made php open_basdir configurable per website.

tbrehm · tbrehm · commit c8cf71f8d56a · 2010-01-22T14:52:22.000Z
Added a global default for the .htaccess allow_override setting.
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
@@ -1057,8 +1057,9 @@ CREATE TABLE `web_domain` (
   `ssl_bundle` mediumtext NULL,
   `ssl_action` varchar(16) NULL,
   `stats_password` varchar(255) default NULL,
-  `allow_override` varchar(32) NOT NULL default 'All',
+  `allow_override` varchar(255) NOT NULL default 'All',
   `apache_directives` text,
+  `php_open_basedir` text,
   `active` enum('n','y') NOT NULL default 'y',
   PRIMARY KEY  (`domain_id`)
 ) ENGINE=MyISAM AUTO_INCREMENT=1;
diff --git a/install/tpl/server.ini.master b/install/tpl/server.ini.master
@@ -44,6 +44,8 @@ group=www-data
 apps_vhost_port=8081
 apps_vhost_ip=_default_
 apps_vhost_servername=
+php_open_basedir=[website_path]/web:[website_path]/tmp:/usr/share/php5:/tmp:/usr/share/phpmyadmin
+htaccess_allow_override=All
 
 [dns]
 bind_user=root
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
@@ -387,6 +387,28 @@
 			'width'		=> '40',
 			'maxlength'	=> '255'
 		),
+		'php_open_basedir' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'php_open_basedir_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
+		'htaccess_allow_override' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'htaccess_allow_override_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
 		'apps_vhost_port' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'TEXT',
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
@@ -61,4 +61,8 @@ $wb["named_conf_path_error_empty"] = 'BIND named.conf path is empty.';
 $wb["named_conf_local_path_error_empty"] = 'BIND named.conf.local path is empty.';
 $wb["mail_filter_syntax_txt"] = 'Mailfilter Syntax';
 $wb["pop3_imap_daemon_txt"] = 'POP3/IMAP Daemon';
+$wb["php_open_basedir_txt"] = 'PHP open_basedir';
+$wb["php_open_basedir_error_empty"] = 'PHP open_basedir is empty.';
+$wb["htaccess_allow_override_txt"] = '.htaccess AllowOverride';
+$wb["htaccess_allow_override_error_empty"] = '.htaccess AllowOverride is empty.';
 ?>
diff --git a/interface/web/admin/templates/server_config_web_edit.htm b/interface/web/admin/templates/server_config_web_edit.htm
@@ -16,7 +16,7 @@ <h2><tmpl_var name="list_head_txt"></h2>
       <div class="ctrlHolder">
       	<label for="website_symlinks">{tmpl_var name='website_symlinks_txt'}</label>
         <input name="website_symlinks" id="website_symlinks" value="{tmpl_var name='website_symlinks'}" size="40" maxlength="255" type="text" class="textInput" />
-			</div>
+	  </div>
       <div class="ctrlHolder">
       	<label for="vhost_conf_dir">{tmpl_var name='vhost_conf_dir_txt'}</label>
         <input name="vhost_conf_dir" id="vhost_conf_dir" value="{tmpl_var name='vhost_conf_dir'}" size="40" maxlength="255" type="text" class="textInput" />
@@ -42,6 +42,14 @@ <h2><tmpl_var name="list_head_txt"></h2>
         <input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
 	  </div>
 	  <div class="ctrlHolder">
+      	<label for="php_open_basedir">{tmpl_var name='php_open_basedir_txt'}</label>
+        <input name="php_open_basedir" id="php_open_basedir" value="{tmpl_var name='php_open_basedir'}" size="40" maxlength="255" type="text" class="textInput" />
+	  </div>
+	  <div class="ctrlHolder">
+      	<label for="htaccess_allow_override">{tmpl_var name='htaccess_allow_override_txt'}</label>
+        <input name="htaccess_allow_override" id="htaccess_allow_override" value="{tmpl_var name='htaccess_allow_override'}" size="40" maxlength="255" type="text" class="textInput" />
+	  </div>
+	  <div class="ctrlHolder">
       	<label for="apps_vhost_port">{tmpl_var name='apps_vhost_port_txt'}</label>
         <input name="apps_vhost_port" id="apps_vhost_port" value="{tmpl_var name='apps_vhost_port'}" size="40" maxlength="255" type="text" class="textInput" />
 	  </div>
diff --git a/interface/web/sites/form/web_domain.tform.php b/interface/web/sites/form/web_domain.tform.php
@@ -403,7 +403,18 @@
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'TEXT',
 			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
-														'errmsg'=> 'documentroot_error_empty'),
+														'errmsg'=> 'allow_override_error_empty'),
+									),
+			'default'	=> 'All',
+			'value'		=> '',
+			'width'		=> '30',
+			'maxlength'	=> '255'
+		),
+		'php_open_basedir' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'php_open_basedir_error_empty'),
 									),
 			'default'	=> 'All',
 			'value'		=> '',
diff --git a/interface/web/sites/templates/web_domain_advanced.htm b/interface/web/sites/templates/web_domain_advanced.htm
@@ -19,7 +19,11 @@ <h2><tmpl_var name="list_head_txt"></h2>
 	  <div class="ctrlHolder">
       	<label for="allow_override">{tmpl_var name='allow_override_txt'}</label>
         <input name="allow_override" id="allow_override" value="{tmpl_var name='allow_override'}" size="30" maxlength="255" type="text" class="textInput" />
-			</div
+	  </div>
+	  <div class="ctrlHolder">
+      	<label for="php_open_basedir">{tmpl_var name='php_open_basedir_txt'}</label>
+        <input name="php_open_basedir" id="php_open_basedir" value="{tmpl_var name='php_open_basedir'}" size="30" maxlength="255" type="text" class="textInput" />
+	  </div>
       <div class="ctrlHolder">
       	<label for="apache_directives">{tmpl_var name='apache_directives_txt'}</label>
       	<textarea name="apache_directives" id="apache_directives" rows='10' cols='30'>{tmpl_var name='apache_directives'}</textarea>
diff --git a/interface/web/sites/web_domain_edit.php b/interface/web/sites/web_domain_edit.php
@@ -293,11 +293,13 @@ function onAfterInsert() {
 		}
 		
