Merge remote-tracking branch 'origin/staging/fixes' into fix/1002-Web_Security_improvements

Author: jaapmarcus

.gitignore

@@ -15,3 +15,4 @@ test/node_modules/
 npm-debug.log
 .phpunit.result.cache
 .vs
+.nova

CHANGELOG.md

@@ -1,9 +1,97 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-## [CURRENT] - Development
+## [1.3.1] - Service Release
 ### Features
-- Use stronger ciphers and Disable TLS v1.1 for vsftpd.
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Fixed an issue where updates for `hestia-php` were incorrectly being marked as out-of-date in the UI due to a change in our servicing and package versioning scheme.
+- Fixed an issue that occured on the Updates page where the table row color of available updates would be difficult to read.
+- Fixed an issue where an administrator would get stuck in a loop trying to navigate back after adding a SSH key.
+- Fixed an issue where long table entries which exceeded the table length would overlap other UI elements.
+- Fixed an issue where the total amount of items on a page would fail to display correctly.
+- Improved the accuracy and reliability of tooltips throughout the the Control Panel UI:
+    - Removed unnecessary tooltips from buttons and other elements.
+    - Fixed incorrect tags which prevented tooltips from being displayed.
+    - Introduced tooltips to counter items on the Users, Packages, and Statistics pages to help better distinguish statistics.
+- Fixed an issue which caused higher than normal CPU usage during an upgrade due to a duplicate condition in the rebuild process.
+- Fixed minor spelling inconsistencies in command line script comments and output text.
+- Fixed an issue where old configuration files were not cleaned up when moving domains with `v-change-domain-owner`.
+- Fixed an issue where a `no backend template doesn't exist` could potentially would appear after upgrade with older templates (#1322).
+- Introduced caching templates for nginx + php-fpm configurations  - thanks **@cmstew**!
+- Fixed an issue where DNS cluster updates could fail due to the format of a DKIM record in an available zone - thanks **@jrohde**!
+- Improved the behavior of nginx SSL SNI detection to reject connections for domains which have no SSL certificate - thanks **@myrevery**! 
+- Improved the quality of comment formatting in command line scripts - thanks **@bisubus**! 
+- Fixed an issue where the logo was not displayed in the File Manager - thanks **@robothemes**!
+- Fixed an issue in the Control Panel UI which caused databases and additional FTP accounts to be named incorrectly if manually prefaced with the username.
+- Improved the visibility of service availability in the Control Panel UI.
+
+## [1.3.0] - Major Release (Feature / Quality Update)
+### Features
+- Users can now choose to point a domain to a different document root location (similar to domain parking).
+- The software update process will now perform a system health check before proceeding with installation.
+- Administrators now have control over software update notifications through the following settings in `$HESTIA/conf/hestia.conf` and through the Control Panel web interface:
+    - `UPGRADE_SEND_EMAIL` = Sends an email notification to primary admin account's email address
+    - `UPGRADE_SEND_EMAIL_LOG` = Sends installation log output to the primary admin account's email address
+- The upgrade process will now save installation logs to the `/root/hst_backups` directory by default for post-install troubleshooting.
+    - **Note:** We may adjust this path in the future and will document such changes as they happen.
+- We've introduced the ability to assign Administrator rights to other user accounts, enabling them to perform tasks under the Server Settings tab.
+- We've introduced a more robust translation system which will allow us to provide higher quality translations in future releases.
+    - **Note:** Some country codes have been updated, as a result your language setting may default back to English after upgrading.
+- For new installations, MariaDB 10.5 is now the default version.
+    - For existing installations, we've provided a manual post-install upgrade script. Please run `$HESTIA/install/upgrade/manual/upgrade_mariadb.sh` to migrate to MariaDB 10.5).
+- The user interface theme has been set to "Dark" by default. This can be changed from **Server Settings > Configure > Basic Options > Appearance**.
+    - **Note:** The name of the default theme has not been adjusted, and the change to the "dark" theme only applies to new installations at this time. This behavior may be changed in a future release.
+
+### Bugfixes
+- Fixed a security issue where user password reset keys could potentially be gleaned from system process list - thanks **RACK911 LABS**
+- Fixed an issue with passwords containing "`'`" - [Forum](https://forum.hestiacp.com/t/two-factor-authentication-issue-with-standard-user/1652/)
+- Fixed an issue with database backups when the port was not specified (#1068)
+- Fixed an issue where websites without SSL enabled would display the content of the first valid SSL enabled website (#1103)
+- Fixed an issue that would occur when using the `--with-debs` flag with the installer due to an incorrect version check routine (#1110)
+- Fixed an issue with incorrect permissions which would occur when restoring email accounts (#1114)
+- Fixed an issue where the File Manager would apply the wrong permissions on new directories
+- Fixed an issue that prevented successful restoration of SSL-enabled mail domains from a backup archive (#1069)
+- Fixed an issue where the phpMyAdmin button would not work in the Control Panel Web UI (#1078)
+- Fixed an issue where passwords were generated incorrectly (#1184)
+- Fixed an issue in `v-add-sys-ip` to ensure IP configuration is set to the correct port - thanks **@madito**
+- Fixed an issue that resulted in an extended loop condition when running `v-rebuild-all`
+- Improved support for API key usage with the `v-add-remote-dns-host` command (#1265)
+- Improved validation of free disk space when executing backup routine (#1115)
+- Improved support for SSH key types other than RSA / DSA
+- Improved reliability of backup function when removing remote locations (#1083)
+- Improved spam filtering by adding additional known-dangerous file extensions in exim's blacklist (#1138) - thanks **@kpapad904**
+- Updated Apache2 configuration to use Include with IncludeOptional (#1072)
+- Removed the ability to log in as "root" (whic logged to the admin account, deemed no longer necessary)
+- Add ca-certificates, software-properties-common to the dependencies (#1073 + [Forum](https://forum.hestiacp.com/t/hestiscp-fails-on-new-debian-9-vps/1623/8)) - thanks **@daniel-eder**
+- Create .npm directory by default when creating new user accounts (#1113) - thanks **@hahagu** 
+- Improved accuracy of several UI translations (NL, DE, UK, RU, ES, IT, ZH-CN) - thanks **@myrevery** and other contributors for your work!
+- Added `$restart` flag to `v-add-web-domain-backend` command (#1094) (#797) - thanks **@bright-soft**
+- PostgreSQL: forbid the use of upper case (#1084) causing issues with backup / creating database or user
+- Changed WordPress name in Quick Web App installer (#1074)
+- Cleaned up entries used in the Google / Gmail DNS template - thanks **@madito**
+- Enhanced ProFTPd support for TLS
+- Refactored LXD compiler script
+- Updated phpMyAdmin to version 5.0.4
+
+## [1.2.4] - Service Release
+### Features
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Fixes an issue on auto renewing let's encrypt certificates.
+
+## [1.2.3] - Service Release
+### Features
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Fixes an issue where non-ASCII characters were rejected in the password field.
+
+## [1.2.2] - Service Release
+### Features
+- No new features have been introduced in this release.
 
