Merge branch 'main' into release

jaapmarcus · jaapmarcus · commit 1b8a2f2ae4eb · 2022-03-03T18:31:32.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,15 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.5.10] - Service release
+
+### Bugfixes
+- Fixed an issue where webmail client options were not displayed in the Web UI (#2445)
+- Fixed an issue where users where not able to create an backup. (#2448 / #2449)
+- Fixed an issue where saving server settings could fail due to an incorrect PHP version check on mod-php servers (#2451)
+- Fixed an issue where MariaDB installations were broken when performing a clean install of HestiaCP v1.5.9 (#2452 | 2446)
+- Fixed recently discovered XSS vulnerabilities (#2453) [CVE-2022-0838](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0838)
+
 ## [1.5.9] - Service release
 
 ### Bugfixes
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.5.9 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.5.10 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9'
+HESTIA_INSTALL_VER='1.5.10'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1526,14 +1526,14 @@ if [ "$mysql" = 'yes' ]; then
     
     # Ater root password
     mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$mpass'; FLUSH PRIVILEGES;"
-    # Remove root login from remote servers 
-    mysql -e "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    # Allow mysql access via socket for startup
+    mysql -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
     # Disable anonymous users
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
     mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
-    
+    # Flush privileges
     mysql -e "FLUSH PRIVILEGES;"
 fi
 
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9'
+HESTIA_INSTALL_VER='1.5.10'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1545,14 +1545,14 @@ if [ "$mysql" = 'yes' ]; then
     
     # Ater root password
     mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$mpass'; FLUSH PRIVILEGES;"
-    # Remove root login from remote servers 
-    mysql -e "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    # Allow mysql access via socket for startup
+    mysql -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
     # Disable anonymous users
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
     mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
-    
+    # Flush privileges
     mysql -e "FLUSH PRIVILEGES;"
 fi
 
diff --git a/install/upgrade/versions/1.5.10.sh b/install/upgrade/versions/1.5.10.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.5.9
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+
+# shellcheck source=/usr/local/hestia/func/db.sh
+source $HESTIA/func/db.sh
+
+if [ -n "$(echo $DB_SYSTEM | grep -w mysql)" ]; then
+    mysql_connect 'localhost'
+    version=$(mysql --defaults-file=/usr/local/hestia/conf/.mysql.localhost -e 'SELECT VERSION()')
+    mysql_version=$(echo $version | grep -o -E '[0-9]*.[0-9].[0-9]+' | head -n1);
+    mysql_version2=$(echo $mysql_version | grep -o -E '[0-9]*.[0-9]' | head -n1 );
+    
+    if [ "$mysql_version2" = "10.6" ]; then 
+        test=$(mysql -e "select * from mysql.global_priv;" | grep root | grep unix_socket);
+        if [ -z "$test" ]; then 
+            echo "[ ! ] Updating MariaDB permissions to fix startup issue "
+            mysql --defaults-file=/usr/local/hestia/conf/.mysql.localhost -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
+        fi
+    fi
+fi
diff --git a/src/deb/hestia/control b/src/deb/hestia/control
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.5.9
+Version: 1.5.10
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com
diff --git a/web/add/db/index.php b/web/add/db/index.php
@@ -121,7 +121,7 @@
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'), htmlentities($user)."_".htmlentities($_POST['v_database']), htmlentities($user)."_".htmlentities($_POST['v_database']));
+        $_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'), htmlentities($user_plain)."_".htmlentities($_POST['v_database']), htmlentities($user_plain)."_".htmlentities($_POST['v_database']));
         $_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . sprintf(_('open %s'), $db_admin) . "</a>";
         unset($v_database);
         unset($v_dbuser);
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
@@ -22,7 +22,11 @@
 // List mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
     $v_domain = $_GET['domain'];
-
+    
+    exec(HESTIA_CMD."v-list-sys-webmail json", $output, $return_var);
+    $webmail_clients = json_decode(implode('', $output), true);
+    unset($output);
+    
     exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     check_return_code_redirect($return_var, $output, '/list/mail/');
diff --git a/web/edit/server/index.php b/web/edit/server/index.php
@@ -242,47 +242,48 @@
         unset($output);
         $v_hostname = $_POST['v_hostname'];
     }
-
-    // Install/remove php versions
-    if (empty($_SESSION['error_msg'])) {
-        if (!empty($v_php_versions)) {
-            $post_php = $_POST['v_php_versions'];
-            if(empty($post_php)){
-                $post_php = array();
-            }
-
-            array_map(function ($php_version) use ($post_php) {
-                if (array_key_exists($php_version->tpl, $post_php)) {
-                    if (!$php_version->installed) {
-                        exec(HESTIA_CMD . "v-add-web-php " . escapeshellarg($php_version->version), $output, $return_var);
-                        check_return_code($return_var, $output);
-                        unset($output);
-                        if (empty($_SESSION['error_msg'])) {
-                            $php_version->installed = true;
+    
+    if($_SESSION['WEB_BACKEND'] == "php-fpm"){
+        // Install/remove php versions
+        if (empty($_SESSION['error_msg'])) {
+            if (!empty($v_php_versions)) {
+                $post_php = $_POST['v_php_versions'];
+                if(empty($post_php)){
+                    $post_php = array();
+                }
+                array_map(function ($php_version) use ($post_php) {
+                    if (array_key_exists($php_version->tpl, $post_php)) {
+                        if (!$php_version->installed) {
+                            exec(HESTIA_CMD . "v-add-web-php " . escapeshellarg($php_version->version), $output, $return_var);
+                            check_return_code($return_var, $output);
+                            unset($output);
+                            if (empty($_SESSION['error_msg'])) {
+                                $php_version->installed = true;
+                            }
                         }
-                    }
-                } else {
-                    if ($php_version->installed && !$php_version->protected) {
-                        exec(HESTIA_CMD . "v-delete-web-php " . escapeshellarg($php_version->version), $output, $return_var);
-                        check_return_code($return_var, $output);
-                        unset($output);
-                        if (empty($_SESSION['error_msg'])) {
-                            $php_version->installed = false;
+                    } else {
+                        if ($php_version->installed && !$php_version->protected) {
+                            exec(HESTIA_CMD . "v-delete-web-php " . escapeshellarg($php_version->version), $output, $return_var);
+                            check_return_code($return_var, $output);
+                            unset($output);
+                            if (empty($_SESSION['error_msg'])) {
+                                $php_version->installed = false;
+                            }
                         }
                     }
-                }
-
-                return $php_version;
-            }, $v_php_versions);
-        }
-    }
     
