Merge branch 'main' into staging/nginx-conf

Author: jaapmarcus

.drone.yml

@@ -1,3 +1,101 @@
+---
+kind: pipeline
+type: ssh
+name: Ubuntu | Nginx + Apache2  
+
+concurrency:
+  limit: 1
+
+server:
+  host:
+    from_secret: server_address
+  user: 
+    from_secret: username
+  ssh_key: 
+    from_secret: ssh_key
+
+platform:
+  os: linux
+  arch: amd64
+   
+steps:
+- name: Download submodules
+  image: alpine/git
+  commands:
+  - git submodule update --init --recursive
+- name: Build Hestia package and install
+  commands:
+  - ./src/hst_autocompile.sh --hestia --install '~localsrc'
+- name: Run system / user tests
+  commands:
+  - bats ./test/test.bats
+- name: Run restore tests
+  commands:
+  - bats ./test/restore.bats
+- name: Run config tests 
+  commands:
+  - bats ./test/config-tests.bats
+
+trigger:
+  event: [ pull_request, push ]
+  ref:
+  - refs/heads/staging/*
+  - refs/heads/beta
+  - refs/heads/release
+  - refs/heads/main
+  - refs/pull/*/head
+
+---
+kind: pipeline
+type: ssh
+name: Debian | Nginx  
+
+concurrency:
+  limit: 1
+
+server:
+  host:
+    from_secret: server_address2
+  user: 
+    from_secret: username
+  ssh_key: 
+    from_secret: ssh_key
+
+platform:
+  os: linux
+  arch: amd64
+   
+steps:
+- name: Download submodules
+  image: alpine/git
+  commands:
+  - git submodule update --init --recursive
+- name: Build Hestia package install
+  commands:
+  - ./src/hst_autocompile.sh --hestia --install '~localsrc'
+- name: Run system / user tests
+  commands:
+  - bats ./test/test.bats
+- name: Run restore tests
+  commands:
+  - bats ./test/restore.bats
+- name: Run Letsencrypt test against Staging
+  commands:
+  - cp /root/le-env.sh /tmp/hestia-le-env.sh
+  - bats ./test/letsencrypt.bats
+- name: Run config tests 
+  commands:
+  - bats ./test/config-tests.bats
+  
+trigger:
+  event: [ pull_request, push ]
+  ref:
+  - refs/heads/staging/*
+  - refs/heads/beta
+  - refs/heads/release
+  - refs/heads/main
+  - refs/pull/*/head
+
 ---
 kind: pipeline
 type: docker
@@ -8,7 +106,7 @@ concurrency:
 
 steps:
   - name: Shellcheck
-    image: koalaman/shellcheck-alpine
+    image: koalaman/shellcheck-alpine:v0.8.0
     commands:
     - ./test/shellcheck.sh
   - name: PHP 8.1
@@ -18,14 +116,55 @@ steps:
 
 trigger:
       event: [ pull_request, push ]
-      ref:
-      - refs/heads/staging/*
-      - refs/heads/beta
-      - refs/heads/release
-      - refs/heads/main
-      - refs/pull/*/head
 
+---
+kind: pipeline
+type: docker
+name: Push to beta atp server
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: Build
+    image: debian:bullseye
+    commands:
+    - ln -snf /etc/localtime && echo CET > /etc/timezone
+    - ./src/hst_autocompile.sh --dontinstalldeps --hestia --debug --cross --noinstall --keepbuild --debug '~localsrc'
+    - mkdir -p ./hestia/
+    - mv /tmp/hestiacp-src/deb/*.deb ./hestia/
+  - name: Upload
+    image: appleboy/drone-scp
+    settings:
+      host:
+        from_secret: apt_server
+      user: root
+      key:
+        from_secret: ssh_key
+      port: 22
+      command_timeout: 2m
+      target: /root/
+      source:
+        - ./hestia/*
+  - name: Publish
+    image: appleboy/drone-ssh
+    settings:
+        host:
+          from_secret: apt_server
+        user: root
+        key:
+          from_secret: ssh_key
+        port: 22
+        command_timeout: 2m
+        script:
+            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/jammy apt/stretch apt/buster apt/bullseye
+            - freight-cache
+            - rm -fr ./hestia/
+  
+trigger:
+    event: [ promote] 
 
 ---
 kind: signature
-hmac: 4eec34ee92f63737d6a976140e6e54adf637ebbb4836b17a083c560a4440c54f
+hmac: f89a311b0f023c6ee92dbdb56bcd23ec663ef9242269a6b70c1c222bac4380ee