 ### Bugfixes
 - Create mailhelo.conf if it doesnt exist to prevent a error message during grep.
@@ -18,7 +106,12 @@ All notable changes to this project will be documented in this file.
 - Corrected an issue where tooltips were not displayed when hovering over the top level menu items.
 - Improved handling of APT repository keys during installation.
 - Reworked the Let's Encrypt renew functionality to skip removed aliases.
- 
+- Improved reliability of list handling when using IP lists.
+- Enforce minimum password requirements with visual indication of password strength.
+- Fixed an issue where user display name value was incorrectly set when changing packages.
+- Improved installer version detection.
+- Improved detection of MariaDB and MySQL services.
+
 ## [1.2.1] - Service Release
 ### Features
 - Consolidated First and Last Name fields to a singular name field to simply input.
@@ -58,7 +151,6 @@ All notable changes to this project will be documented in this file.
 - Added BATS system for testing the functionality of Bash scripts (WIP).
 - Added **v-change-sys-db-alias** to change phpMyAdmin and phpPgAdmin access points (`v-change-sys-db-alias pma/pga myCustomURL`).
 
-
 ### Bugfixes
 - Prevent ability to change the password of a non-Hestia user account. Thanks to **Alexandre Zanni**!
 - Adjust Let's Encrypt validation check for IDN domains, thanks to **@zanami**!