 		// Set the values for document_root, system_user and system_group
-		$system_user = 'web'.$this->id;
-		$system_group = 'client'.$client_id;
-		$document_root = str_replace("[client_id]",$client_id,$document_root);
+		$system_user = $app->db->quote('web'.$this->id);
+		$system_group = $app->db->quote('client'.$client_id);
+		$document_root = $app->db->quote(str_replace("[client_id]",$client_id,$document_root));
+		$php_open_basedir = $app->db->quote(str_replace("[website_path]",$document_root,$web_config["php_open_basedir"]));
+		$htaccess_allow_override = $app->db->quote($web_config["htaccess_allow_override"]);
 		
-		$sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group', document_root = '$document_root' WHERE domain_id = ".$this->id;
+		$sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group', document_root = '$document_root', allow_override = '$htaccess_allow_override', php_open_basedir = '$php_open_basedir'  WHERE domain_id = ".$this->id;
 		$app->db->query($sql);
 	}
 	
@@ -372,9 +374,9 @@ function onAfterUpdate() {
 		
 		if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) &&  isset($this->dataRecord["client_group_id"]) && $this->dataRecord["client_group_id"] != $this->oldDataRecord["client_group_id"]) {
 			// Set the values for document_root, system_user and system_group
-			$system_user = 'web'.$this->id;
-			$system_group = 'client'.$client_id;
-			$document_root = str_replace("[client_id]",$client_id,$document_root);
+			$system_user = $app->db->quote('web'.$this->id);
+			$system_group = $app->db->quote('client'.$client_id);
+			$document_root = $app->db->quote(str_replace("[client_id]",$client_id,$document_root));
 		
 			$sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group', document_root = '$document_root' WHERE domain_id = ".$this->id;
 			//$sql = "UPDATE web_domain SET system_user = '$system_user', system_group = '$system_group' WHERE domain_id = ".$this->id;
@@ -393,6 +395,17 @@ function onAfterUpdate() {
 			unset($subdomain);
 		}
 		
+		//* Set allow_override and php_open_basedir if empty
+		if($web_rec['allow_override'] == '') {
+			$sql = "UPDATE web_domain SET allow_override = '".$app->db->quote($web_config["htaccess_allow_override"])."' WHERE domain_id = ".$this->id;
+			$app->db->query($sql);
+		}
+		if($web_rec['php_open_basedir'] == '') {
+			$php_open_basedir = $app->db->quote(str_replace("[website_path]",$document_root,$web_config["php_open_basedir"]));
+			$sql = "UPDATE web_domain SET php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$this->id;
+			$app->db->query($sql);
+		}
+		
 	}
 	
 	function onAfterDelete() {
diff --git a/server/conf/php-cgi-starter.master b/server/conf/php-cgi-starter.master
@@ -2,6 +2,6 @@
 