CHANGELOG.md

@@ -1,6 +1,52 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.7] - Service release 
+
+### Bugfixes
+
+- Fixed an issue with upgrade script Roundcube that caused issues with upgrade of new installs 
+- Fixed an bug with DNS templates #2827
+- Update v-update-sys-hestia-git
+
+## [1.6.6] - Service release 
+
+### Bugfixes
+
+- Update DNS templates with CNAME for ftp, www and webmail (#2808)
+- Fix name server A record validation error (#2807)
+- Fixed issue with renaming domains and config files not properly removed (#2803)
+- Add loading indicator after clicking save button (#2740)
+- Improve hostname detection in mail-wrapper (#2805 @clarkchentw)
+
+### Security
+
+- Fixed an vulnerability in v-add-web-domain-redirect (CVE-2022-2636)
+- Fixed an vulnerability in Ubuntu that can lead in privilege escalation for admin to root user (CVE-2022-2626)
+
+### Dependencies
+
+- Update Roundcube to 1.6.0
+- Update Dokuwiki to "2022-07-31" Igor (#2811)
+
+## [1.6.5] - Service release 
+
+### Bugfixes
+
+- Add missing translation strings (#2778 @myrevery)
+- Add check if folder exists in v-change-web-domain-docroot (#2778)
+
+### Security
+
+- Improve random bytes generator (#2774)
+- Don't allow /inc/2fa/secret.php called from the web browser directly (#2784 @mayappear)
+- Improve CSRF Origin Check Bypass (#2785 @mayappear)
+- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE-2022-2550)
+
+### Dependencies
+
+- Update Filegator to 7.8.2
+
 ## [1.6.4] - Service release 
 
 ### Bugfixes

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.6.4 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.7 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

bin/v-add-dns-record

@@ -73,6 +73,10 @@ if [ "$rtype" != "CAA" ]; then
     fi
 fi
 
+if [ "$record" = "@" ] && [ "$rtype" = "CNAME" ]; then
+    check_result $E_INVALID "CNAME on root is not allowed"
+fi
+
 # Additional argument formatting
 format_domain
 format_domain_idn

bin/v-add-firewall-chain

@@ -20,12 +20,6 @@ protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 # Defining absolute path to iptables
 iptables="/sbin/iptables"
 
-# Get hestia port by reading nginx.conf
-hestiaport=$(grep 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
-if [ -z "$hestiaport" ]; then
-    hestiaport=8083
-fi
-
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
 source /etc/hestiacp/hestia.conf
@@ -36,6 +30,12 @@ source $HESTIA/func/firewall.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
+# Get hestia port by reading nginx.conf
+hestiaport=$(grep 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
+if [ -z "$hestiaport" ]; then
+    hestiaport=8083
+fi
+
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#

bin/v-add-letsencrypt-host

@@ -11,14 +11,6 @@
 #                Variables & Functions                     #
 #----------------------------------------------------------#
 
-# Argument definition
-domain=$(hostname -f);
-if [ -z $domain ]; then 
-    domain=$HOSTNAME;
-fi
-user="$($HESTIA/bin/v-search-domain-owner "$domain" web)"
-[[ -z "$user" ]] && user="admin"
-
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
 source /etc/hestiacp/hestia.conf
@@ -32,6 +24,14 @@ source_conf "$HESTIA/conf/hestia.conf"
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+# Argument definition
+domain=$(hostname -f);
+if [ -z $domain ]; then 
+    domain=$HOSTNAME;
+fi
+user="$($HESTIA/bin/v-search-domain-owner "$domain" web)"
+[[ -z "$user" ]] && user="admin"
+
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#

bin/v-add-sys-roundcube

@@ -46,7 +46,7 @@ if [ -z "$HESTIA" ]; then
     HESTIA="/usr/local/hestia"
 fi
 
-if [ -z "$HOMEDIR" ] || [ -z "$HESTIA_INSTALL_DIR" ]; then
+if [ -z "$HOMEDIR" ] || [ -z "$HESTIA_COMMON_DIR" ]; then
     echo "ERROR: Environment variables not present, installation aborted."
     exit 2
 fi
@@ -97,21 +97,21 @@ if [ "$UPDATE" == "no" ]; then
     rm -f -r $RC_INSTALL_DIR/config/
     ln -s $RC_CONFIG_DIR/ ./config
     # Replace with Hestia config
-    cp -f $HESTIA_INSTALL_DIR/roundcube/main.inc.php $RC_CONFIG_DIR/config.inc.php
-    cp -f $HESTIA_INSTALL_DIR/roundcube/mimetypes.php $RC_CONFIG_DIR/mimetypes.php
+    cp -f $HESTIA_COMMON_DIR/roundcube/main.inc.php $RC_CONFIG_DIR/config.inc.php
+    cp -f $HESTIA_COMMON_DIR/roundcube/mimetypes.php $RC_CONFIG_DIR/mimetypes.php
     chmod 644 $RC_CONFIG_DIR/*.php
 