-    if (empty($_SESSION['error_msg'])) {
-        if($_POST['v_php_default_version'] != DEFAULT_PHP_VERSION) {
-            exec(HESTIA_CMD . "v-change-sys-php " . escapeshellarg($_POST['v_php_default_version']), $output, $return_var);
-            check_return_code($return_var, $output);
-            unset($output);
-        }   
+                    return $php_version;
+                }, $v_php_versions);
+            }
+        }
+        
+        if (empty($_SESSION['error_msg'])) {
+            if($_POST['v_php_default_version'] != DEFAULT_PHP_VERSION) {
+                exec(HESTIA_CMD . "v-change-sys-php " . escapeshellarg($_POST['v_php_default_version']), $output, $return_var);
+                check_return_code($return_var, $output);
+                unset($output);
+            }   
+        }
     }
     
     // Change timezone
diff --git a/web/js/app.js b/web/js/app.js
@@ -63,7 +63,6 @@ $.fn.scrollTo = function( target, options, callback ){
  * The mask defaults to dateFormat.masks.default.
  */
 
-
 var dateFormat = function () {
     var token = /d{1,4}|m{1,4}|yy(?:yy)?|([HhMsTt])\1?|[LloSZ]|"[^"]*"|'[^']*'/g,
         timezone = /\b(?:[PMCEA][SDP]T|(?:Pacific|Mountain|Central|Eastern|Atlantic) (?:Standard|Daylight|Prevailing) Time|(?:GMT|UTC)(?:[-+]\d{4})?)\b/g,
diff --git a/web/js/pages/add_db.js b/web/js/pages/add_db.js
@@ -3,7 +3,7 @@
 // Updates database username dynamically, showing its prefix
 App.Actions.DB.update_db_username_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     } 
     $(elm).parent().find('.hint').text(GLOBAL.DB_USER_PREFIX + hint);
 }
@@ -13,7 +13,7 @@ App.Actions.DB.update_db_username_hint = function(elm, hint) {
 // Updates database name dynamically, showing its prefix
 App.Actions.DB.update_db_databasename_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     } 
     $(elm).parent().find('.hint').text(GLOBAL.DB_DBNAME_PREFIX + hint);
 }
diff --git a/web/js/pages/add_dns_rec.js b/web/js/pages/add_dns_rec.js
@@ -4,7 +4,7 @@
 App.Actions.DB.update_dns_record_hint = function(elm, hint) {
     // clean hint
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     }
 
