
Commit 1034fed

authored
Merge pull request hestiacp#1016 from hestiacp/fix/1002-Web_Security_improvements
hestiacp#1002 web security improvements
2 parents eaf1bdf + 80292af commit 1034fed

25 files changed

+523
-53
lines changed

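--- a/bin/v-delete-user-auth-log
+++ b/bin/v-delete-user-auth-log
@@ -0,0 +1,38 @@
+#!/bin/bash
+# info: Delete auth log file for user
+#
+# The function for deleting a users auth log file
+
+# Argument definition
+user=$1
+date=$(date "+%F %T")
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+
+if [ ! -f $USER_DATA/auth.log ]; then
+touch $USER_DATA/auth.log
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+rm $USER_DATA/auth.log
+
+log_history "Authentication log for $user was cleared on $date."
+log_event "$OK" "$ARGUMENTS"
+
+exit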
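Review bot: Lines 25–27 create auth.log only so that line 33 can delete it, so the script never truncates anything, and the file is presumably recreated later by v-log-user-login's own `touch` with whatever owner and mode that caller's umask yields. Truncating in place keeps the file together with its ownership and permissions and matches the "was cleared" wording of the history entry: drop the `if`/`touch`/`fi` block and replace `rm $USER_DATA/auth.log` with `: > "$USER_DATA/auth.log"`. Quoting the path also protects the deletion from word-splitting should USER_DATA ever contain whitespace.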

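--- a/bin/v-list-sys-config
+++ b/bin/v-list-sys-config
@@ -1,7 +1,7 @@
 #!/bin/bash
 # info: list system configuration
 # options: [FORMAT]
-# labels:
+# labels:
 #
 # example: v-list-sys-config json
 #
@@ -61,6 +61,7 @@ json_list() {
 "DB_PMA_ALIAS": "'$DB_PMA_ALIAS'",
 "DB_PGA_ALIAS": "'$DB_PGA_ALIAS'",
 "LOGIN_STYLE": "'$LOGIN_STYLE'",
+"INACTIVE_SESSION_TIMEOUT": "'$INACTIVE_SESSION_TIMEOUT'",
 "SOFTACULOUS": "'$SOFTACULOUS'"
 }
 }'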

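--- a/bin/v-list-user-auth-log
+++ b/bin/v-list-user-auth-log
@@ -0,0 +1,118 @@
+#!/bin/bash
+# info: list user log
+# options: USER [FORMAT]
+#
+# The function of obtaining the list of 10 last users commands.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+format=${2-shell}
+
+# Includes
+source $HESTIA/func/main.sh
+
+# JSON list function
+json_list() {
+IFS=$'\n'
+i=1
+objects=$(echo "$logs" |wc -l)
+echo "{"
+for str in $logs; do
+IP=$(echo "$str" |cut -f 2 -d \')
+FINGERPRINT=$(echo "$str" |cut -f 4 -d \')
+DATE=$(echo "$str" |cut -f 6 -d \')
+TIME=$(echo "$str" |cut -f 8 -d \')
+ACTIVE=$(echo "$str" |cut -f 10 -d \')
+echo -n ' "'$i'": {
+"IP": "'$IP'",
+"FINGERPRINT": "'$FINGERPRINT'",
+"TIME": "'$TIME'",
+"DATE": "'$DATE'",
+"ACTIVE": "'$ACTIVE'"
+}'
+if [ "$i" -lt "$objects" ]; then
+echo ','
+else
+echo
+fi
+((i++))
+done
+echo '}'
+}
+
+shell_list() {
+IFS=$'\n'
+echo "DATE~TIME~IP~FINGERPRINT~ACTIVE"
+echo "----~----~--~-----------~------"
+for str in $logs; do
+IP=$(echo "$str" |cut -f 2 -d \')
+FINGERPRINT=$(echo "$str" |cut -f 4 -d \')
+DATE=$(echo "$str" |cut -f 6 -d \')
+TIME=$(echo "$str" |cut -f 8 -d \')
+ACTIVE=$(echo "$str" |cut -f 10 -d \')
+echo "$DATE~$TIME~$IP~$FINGERPRINT~$ACTIVE"
+done
+}
+
+# PLAIN list function
+plain_list() {
+IFS=$'\n'
+for str in $logs; do
+IP=$(echo "$str" |cut -f 2 -d \')
+FINGERPRINT=$(echo "$str" |cut -f 4 -d \')
+DATE=$(echo "$str" |cut -f 6 -d \')
+TIME=$(echo "$str" |cut -f 8 -d \')
+ACTIVE=$(echo "$str" |cut -f 10 -d \')
+echo -e "$DATE\t$TIME\t$IP\t$FINGERPRINT\t$ACTIVE"
+done
+}
+
+# CSV list function
+csv_list() {
+IFS=$'\n'
+echo "ID,CMD,UNDO,TIME,DATE"
+for str in $logs; do
+IP=$(echo "$str" |cut -f 2 -d \')
+FINGERPRINT=$(echo "$str" |cut -f 4 -d \')
+DATE=$(echo "$str" |cut -f 6 -d \')
+TIME=$(echo "$str" |cut -f 8 -d \')
+ACTIVE=$(echo "$str" |cut -f 10 -d \')
+echo "$DATE,$TIME,$IP,$FINGERPRINT,$ACTIVE"
+
+done
+}
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER [FORMAT]'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Parsing history log
+logs=$(tail -n 10 $USER_DATA/auth.log 2>/dev/null)
+
+case $format in
+json) json_list ;;
+plain) plain_list ;;
+csv) csv_list ;;
+shell) shell_list |column -t -s '~';;
+esac
+
+
+#----------------------------------------------------------#
+# Hestia #
+#----------------------------------------------------------#
+
+exit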
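Review bot: The CSV header on line 78, `echo "ID,CMD,UNDO,TIME,DATE"`, does not describe the columns csv_list emits on line 85; it should read `echo "DATE,TIME,IP,FINGERPRINT,ACTIVE"`. The info comment on line 5 ("list of 10 last users commands") is likewise left over from the command-log lister and should say that the last 10 authentication records are listed. In json_list the parsed fields are spliced into the JSON text without escaping, so a fingerprint or IP containing `"` or `\` would yield an invalid document; the `cut -d \'` parsing only rules out single quotes, and whether those values are constrained before they reach auth.log is not visible in this file.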

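--- a/bin/v-log-user-login
+++ b/bin/v-log-user-login
@@ -0,0 +1,45 @@
+#!/bin/bash
+# info: add user login
+# options: USER IP [FINGERPRINT]
+
+# Argument definition
+user=$1
+ip=$2
+fingerprint=${3}
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER IP [FINGERPRINT]'
+is_format_valid 'user' 'ip'
+is_object_valid 'user' 'USER' "$user"
+
+browser=$(echo $browser | sed -e "s/\'//g");
+
+# Generating timestamp
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+if [ ! -f $USER_DATA/auth.log ]; then
+touch $USER_DATA/auth.log
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+awk -i inplace -v finger="FINGERPRINT='$fingerprint'" -v active="active='no'" '$2 == finger {$5=active}1' $USER_DATA/auth.log
+
+echo "IP='$ip' FINGERPRINT='$fingerprint' DATE='$date' TIME='$time' active='yes'" >> $USER_DATA/auth.log
+
+#----------------------------------------------------------#
+# Hestia #
+#----------------------------------------------------------#
+
+exit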
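Review bot: The optional FINGERPRINT argument is appended to auth.log on line 39 and used as an awk match value on line 37 without any validation: `is_format_valid 'user' 'ip'` on line 19 covers only the first two arguments, so a fingerprint containing a quote, whitespace or a newline would split or corrupt the record that v-list-user-auth-log later parses with `cut -d \'`. Line 22, `browser=$(echo $browser | sed -e "s/\'//g");`, reads a variable that is never set and its result is never used; it looks like an intended quote-strip of the fingerprint and should become `fingerprint=${fingerprint//[[:space:]\']/}` (or a stricter character whitelist if the fingerprint format is known) so that the cleanup applies to the value that is actually stored. When the argument is omitted, `finger` becomes `FINGERPRINT=''` and line 37 flips every earlier record that also lacks a fingerprint to active='no', which may not be intended. The same unvalidated fingerprint reaches the identical awk call in bin/v-log-user-logout.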

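--- a/bin/v-log-user-logout
+++ b/bin/v-log-user-logout
@@ -0,0 +1,35 @@
+#!/bin/bash
+# info: Log User logout event
+# options: USER FINGERPRINT
+
+# Argument definition
+user=$1
+fingerprint=$2
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER FINGERPRINT'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+
+if [ ! -f $USER_DATA/auth.log ]; then
+touch $USER_DATA/auth.log
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+awk -i inplace -v finger="FINGERPRINT='$fingerprint'" -v active="active='no'" '$2 == finger {$5=active}1' $USER_DATA/auth.log
+
+#----------------------------------------------------------#
+# Hestia #
+#----------------------------------------------------------#
+
+exit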
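Review bot: Line 29 relies on `awk -i inplace`, a gawk-only extension; on a host where `awk` resolves to mawk or busybox awk the command fails and the session is never marked inactive, and nothing in the script checks for that beyond the status a bare `exit` passes through from the last command. Unless the installer guarantees gawk, consider writing to a temporary file and moving it over auth.log, or at least testing the awk exit status and calling `check_result` or an equivalent before `exit`. The fingerprint is stored here unvalidated exactly as in bin/v-log-user-login, where the issue is noted.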

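--- a/func/upgrade.sh
+++ b/func/upgrade.sh
@@ -126,6 +126,13 @@ upgrade_health_check() {
 echo "[ ! ] Adding missing variable to hestia.conf: LOGIN_STYLE ('default')"
 $BIN/v-change-sys-config-value "LOGIN_STYLE" "default"
 fi
+
+# Inactive session timeout
+if [ -z "$INACTIVE_SESSION_TIMEOUT" ]; then
+echo "[ ! ] Adding missing variable to hestia.conf: INACTIVE_SESSION_TIMEOUT ('60')"
+$BIN/v-change-sys-config-value "INACTIVE_SESSION_TIMEOUT" "60"
+fi
+
 
 echo "[ * ] Health check complete. Starting upgrade from $VERSION to $new_version..."
 echo "============================================================================="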

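--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -1089,6 +1089,9 @@ echo "LANGUAGE='$lang'" >> $HESTIA/conf/hestia.conf
 # Login in screen
 echo "LOGIN_STYLE='default'" >> $HESTIA/conf/hestia.conf
 
+# Inactive session timeout
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+
 # Version & Release Branch
 echo "VERSION='${HESTIA_INSTALL_VER}'" >> $HESTIA/conf/hestia.conf
 echo "RELEASE_BRANCH='release'" >> $HESTIA/conf/hestia.conf
@@ -1687,7 +1690,6 @@ if [ "$mysql" = 'yes' ]; then
 source $HESTIA_INSTALL_DIR/phpmyadmin/pma.sh > /dev/null 2>&1
 fi
 
-
 #----------------------------------------------------------#
 # Configure Admin User #
 #----------------------------------------------------------#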

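--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -1140,6 +1140,9 @@ echo "LANGUAGE='$lang'" >> $HESTIA/conf/hestia.conf
 # Login in screen
 echo "LOGIN_STYLE='default'" >> $HESTIA/conf/hestia.conf
 
+# Inactive session timeout
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+
 # Version & Release Branch
 echo "VERSION='${HESTIA_INSTALL_VER}'" >> $HESTIA/conf/hestia.conf
 echo "RELEASE_BRANCH='release'" >> $HESTIA/conf/hestia.conf
@@ -1722,7 +1725,6 @@ else
 echo "API='no'" >> $HESTIA/conf/hestia.conf
 fi
 
-
 #----------------------------------------------------------#
 # Fix phpmyadmin #
 #----------------------------------------------------------#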

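--- a/install/upgrade/versions/1.2.2.sh
+++ b/install/upgrade/versions/1.2.2.sh
@@ -45,4 +45,4 @@ if [ -f "$apt/postgresql.list" ]; then
 echo " ----- PostgreSQL"
 sed -i "s/http\:\/\/apt.postgresql.org/https\:\/\/apt.postgresql.org/g" $apt/postgresql.list
 fi
-fi
+fi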

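--- a/web/delete/user/log/index.php
+++ b/web/delete/user/log/index.php
@@ -0,0 +1,40 @@
+<?php
+// Init
+error_reporting(NULL);
+session_start();
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+header('location: /login/');
+exit();
+}
+
+// Clear log
+$v_username = escapeshellarg($user);
+exec (HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
+//check_return_code($return_var,$output);
+//unset($output);
+
+
+$ip = $_SERVER['REMOTE_ADDR'];
+if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
+if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
+$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+}
+}
+$v_ip = escapeshellarg($ip);
+
+$v_murmur = escapeshellarg($_SESSION['MURMUR']);
+exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." ".$v_murmur, $output, $return_var);
+
+// Render page
+//render_page($user, $TAB, 'list_auth');
+
+// Flush session messages
+unset($_SESSION['error_msg']);
+unset($_SESSION['ok_msg']);
+
+header("Location: /edit/user/log/?user=".$_SESSION['user']);
+
+exit;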
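Review bot: Lines 21–25 trust the `HTTP_CF_CONNECTING_IP` request header unconditionally, so when the panel is not fronted by Cloudflare any client can choose the address that ends up in the authentication log; v-log-user-login's `is_format_valid 'user' 'ip'` appears to restrict it to a well-formed address, not to the real one, and an audit record the client controls loses its value. Honour the header only when `$_SERVER['REMOTE_ADDR']` is a known proxy address and otherwise keep REMOTE_ADDR. The `check_return_code` call on line 16 is commented out, so a failed v-delete-user-auth-log still redirects as if the log had been cleared and the user gets no error message; the new login record on line 29 likewise ignores `$return_var`. The token comparison on line 8 uses loose `!=`; `hash_equals((string)$_SESSION['token'], (string)$_GET['token'])` avoids PHP type juggling on numeric-looking tokens.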