CONTRIBUTING.md

@@ -11,9 +11,9 @@ Ways to contribute
 - **New features**:
     - Is there an awesome feature that you'd love to see included? While our development team tries to fulfill all reasonable requests, it can take time to implement new features depending on the amount of work involved. Submit a pull request with your code and if your idea is approved, we'll review and test it for inclusion with an upcoming release.
 - **Translations**:
-    - If you are a non-English speaker and would like to improve the quality of the translations used in Hestia Control Panel's web interface, please review the `.php` files found under `hestiacp/web/inc/i18n` and submit a pull request or open an issue report [GitHub](https://www.github.com/hestiacp/hestiacp/issues) highlighting the issue with the current translation so that it can be corrected.
+    - If you are a non-English speaker and would like to improve the quality of the translations used in Hestia Control Panel's web interface, Please go to [Hestia Translate](https://translate.hestiacp.com/projects/hestiacp/) to review the translations. For more information please read [How to contribute with Translations](https://forum.hestiacp.com/t/how-to-contribute-with-translations/1664).  Or open an issue report [GitHub](https://www.github.com/hestiacp/hestiacp/issues) highlighting the issue with the current translation so that it can be corrected.
 - **Donations**:
-    - If you're not a developer but you still want to make a contribution, you can make a donation to the Hestia Control Panel project to further its development (or if you'd just like to buy our developers a lunch, we'd appreciate that too). We currently accept dontations through [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ST87LQH2CHGLA).
+    - If you're not a developer but you still want to make a contribution, you can make a donation to the Hestia Control Panel project to further its development (or if you'd just like to buy our developers a lunch, we'd appreciate that too). We currently accept donations through [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ST87LQH2CHGLA).
 
 Development Guidelines
 -----------------------
@@ -27,17 +27,17 @@ We have three primary or "evergreen" branches, which exist throughout our produc
 
 | Branch        | Description     | Cycle           |
 |---------------|:---------------:|:---------------:|
-| `main`        | Contains a snapshot of the latest development code.<br>**Not intended for production use and may be unstable.** | Daily  |
+| `main`        | Contains a snapshot of the latest development code.<br>**Not intended for production use and contains code from a merge snapshot.** | Daily  |
 | `beta`        | Contains a snapshot of the next version which is currently in testing.<br>**Not intended for production but should be highly stable.**  | Weekly |
-| `release`     | Contains a snapshot of the latest stable release.<br>**Intended for production use. Same code as packages in repository.** | Monthly |
+| `release`     | Contains a snapshot of the latest stable release.<br>**Intended for production use. This repository contains the same code as our compiled packages.** | Monthly |
 
 ### Creating a new branch and submitting pull requests
 The first step is to create a fork of the `hestiacp/hestiacp` repository under your account so that you may submit pull requests and patches via GitHub. 
 
 Once you've created your fork, clone the repository to your computer and make sure that you've checked out the `main` branch. **Always** create a new topic branch for you work. When submitting pull requests it is important that you target the correct branch to ensure that your changes are properly integrated and tested based on our release schedule. When creating a new branch, we ask that you please adhere to the following naming conventions as much as possible:
 
 ### Branch naming convention:
-- **Prefix:** `topic/` (such as **bugfix**, **feature**, **refactor**, etc.)
+- **Prefix:** `topic/` (such as **fix**, **feature**, **refactor**, etc.)
 - **ID**: `888` (GitHub Issue ID if an issue exists) -or- `2020-07` (Year-Month if an issue does not already exist)
 - **Separator:** `_` (underscore)
 - **Title:** `my-awesome-patch`
@@ -49,7 +49,7 @@ Branch name examples:
 * `test/2020-07_mail-domain-ssl`
 
 ### Squashing commits for smaller changes
-When submitting a pull request with multiple smaller commits which are related to the same file or issue, we ask that you please **squash your commits** whenever appropriate in order to keep the project's commit history clean and easy to follow for other developers.
+To aid other developers and keep the project's commit history clean, please **squash your commits** when it's appropriate. For example with smaller commits related to the same piece of code, such as commits labelled "Fixed item 1", "Adjusted color of button XYZ", "Adjusted alignment of button XYZ" can be squashed into one commit with the title "Fixed button issues in item". 
 