     // set domain name without rec in case of @ entries
diff --git a/web/js/pages/add_mail_acc.js b/web/js/pages/add_mail_acc.js
@@ -141,7 +141,7 @@ generate_mail_credentials = function() {
     var div = $('.mail-infoblock').clone();
     div.find('#mail_configuration').remove();
     var pass=div.find('#v_password').text();
-    if (pass=="") div.find('#v_password').html(' ');
+    if (pass=="") div.find('#v_password').text(' ');
     var output = div.text();
     output=output.replace(/(?:\r\n|\r|\n|\t)/g, "|");
     output=output.replace(/  /g, "");
@@ -188,29 +188,29 @@ $(document).ready(function() {
 
         switch(opt.attr('v_type')){
             case 'hostname':
-                $('#td_imap_hostname').html(opt.attr('domain'));
-                $('#td_smtp_hostname').html(opt.attr('domain'));
+                $('#td_imap_hostname').text(opt.attr('domain'));
+                $('#td_smtp_hostname').text(opt.attr('domain'));
                 break;
             case 'starttls':
-                $('#td_imap_port').html('143');
-                $('#td_imap_encryption').html('STARTTLS');
-                $('#td_smtp_port').html('587');
-                $('#td_smtp_encryption').html('STARTTLS');
+                $('#td_imap_port').text('143');
+                $('#td_imap_encryption').text('STARTTLS');
+                $('#td_smtp_port').text('587');
+                $('#td_smtp_encryption').text('STARTTLS');
                 break;
             case 'ssl':
-                $('#td_imap_port').html('993');
-                $('#td_imap_encryption').html('SSL / TLS');
-                $('#td_smtp_port').html('465');
-                $('#td_smtp_encryption').html('SSL / TLS');
+                $('#td_imap_port').text('993');
+                $('#td_imap_encryption').text('SSL / TLS');
+                $('#td_smtp_port').text('465');
+                $('#td_smtp_encryption').text('SSL / TLS');
                 break;
             case 'no_encryption':
-                $('#td_imap_hostname').html(opt.attr('domain'));
-                $('#td_smtp_hostname').html(opt.attr('domain'));
+                $('#td_imap_hostname').text(opt.attr('domain'));
+                $('#td_smtp_hostname').text(opt.attr('domain'));
 
-                $('#td_imap_port').html('143');
-                $('#td_imap_encryption').html(opt.attr('no_encryption'));
-                $('#td_smtp_port').html('25');
-                $('#td_smtp_encryption').html(opt.attr('no_encryption'));
+                $('#td_imap_port').text('143');
+                $('#td_imap_encryption').text(opt.attr('no_encryption'));
+                $('#td_smtp_port').text('25');
+                $('#td_smtp_encryption').text(opt.attr('no_encryption'));
                 break;
         }
         generate_mail_credentials();
diff --git a/web/js/pages/add_web.js b/web/js/pages/add_web.js
@@ -3,7 +3,7 @@
     var domain = $('select[name="v-custom-doc-domain"]').val();
     var folder = $('input[name="v-custom-doc-folder"]').val();
     console.log(domain, folder);
-    $('.custom_docroot_hint').html(prepath+domain+'/public_html/'+folder);
+    $('.custom_docroot_hint').text(prepath+domain+'/public_html/'+folder);
 }
 App.Listeners.DB.keypress_custom_folder = function() {
     var ref = $('input[name="v-custom-doc-folder"]');
@@ -40,7 +40,7 @@ App.Listeners.DB.change_custom_doc();
 
 App.Actions.WEB.update_ftp_username_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     }
     
     hint = hint.replace(/[^\w\d]/gi, '');
@@ -88,7 +88,7 @@ App.Listeners.WEB.keypress_domain_name = function() {
 
 App.Actions.WEB.update_ftp_path_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.v-ftp-path-hint').html('');
+        $(elm).parent().find('.v-ftp-path-hint').text('');
     }
 
     if (hint[0] != '/') {
diff --git a/web/js/pages/edit_db.js b/web/js/pages/edit_db.js
@@ -3,7 +3,7 @@
 // Updates database username dynamically, showing its prefix
 App.Actions.DB.update_db_username_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     } 
     $(elm).parent().find('.hint').text(GLOBAL.DB_USER_PREFIX + hint);
 }
@@ -13,7 +13,7 @@ App.Actions.DB.update_db_username_hint = function(elm, hint) {
 // Updates database name dynamically, showing its prefix
 App.Actions.DB.update_db_databasename_hint = function(elm, hint) {
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     } 
     $(elm).parent().find('.hint').text(GLOBAL.DB_DBNAME_PREFIX + hint);
 }
diff --git a/web/js/pages/edit_dns_rec.js b/web/js/pages/edit_dns_rec.js
@@ -4,7 +4,7 @@
 App.Actions.DB.update_dns_record_hint = function(elm, hint) {
     // clean hint
     if (hint.trim() == '') {
-        $(elm).parent().find('.hint').html('');
+        $(elm).parent().find('.hint').text('');
     }
 
     // set domain name without rec in case of @ entries
diff --git a/web/js/pages/edit_mail_acc.js b/web/js/pages/edit_mail_acc.js
diff --git a/web/schedule/backup/index.php b/web/schedule/backup/index.php
diff --git a/web/templates/pages/add_db.html b/web/templates/pages/add_db.html
diff --git a/web/templates/pages/edit_db.html b/web/templates/pages/edit_db.html
