Merge branch 'staging/fixes' into main

Author: Kristan Kenney

bin/v-add-firewall-ipset

@@ -89,7 +89,9 @@ if [ ! -f "${IPSET_PATH}/${IPSET_FILE}.iplist" ] || [ "$force" = "yes" ]; then
         # Advanced: execute script with the same basename for aditional pre-processing
         # ex: 
         if [ -x "${IPSET_PATH}/${IPSET_FILE}.sh" ]; then 
-            setpriv --clear-groups --reuid nobody --regid nogroup -- ${IPSET_PATH}/${IPSET_FILE}.sh "$ip_name" "$iplist_tempfile"
+            preprocess_output="$(cat "$iplist_tempfile" | setpriv --clear-groups --reuid nobody --regid nogroup -- ${IPSET_PATH}/${IPSET_FILE}.sh "$ip_name" "$iplist_tempfile")"
+            check_result $? "Preprocessing script failed (${IPSET_FILE}.sh)"
+            [[ "$preprocess_output" ]] && echo "$preprocess_output" > "$iplist_tempfile"
         fi
 
     elif [[ "$data_source" =~ ^script:/ ]]; then
@@ -113,6 +115,14 @@ if [ ! -f "${IPSET_PATH}/${IPSET_FILE}.iplist" ] || [ "$force" = "yes" ]; then
 
     fi
 
+    # Cleanup ip list
+    sed -r -i -e 's/[;#].*$//' -e 's/[ \t]*$//' -e '/^$/d' "$iplist_tempfile"
+    if [[ $ip_version == 'v4' ]]; then
+        sed -i -r -n -e '/^((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])/p' "$iplist_tempfile"
+    elif [[ $ip_version == 'v6' ]]; then
+        sed -i -r -n -e '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/p' "$iplist_tempfile"
+    fi
+
     # Validate iplist file size
     iplist_size=$(sed -r -e '/^#|^$/d' "$iplist_tempfile" | wc -l)
     [[ "$iplist_size" -le $IPSET_MIN_SIZE ]] && check_result $E_INVALID "iplist file too small (<${IPSET_MIN_SIZE}), ignoring"

bin/v-add-letsencrypt-host

@@ -11,8 +11,9 @@
 #----------------------------------------------------------#
 
 # Argument definition
-user="admin"
 domain=$HOSTNAME
+user="$($HESTIA/bin/v-search-domain-owner "$domain" web)"
+[[ -z "$user" ]] && user="admin"
 
 # Includes
 source $HESTIA/func/main.sh

bin/v-add-web-domain-ssl-hsts

@@ -54,7 +54,6 @@ else
 fi
 
 echo 'add_header Strict-Transport-Security "max-age=15768000;" always;' > $hstsconf
-echo "HTTP Strict Transport Security (HSTS) turned on for $domain."
 
 
 #----------------------------------------------------------#

bin/v-delete-web-domain-ssl-hsts

@@ -49,7 +49,7 @@ else
 fi
 
 rm -f $hstsconf
-echo "HTTP Strict Transport Security (HSTS) turned off for $domain."
+
 
 #----------------------------------------------------------#
 #                       Hestia                             #

func/rebuild.sh

@@ -527,14 +527,9 @@ rebuild_mail_domain_conf() {
         # Setting HELO for mail domain
         if [ ! -z "$local_ip" ]; then
             IP_RDNS=$(is_ip_rdns_valid "$local_ip")
+            sed -i "/^${domain}:/d" /etc/exim4/mailhelo.conf >/dev/null 2>&1
             if [ ! -z "$IP_RDNS" ]; then
-                if [ -f /etc/exim4/mailhelo.conf ] && [ $(grep -s "^${domain}:" /etc/exim4/mailhelo.conf) ]; then
-                    sed -i "/^${domain}:/c\\${domain}:${IP_RDNS}" /etc/exim4/mailhelo.conf
-                else
-                    echo ${domain}:${IP_RDNS} >> /etc/exim4/mailhelo.conf
-                fi
-            else
-                sed -i "/^${domain}:/d" /etc/exim4/mailhelo.conf >/dev/null 2>&1
+                echo ${domain}:${IP_RDNS} >> /etc/exim4/mailhelo.conf
             fi
         fi
 

