INTO ?? $insert_data_str", $tablename);
 			$app->log("deprecated use of passing values to datalogInsert() - table " . $tablename, 1);
 		}
-		
+
 		$old_rec = array();
 		$index_value = $this->insertID();
 		if(!$index_value && isset($insert_data[$index_field])) {
@@ -1112,7 +1108,7 @@ public function mapType($metaType, $typeValue) {
 	 * @access public
 	 * @return string 'mariadb' or string 'mysql'
 	 */
-	
+
 	public function getDatabaseType() {
 		$tmp = $this->queryOneRecord('SELECT VERSION() as version');
 		if(stristr($tmp['version'],'mariadb')) {
@@ -1140,7 +1136,7 @@ public function getDatabaseVersion($major_version_only = false) {
 			return $version[0];
 		}
 	}
-	
+
 	/**
 	 * Get a mysql password hash
 	 *
@@ -1150,9 +1146,9 @@ public function getDatabaseVersion($major_version_only = false) {
 	 */
 
 	public function getPasswordHash($password) {
-		
+
 		$password_type = 'password';
-		
+
 		/* Disabled until caching_sha2_password is implemented
 		if($this->getDatabaseType() == 'mysql' && $this->getDatabaseVersion(true) >= 8) {
 			// we are in MySQL 8 mode
@@ -1162,16 +1158,16 @@ public function getPasswordHash($password) {
 			}
 		}
 		*/
-		
+
 		if($password_type == 'caching_sha2_password') {
 			/*
-				caching_sha2_password hashing needs to be implemented, have not 
+				caching_sha2_password hashing needs to be implemented, have not
 				found valid PHP implementation for the new password hash type.
 			*/
 		} else {
 			$password_hash = '*'.strtoupper(sha1(sha1($password, true)));
 		}
-		
+
 		return $password_hash;
 	}
 

interface/lib/classes/remoting.inc.php

@@ -128,13 +128,26 @@ public function login($username, $password, $client_login = false)
 			$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
 			return $remote_session;
 		} else {
-			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
-			$remote_user = $app->db->queryOneRecord($sql, $username, $password);
-			if($remote_user['remote_userid'] > 0) {
+			$sql = "SELECT * FROM remote_user WHERE remote_username = ?";
+			$remote_user = $app->db->queryOneRecord($sql, $username);
+			if($remote_user) {
+				if(substr($remote_user['remote_password'], 0, 1) === '$') {
+					if(crypt(stripslashes($password), $remote_user['remote_password']) != $remote_user['remote_password']) {
+						$remote_user = null;
+					}
+				} elseif(md5($password) == $remote_user['remote_password']) {
+					// update hash algo
+					$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
+					$app->db->query($sql, $app->auth->crypt_password($password), $username);
+				} else {
+					$remote_user = null;
+				}
+			}
+			if($remote_user && $remote_user['remote_userid'] > 0) {
 				if (trim($remote_user['remote_ips']) != '') {
 					$allowed_ips = explode(',',$remote_user['remote_ips']);
-					foreach($allowed_ips as $i => $allowed) { 
-						if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+					foreach($allowed_ips as $i => $allowed) {
+						if(!filter_var($allowed, FILTER_VALIDATE_IP)) {
 							// get the ip for a hostname
 							unset($allowed_ips[$i]);
 							$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
@@ -169,7 +182,7 @@ public function login($username, $password, $client_login = false)
 				if(!$remote_allowed) {
 					throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
 					return false;
-				}	
+				}
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
 				$remote_session = md5(mt_rand().uniqid('ispco'));
@@ -368,22 +381,22 @@ protected function updateQueryPrepare($formdef_file, $client_id, $primary_id, $p
 
 		//* Load the form definition
 		$app->remoting_lib->loadFormDef($formdef_file);
-		
+
 		//* get old record and merge with params, so only new values have to be set in $params
                $old_rec = $app->remoting_lib->getDataRecord($primary_id, $client_id);
-		
+
 		foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf)
         {
             if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) {
                 unset($old_rec[$fieldName]);
             }
         }
-		
+
 		$params = $app->functions->array_merge($old_rec,$params);
 
 		//* Get the SQL query
 		$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
-		
+
 		// throw new SoapFault('debug', $sql);
 		if($app->remoting_lib->errorMessage != '') {
 			throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
@@ -546,7 +559,7 @@ public function server_get($session_id, $server_id = null, $section ='') {
 			return false;
 		}
 	}
-	
+
 	/**
 	    Gets a list of all servers
 	    @param int session_id

interface/web/admin/form/remote_user.tform.php

@@ -109,7 +109,7 @@
 					'errmsg' => 'weak_password_txt'
 				)
 			),
-			'encryption' => 'MD5',
+			'encryption' => 'CRYPT',
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -124,11 +124,11 @@
 		'remote_ips' => array (
 			'datatype'  => 'TEXT',
 			'formtype'  => 'TEXT',
-			'validators'  => array (  
+			'validators'  => array (
 				0 => array (
-					'type' => 'CUSTOM', 
-					'class' => 'validate_remote_user', 
-					'function' => 'valid_remote_ip', 
+					'type' => 'CUSTOM',
+					'class' => 'validate_remote_user',
+					'function' => 'valid_remote_ip',
 					'errmsg' => 'remote_user_error_ips'),
 			),
 			'default' => '',