 exec <tmpl_var name='php_cgi_bin'> \
 -d open_basedir=<tmpl_var name='open_basedir'> \
--d upload_tmp_dir=<tmpl_var name='open_basedir'>/tmp \
--d session.save_path=<tmpl_var name='open_basedir'>/tmp
+-d upload_tmp_dir=<tmpl_var name='document_root'>/tmp \
+-d session.save_path=<tmpl_var name='document_root'>/tmp
 # -d safe_mode=${SAFE_MODE}
diff --git a/server/conf/php-fcgi-starter.master b/server/conf/php-fcgi-starter.master
@@ -10,7 +10,7 @@ export PHP_DOCUMENT_ROOT
 PHP_FCGI_MAX_REQUESTS=<tmpl_var name='php_fcgi_max_requests'>
 export PHP_FCGI_MAX_REQUESTS
 exec <tmpl_var name='php_fcgi_bin'> \
-<tmpl_if name="security_level" op="==" value="20"> -d open_basedir="<tmpl_var name='document_root'>:/usr/share/php5:/tmp:/usr/share/phpmyadmin" \
+<tmpl_if name="security_level" op="==" value="20"> -d open_basedir="<tmpl_var name='open_basedir'>" \
 -d upload_tmp_dir=<tmpl_var name='document_root'>/tmp \
 -d session.save_path=<tmpl_var name='document_root'>/tmp \
 </tmpl_if> $1
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
@@ -96,7 +96,7 @@
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
 <tmpl_if name='security_level' op='==' value='20'>
-    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp:/usr/share/phpmyadmin
+    php_admin_value open_basedir <tmpl_var name='php_open_basedir'>
 </tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
@@ -257,7 +257,7 @@
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
 <tmpl_if name='security_level' op='==' value='20'>
-    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp:/usr/share/phpmyadmin
+    php_admin_value open_basedir <tmpl_var name='php_open_basedir'>
 </tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
@@ -555,6 +555,7 @@ function update($event_name,$data) {
 		$vhost_data["web_basedir"] = $web_config["website_basedir"];
 		$vhost_data["security_level"] = $web_config["security_level"];
 		$vhost_data["allow_override"] = ($data["new"]["allow_override"] == '')?'All':$data["new"]["allow_override"];
+		$vhost_data["php_open_basedir"] = ($data["new"]["php_open_basedir"] == '')?$data["new"]["document_root"]:$data["new"]["php_open_basedir"];
 		
 		// Check if a SSL cert exists
 		$ssl_dir = $data["new"]["document_root"]."/ssl";
@@ -706,12 +707,15 @@ function update($event_name,$data) {
 			$fcgi_tpl = new tpl();
 			$fcgi_tpl->newTemplate("php-fcgi-starter.master");
 				
-			$fcgi_tpl->setVar('php_ini_path',$fastcgi_config["fastcgi_phpini_path"]);
-			$fcgi_tpl->setVar('document_root',$data["new"]["document_root"]);
-			$fcgi_tpl->setVar('php_fcgi_children',$fastcgi_config["fastcgi_children"]);
-			$fcgi_tpl->setVar('php_fcgi_max_requests',$fastcgi_config["fastcgi_max_requests"]);
-			$fcgi_tpl->setVar('php_fcgi_bin',$fastcgi_config["fastcgi_bin"]);
-			$fcgi_tpl->setVar('security_level',$web_config["security_level"]);
+			$fcgi_tpl->setVar('php_ini_path',escapeshellcmd($fastcgi_config["fastcgi_phpini_path"]));
+			$fcgi_tpl->setVar('document_root',escapeshellcmd($data["new"]["document_root"]));
+			$fcgi_tpl->setVar('php_fcgi_children',escapeshellcmd($fastcgi_config["fastcgi_children"]));
+			$fcgi_tpl->setVar('php_fcgi_max_requests',escapeshellcmd($fastcgi_config["fastcgi_max_requests"]));
+			$fcgi_tpl->setVar('php_fcgi_bin',escapeshellcmd($fastcgi_config["fastcgi_bin"]));
+			$fcgi_tpl->setVar('security_level',intval($web_config["security_level"]));
+			
+			$php_open_basedir = ($data["new"]["php_open_basedir"] == '')?$data["new"]["document_root"]:$data["new"]["php_open_basedir"];
+			$cgi_tpl->setVar('open_basedir', escapeshellcmd($php_open_basedir));
 				
 			$fcgi_starter_script = escapeshellcmd($fastcgi_starter_path.$fastcgi_config["fastcgi_starter_script"]);
 			file_put_contents($fcgi_starter_script,$fcgi_tpl->grab());
@@ -759,7 +763,10 @@ function update($event_name,$data) {
 			$cgi_tpl->newTemplate("php-cgi-starter.master");
 
 			// This works, because php "rewrites" a symlink to the physical path
-			$cgi_tpl->setVar('open_basedir', $data["new"]["document_root"]); 
+			$php_open_basedir = ($data["new"]["php_open_basedir"] == '')?$data["new"]["document_root"]:$data["new"]["php_open_basedir"];
+			$cgi_tpl->setVar('open_basedir', escapeshellcmd($php_open_basedir)); 
+			$cgi_tpl->setVar('document_root', escapeshellcmd($data["new"]["document_root"]));
+			
 			// This will NOT work!
 			//$cgi_tpl->setVar('open_basedir', "/var/www/" . $data["new"]["domain"]);
 			$cgi_tpl->setVar('php_cgi_bin',$cgi_config["cgi_bin"]);