install/deb/templates/web/nginx/php-fpm/sendy.stpl

@@ -87,5 +87,5 @@ server {
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;
     include     /etc/nginx/conf.d/phppgadmin.inc*;
-    include     %home%/%user%/conf/web/%domain%/nginx.conf_*;
+    include     %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
 }

install/deb/templates/web/nginx/php-fpm/wordpress.stpl

@@ -73,5 +73,5 @@ server {
     include     /etc/nginx/conf.d/phppgadmin.inc*;
     include     /etc/nginx/conf.d/webmail.inc*;
 
-    include     %home%/%user%/conf/web/%domain%/nginx.conf_*;
+    include     %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
 }

install/hst-install-debian.sh

@@ -42,9 +42,9 @@ if [ "$release" -eq 9 ]; then
         mariadb-client mariadb-common mariadb-server postgresql
         postgresql-contrib phppgadmin phpmyadmin mc flex whois rssh git idn zip
         sudo bc ftp lsof rrdtool quota e2fslibs bsdutils e2fsprogs curl
-        imagemagick fail2ban dnsutils bsdmainutils cron hestia hestia-nginx
+        imagemagick fail2ban dnsutils bsdmainutils cron hestia=${HESTIA_INSTALL_VER} hestia-nginx
         hestia-php expect libmail-dkim-perl unrar-free vim-common acl sysstat
-        rsyslog ssh setpriv ipset libapache2-mod-ruid2"
+        rsyslog openssh-server ssh setpriv ipset libapache2-mod-ruid2"
 elif [ "$release" -eq 10 ]; then
     software="nginx apache2 apache2-utils apache2-suexec-custom
         apache2-suexec-pristine libapache2-mod-fcgid libapache2-mod-php$fpm_v
@@ -60,8 +60,8 @@ elif [ "$release" -eq 10 ]; then
         phppgadmin mc flex whois git idn zip sudo bc ftp lsof rrdtool
         quota e2fslibs bsdutils e2fsprogs curl imagemagick fail2ban dnsutils
         bsdmainutils cron hestia hestia-nginx hestia-php expect
-        libmail-dkim-perl unrar-free vim-common acl sysstat rsyslog ssh util-linux
-        ipset libapache2-mpm-itk"
+        libmail-dkim-perl unrar-free vim-common acl sysstat rsyslog openssh-server
+        ssh util-linux ipset libapache2-mpm-itk"
 fi
 
 installer_dependencies="apt-transport-https curl dirmngr gnupg wget"

install/hst-install-ubuntu.sh

@@ -42,9 +42,9 @@ software="apache2 apache2.2-common apache2-suexec-custom apache2-utils
     php$fpm_v-imagick php$fpm_v-intl php$fpm_v-json php$fpm_v-mbstring
     php$fpm_v-opcache php$fpm_v-pspell php$fpm_v-readline php$fpm_v-xml
     postgresql postgresql-contrib proftpd-basic quota roundcube-core
-    roundcube-mysql roundcube-plugins rrdtool rssh spamassassin sudo hestia
+    roundcube-mysql roundcube-plugins rrdtool rssh spamassassin sudo hestia=${HESTIA_INSTALL_VER}
     hestia-nginx hestia-php vim-common vsftpd whois zip acl sysstat setpriv
-    ipset libonig5 libzip5"
+    ipset libonig5 libzip5 openssh-server ssh"
 
 installer_dependencies="apt-transport-https curl dirmngr gnupg wget"
 

web/add/db/index.php

@@ -42,8 +42,7 @@
 
     // Check password length
     if (empty($_SESSION['error_msg'])) {
-        $pw_len = strlen($_POST['v_password']);
-        if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg);
+        if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/', $_POST['v_password'])) { $_SESSION['error_msg'] = __('Password does not match the minimum requirements'); }
     }
 
     // Protect input