Merge branch 'stable-3.1'

Author: Marius Burkard

install/dist/lib/fedora.lib.php

@@ -1076,6 +1076,8 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* Make the global language file directory group writable
 		exec("chmod -R 770 $install_dir/interface/lib/lang");
@@ -1149,6 +1151,11 @@ public function install_ispconfig()
 		$command = "chmod +x $install_dir/server/scripts/*.sh";
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
+			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
+			$this->db->query($sql, $conf['interface_password']);
+		}
+		
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
 			//* Copy the ISPConfig vhost for the controlpanel
 			// TODO: These are missing! should they be "vhost_dist_*_dir" ?

install/dist/lib/gentoo.lib.php

@@ -996,7 +996,9 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+		$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 		//* Make the global language file directory group writable
 		exec("chmod -R 770 $install_dir/interface/lib/lang");
 
@@ -1076,6 +1078,11 @@ public function install_ispconfig()
 		$command = "chmod +x $install_dir/server/scripts/*.sh";
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
+			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
+			$this->db->query($sql, $conf['interface_password']);
+		}
+		
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
 			//* Copy the ISPConfig vhost for the controlpanel
 			$content = $this->get_template_file("apache_ispconfig.vhost", true);

install/dist/lib/opensuse.lib.php

@@ -1094,7 +1094,9 @@ public function install_ispconfig()
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+		$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 		//* Make the global language file directory group writable
 		exec("chmod -R 770 $install_dir/interface/lib/lang");
 
@@ -1170,6 +1172,11 @@ public function install_ispconfig()
 		$command = "chmod +x $install_dir/server/scripts/*.sh";
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
+			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
+			$this->db->query($sql, $conf['interface_password']);
+		}
+		
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
 			//* Copy the ISPConfig vhost for the controlpanel
 			// TODO: These are missing! should they be "vhost_dist_*_dir" ?

install/lib/installer_base.lib.php

@@ -2499,7 +2499,9 @@ public function install_ispconfig() {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+		$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 		//* Make the global language file directory group writable
 		exec("chmod -R 770 $install_dir/interface/lib/lang");
 

interface/lib/app.inc.php

@@ -299,14 +299,14 @@ public function tpl_defaults() {
 
 		$this->tpl->setVar('phpsessid', session_id());
 
-		$this->tpl->setVar('theme', $_SESSION['s']['theme']);
+		$this->tpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']);
 
 		$this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name']);
-			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name']);
+			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
+			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$this->tpl->setVar('is_admin', 1);
@@ -316,7 +316,7 @@ public function tpl_defaults() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$this->tpl->setVar('logout_txt', $this->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){
@@ -343,7 +343,7 @@ public function tpl_defaults() {
 // load and enable PHP Intrusion Detection System (PHPIDS)
 $ids_security_config = $app->getconf->get_security_config('ids');
 
-if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
+if(is_dir(ISPC_CLASS_PATH.'/IDS') && !defined('REMOTE_API_CALL') && ($ids_security_config['ids_anon_enabled'] == 'yes' || $ids_security_config['ids_user_enabled'] == 'yes' || $ids_security_config['ids_admin_enabled'] == 'yes')) {
 	$app->uses('ids');
 	$app->ids->start();
 }

interface/lib/classes/db_mysql.inc.php

@@ -470,7 +470,7 @@ private function check_utf8($str) {
 	public function escape($sString) {
 		global $app;
 		if(!is_string($sString) && !is_numeric($sString)) {
-			$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_INFO);
+			$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_DEBUG);
 			//$sAddMsg = getDebugBacktrace();
 			$app->log($sAddMsg, LOGLEVEL_DEBUG);
 			$sString = '';
@@ -479,7 +479,7 @@ public function escape($sString) {
 		$cur_encoding = mb_detect_encoding($sString);
 		if($cur_encoding != "UTF-8") {
 			if($cur_encoding != 'ASCII') {
-				if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
+				if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_DEBUG);
 				if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
 				else $sString = mb_convert_encoding($sString, 'UTF-8');
 			}

interface/lib/classes/ids.inc.php

@@ -118,7 +118,25 @@ public function start()
 
 			$impact = $ids_result->getImpact();
 
-			if($impact >= $security_config['ids_log_level']) {
+			// Choose level from security config
+			if($app->auth->is_admin()) {
+				// User is admin
+				$ids_log_level = $security_config['ids_admin_log_level'];
+				$ids_warn_level = $security_config['ids_admin_warn_level'];
+				$ids_block_level = $security_config['ids_admin_block_level'];
+			} elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
+				// User is Client or Reseller
+				$ids_log_level = $security_config['ids_user_log_level'];
+				$ids_warn_level = $security_config['ids_user_warn_level'];
+				$ids_block_level = $security_config['ids_user_block_level'];
+			} else {
+				// Not logged in
+				$ids_log_level = $security_config['ids_anon_log_level'];
+				$ids_warn_level = $security_config['ids_anon_warn_level'];
+				$ids_block_level = $security_config['ids_anon_block_level'];
+			}
+			
+			if($impact >= $ids_log_level) {
 				$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
 				if(!is_file($ids_log)) touch($ids_log);
 
@@ -132,11 +150,11 @@ public function start()
 
 			}
 
-			if($impact >= $security_config['ids_warn_level']) {
+			if($impact >= $ids_warn_level) {
 				$app->log("PHP IDS Alert.".$ids_result, 2);
 			}
 
-			if($impact >= $security_config['ids_block_level']) {
+			if($impact >= $ids_block_level) {
 				$app->error("Possible attack detected. This action has been logged.",'', true, 2);
 			}
 

interface/lib/classes/plugin_listview.inc.php

@@ -56,7 +56,7 @@ function onShow() {
 		// $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$listTpl->setVar('parent_id', $this->form->id);
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 
 		// Generate the SQL for searching
 		$sql_where = "";
@@ -193,13 +193,13 @@ function onShow() {
 
 		$listTpl->setVar('phpsessid', session_id());
 
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']);
 
 		$listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$listTpl->setVar('app_module', $_SESSION['s']['module']['name']);
+			$listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$listTpl->setVar('is_admin', 1);
@@ -209,7 +209,7 @@ function onShow() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$listTpl->setVar('logout_txt', $app->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){

interface/lib/classes/tform.inc.php

@@ -115,11 +115,18 @@ function getNextTab() {
 			// Show the same tab again in case of an error
 			$active_tab = $_SESSION["s"]["form"]["tab"];
 		}
+		
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
+			die('Invalid next tab name.');
+		}
 
 		return $active_tab;
 	}
 
 	function getCurrentTab() {
+		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) {
+			die('Invalid current tab name.');
+		}
 		return $_SESSION["s"]["form"]["tab"];
 	}
 

interface/lib/classes/tform_actions.inc.php

@@ -287,7 +287,7 @@ function onError() {
 		global $app, $conf;
 
 		$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
-		$app->tpl->setVar($this->dataRecord);
+		$app->tpl->setVar($this->dataRecord, null, true);
 		$this->onShow();
 	}