Fix/xss vulnrebility (hestiacp#4013)

* Fix XSS in edit server and add package

* Also update RHEL templates for Gitea

Author: jaapmarcus

install/rpm/templates/web/nginx/php-fpm/gitea.stpl

@@ -24,8 +24,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

install/rpm/templates/web/nginx/php-fpm/gitea.tpl

@@ -15,8 +15,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

web/edit/server/index.php

@@ -358,7 +358,9 @@
 					$return_var,
 				);
 				check_return_code($return_var, $output);
-				$v_timezone = $_POST["v_timezone"];
+				if (in_array($_POST["v_timezone"], $v_timezones)) {
+					$v_timezone = $_POST["v_timezone"];
+				}
 				unset($output);
 			}
 		}

web/templates/includes/js.php

@@ -9,7 +9,7 @@
 			NOTIFICATIONS_EMPTY: '<?= _("No notifications") ?>',
 			NOTIFICATIONS_DELETE_ALL: '<?= _("Delete all notifications") ?>',
 			CONFIRM_LEAVE_PAGE: '<?= _("Are you sure you want to leave the page?") ?>',
-			ERROR_MESSAGE: '<?= !empty($_SESSION["error_msg"]) ? htmlentities($_SESSION["error_msg"]) : "" ?>',
+			ERROR_MESSAGE: '<?= !empty($_SESSION["error_msg"]) ? htmlentities($_SESSION["error_msg"],ENT_QUOTES) : "" ?>',
 			BLACKLIST: '<?= _("BLACKLIST") ?>',
 			IPVERSE: '<?= _("IPVERSE") ?>'
 		});

web/templates/pages/add_package.php

@@ -117,7 +117,6 @@ class="fas icon-dim icon-maroon js-section-toggle-icon"
 						<select class="form-select" name="v_backend_template" id="v_backend_template">
 							<?php
 								foreach ($backend_templates as $key => $value) {
-								echo $v_backend_template;
 									echo "\t\t\t\t<option value=\"".$value."\"";
 									if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
 										echo ' selected' ;