 ### What happens when I submit a pull request?
 - Our internal development team will review your work and validate your request.

ISSUE_TEMPLATE.md

@@ -8,8 +8,8 @@
 Please enter your answer here (e.g. When I try adding a web domain, an error message appeared stating that the php-fpm pool did not exist).
 
 ### What steps did you take when the issue occured? 
-1. Ex.: Click on the Web tab
-2. Ex.: Click on Add Web Domain
+1. Ex.: Click on the "Web" tab.
+2. Ex.: Click on "Add Web Domain".
 3. Ex.: Attempted to add a domain and received an Internal Server Error.
 
 ### Expected behavior:
@@ -19,7 +19,7 @@ Please enter your answer here (e.g. the web domain should have been added succes
 Please enter your answer here (e.g. Ubuntu 20.04 LTS)
 
 ### Hestia Control Panel version:
-Please enter your answer here (e.g. 1.2.0). 
+Please enter your answer here (e.g. 1.3.0). 
 
 ### Additional notes:
-If there is anything else that you'd like us to know about this issue, feel free to share here.
+If there is anything else that you'd like us to know about this issue that will help us diagnose and troubleshoot more effectively, such as links to forum posts or other discussions, please feel free to share here.

README.md

@@ -2,13 +2,13 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.2.0 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
-**Latest beta release:** Version 1.2.1 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/beta/CHANGELOG.md)<br>
-**Latest unstable development snapshot:** Version 1.2.2 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/main/CHANGELOG.md)<br>
+**Latest stable release:** Version 1.3.0 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
-**Forums:** [forum.hestiacp.com](https://forum.hestiacp.com/)<br><br>
+**Forums:** [forum.hestiacp.com](https://forum.hestiacp.com/)<br>
+**Discord:** [Join the discussion](https://discord.gg/nXRUZch)<br />
+<br>
 [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ST87LQH2CHGLA)
 <br>
 

SECURITY.md

@@ -2,6 +2,9 @@
 
 ## Reporting a Vulnerability
 
-If you have discovered a vulnerability in Hestia Control Panel,
-let our development team know via e-mail at info@hestiacp.com and
-we will respond as soon as possible.
+If you believe that you have have discovered a vulnerability in Hestia Control Panel,
+please let our development team know via email at info@hestiacp.com. 
+
+We ask that you please include a detailed description of the vulnerability,
+a list of services involved (e.g. exim, dovecot) and the versions which you've tested,
+full steps to reproduce the vulnerability, and include your findings and expected results.

bin/v-acknowledge-user-notification

@@ -1,6 +1,7 @@
 #!/bin/bash
 # info: update user notification
 # options: USER NOTIFICATION
+# labels: 
 #
 # The function updates user notification.
 

bin/v-add-backup-host

@@ -1,6 +1,9 @@
 #!/bin/bash
 # info: add backup host
 # options: TYPE HOST USERNAME PASSWORD [PATH] [PORT]
+# labels: 
+#
+# example: v-add-backup-host sftp backup.acme.com admin p4$$w@Rd
 #
 # This function adds a backup host
 
@@ -13,7 +16,8 @@
 type=$1
 host=$2
 user=$3
-password=$4; HIDE=4
+raw_password=$4; HIDE=4
+password=$(perl -e 'print quotemeta shift(@ARGV)' "${raw_password}")
 path=${5-/backup}
 port=$6
 

bin/v-add-cron-hestia-autoupdate

@@ -1,6 +1,7 @@
 #!/bin/bash
 # info: add cron job for hestia autoupdates
 # options: MODE
+# labels: 
 #
 # The function adds cronjob for hestia autoupdate from apt or git.
 

bin/v-add-cron-job

@@ -1,9 +1,12 @@
 #!/bin/bash
 # info: add cron job
 # options: USER MIN HOUR DAY MONTH WDAY COMMAND [JOB] [RESTART]
+# labels: 
+#
+# example: v-add-cron-job admin * * * * * sudo /usr/local/hestia/bin/v-backup-users
 #
 # The function adds a job to cron daemon. When executing commands, any output
-# is  mailed to user's email if parameter REPORTS is set to 'yes'.
+# is mailed to user's email if parameter REPORTS is set to 'yes'.
 
 
 #----------------------------------------------------------#