-    cp -f $HESTIA_INSTALL_DIR/roundcube/hestia.php $RC_INSTALL_DIR/plugins/password/drivers/
+    cp -f $HESTIA_COMMON_DIR/roundcube/hestia.php $RC_INSTALL_DIR/plugins/password/drivers/
     mkdir -p $RC_CONFIG_DIR/plugins/password
     mkdir -p $RC_CONFIG_DIR/plugins/newmail_notifier
     mkdir -p $RC_CONFIG_DIR/plugins/zipdownload
 
     # Allow changes to the respective config / Create symlinks to /etc/roundcube/ 
-    cp -f $HESTIA_INSTALL_DIR/roundcube/config.inc.php $RC_CONFIG_DIR/plugins/password/config.inc.php
+    cp -f $HESTIA_COMMON_DIR/roundcube/config.inc.php $RC_CONFIG_DIR/plugins/password/config.inc.php
     ln -s $RC_CONFIG_DIR/plugins/password/config.inc.php ./plugins/password/config.inc.php
-    cp -f $HESTIA_INSTALL_DIR/roundcube/plugins/config_newmail_notifier.inc.php $RC_CONFIG_DIR/plugins/newmail_notifier/config.inc.php
+    cp -f $HESTIA_COMMON_DIR/roundcube/plugins/config_newmail_notifier.inc.php $RC_CONFIG_DIR/plugins/newmail_notifier/config.inc.php
     ln -s $RC_CONFIG_DIR/plugins/newmail_notifier/config.inc.php ./plugins/newmail_notifier/config.inc.php
-    cp -f $HESTIA_INSTALL_DIR/roundcube/plugins/config_zipdownload.inc.php $RC_CONFIG_DIR/plugins/zipdownload/config.inc.php
+    cp -f $HESTIA_COMMON_DIR/roundcube/plugins/config_zipdownload.inc.php $RC_CONFIG_DIR/plugins/zipdownload/config.inc.php
     ln -s $RC_CONFIG_DIR/plugins/zipdownload/config.inc.php ./plugins/zipdownload/config.inc.php
 
     # Set up correct permissions roundcube    

bin/v-add-user

@@ -31,8 +31,9 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 is_user_free() {
     # these names may cause issues with MariaDB/MySQL database names and should be reserved:
+    # sudo has been added due to Privilege escalation as sudo group has always sudo permission
     check_sysuser=$(php -r '$reserved_names=array("aria", "aria_log", "mysql", "mysql_upgrade", "ib", "ib_buffer",
- "ddl", "ddl_recovery", "performance"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" );
+ "ddl", "ddl_recovery", "performance", "sudo"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" );
     if [ -n "$check_sysuser" ]; then
         check_result "$E_INVALID" "The user name '$user' is reserved and cannot be used. List of reserved names: $check_sysuser"
         return

bin/v-add-web-domain-backend

@@ -49,6 +49,10 @@ check_hestia_demo_mode
 prepare_web_backend
 get_domain_values 'web'
 
+if [[ -n "$BACKEND" && "$BACKEND" != "$template" ]];then
+    check_result "$E_EXISTS" "Pool already exists"
+fi
+
 # Allocating backend port
 backend_port=9000
 ports=$(grep -v '^;' $pool/* 2>/dev/null |grep listen |grep -o :[0-9].*)

bin/v-add-web-domain-redirect

@@ -42,21 +42,18 @@ is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
 
-scheme=0
 if [[ "$3" =~ http://|https:// ]]; then
     scheme=1
-    regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
-    if ! [[ "$3" =~ $regex ]]; then
-        echo "Invalid redirect"
-        exit 2;
+    isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "$3")
+    if  [ -z "$isValidUrl" ]; then
+        check_result $E_INVALID "Invalid redirect"
     fi
 else
-    regex='[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
-    if ! [[ "$3" =~ $regex ]]; then
-        echo "Invalid redirect"
-        exit 2;
+    isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "http://$3")
+    if  [ -z "$isValidUrl" ]; then
+        check_result $E_INVALID "Invalid redirect"
     fi
-fi
+fi 
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode