ghzhost
diff --git a/‎CHANGELOG.md‎
Lines changed: 51 additions & 15 deletions b/‎CHANGELOG.md‎
Lines changed: 51 additions & 15 deletions
diff --git a/‎ISSUE_TEMPLATE.md‎
Lines changed: 14 additions & 16 deletions b/‎ISSUE_TEMPLATE.md‎
Lines changed: 14 additions & 16 deletions
diff --git a/‎README.md‎
Lines changed: 21 additions & 4 deletions b/‎README.md‎
Lines changed: 21 additions & 4 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 7 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎bin/v-add-dns-record‎
Lines changed: 7 additions & 3 deletions b/‎bin/v-add-dns-record‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎bin/v-add-firewall-chain‎
Lines changed: 1 addition & 0 deletions b/‎bin/v-add-firewall-chain‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎bin/v-add-letsencrypt-domain‎
Lines changed: 18 additions & 4 deletions b/‎bin/v-add-letsencrypt-domain‎
Lines changed: 18 additions & 4 deletions
diff --git a/‎bin/v-add-web-domain-ssl‎
Lines changed: 3 additions & 1 deletion b/‎bin/v-add-web-domain-ssl‎
Lines changed: 3 additions & 1 deletion
@@ -3,29 +3,60 @@ All notable changes to this project will be documented in this file.
 
 ## [CURRENT] - Development
 ### Features
+- Added support for configuring individual TTL per DNS record. Thanks to @jaapmarcus
+
+### Bugfixes
+- Disable Apache2 Server Status Module by default.
+- Do not allow to change the password of a non-hestia user. Thanks to Alexandre Zanni!
+- Use sury repository for Apache2 packages.
+- Check whether Nginx, Apache2 and MariaDB are selected for installation prior to adding third party repositories.
+- Remove duplicated set-cookie line in default fpm config.
+- Adjust let's encrypt validation check for idn domains, thanks to @zanami!
+- Set backup download location on restore for ftp/sftp, thanks to @Daniyal-Javani!
+- Ignore empty lines when listing firewall rules.
+- Changing email account password would fail when similar account names are found.
+- Preserve email quota when (un)suspending and rebuilding mail account.
+- Cleanup temporary file after running v-list-sys-services.
+- Don't calculate /home folder size in v-list-sys-info.
+- Cleanup temporary files when uploading custom SSL cert from WebUi.
+- Cleanup temporary files when adding/renewing letsencrypt SSL cert.
+
+## [1.1.1] - 2020-03-24 - Hotfix
+### Features
+- No new features introduced with v1.1.1, this is strictly a security/bug fix release.
+
+### Bugfixes
+- Fixed phpMyAdmin blowfish and tmp directory issues.
+- Added additional verification of host domain in password reset. Thanks to @FalzoMAD and @mmetince!
+- Fixed issue with rc.local not executing properly.
+- Rework of Let's Encrypt routine to use progressive delay between validation retries.
+- Fixed syntax issue in v-list-sys-db-status which prevented main functions from loading.
+- Removed /home size reporting when running v-list-sys-info due to performance issues.
+- Updated installer to use Ubuntu key server for Hestia APT repository.
+- Fixed duplicate demo mode check in v-change-user-password.
+
+## [1.1.0] - 2020-03-11 - Major Release (Feature / Quality Update)
+### Features
 - Added support for custom user interface themes.
-- Adjusted default font size for improved readability.
-- Added read only/demo mode function if DEMO_MODE is set to yes in hestia.conf.
+- Introduced official Dark and Flat themes.
+- Added read-only/demo mode - DEMO_MODE must be set to yes in hestia.conf to enable.
 - Added php-imagick module to installer and upgrade scripts.
 - Added recidive filter function to fail2ban.
-- Refactored MultiPHP functionality. MultiPHP will be enabled by default on new installations.
-- Allowed admin user to add or remove PHP versions from webui (edit/server->"Web Server" page).
+- Improved and refactored Multi-PHP functionality. 
+- Multi-PHP will be enabled by default on new installations.
+- Allow admin user to add/remove PHP versions from Web UI (Server -> Configure -> Web Server).
 - Extended v-extract-fs-archive to allow archive testing and extracting only specific paths (for tar)
 - Allow renaming of existing packages from console (v-rename-package).
-- Webmail IP address is now inherited from web domain when using multiple IPs.
-- Exim now uses the web domain IP if it exists.
-- Public IP is now used when updating webmail DNS record.
-- Added PHP 7.4 to MultiPHP.
-- Add Support for Debian 10 (Buster).
+- Added PHP 7.4 to Multi-PHP.
+- Addded official support for Debian 10 (Buster).
 
 ### Bugfixes
 - Added a detection of web root for add .well-known ACME challenge.
 - Reworked Let's Encrypt ACME staging to use Hestia code standards.
 - Fixed issues with incorrect font rendering on Windows and Linux.
 - Fixed issues with Let's Encrypt - use Nginx for Let's Encrypt ACME request if present.
-- Reworked v-add-sys-ip, removed CentOS/Red Hat support and reworked conditions.
+- Reworked v-add-sys-ip, removed deprecated CentOS/Red Hat code and reworked conditions.
 - Enabled HSTS and force SSL on v-add-letsencrypt-host.
-- Prevented login action for webmail in list user view.
 - Removed hardcoded mail in HELO data (cosmetic fix).
 - Fixed SFTP server validation check - thanks @dbannik.
 - Implemented security warning message when creating web domains with the default admin account.
@@ -57,18 +88,23 @@ All notable changes to this project will be documented in this file.
 - Fixed MultiPHP upgrade script to update all web templates.
 - Fixed report issue link in installer scripts.
 - Fixed database user authentification on backup restore.
-- Added robots.txt for roundcube webmail to prevent search bot crawling.
+- Added robots.txt for Roundcube webmail to prevent search bot crawling.
 - Re-Enable force ssl function on let's encrypt certification renew.
-- Added official postgresql repository to be up to date.
+- Added official PostgreSQL repository so system stays up-to-date with latest available upstream packages.
 - Hardening MySQL configuration, prevent local infile.
 - Fixed lograte bug and cleans up the messed up nginx/apache2 log permissions.
 - Fixed IfModule mpm_itk.c for apache2 templates.
-- Added mpm_itk for Deb10 single php installation only.
-- Hardening nginx configuration, drop TLSv1.1 support.
+- Added mpm_itk for Debian 10 (non Multi-PHP installations only.)
+- Hardening nginx configuration, dropped support for TLSv1.1.
 - Fixed excluding folders named "logs" from restore backup, thanks to @davidgolsen.
 - Fixed typo in delete psql database part, thanks to @joshbmarshall.
 - Split long txt records to 255 chunks to prevent bind issues, thanks to @setiseta.
 - Fixed missing restart routine for vsftp on v-add-letsencrypt-host.
+- Show amount of disk space consumed by /home when running v-list-sys-info.
+- Remove broken /webmail alias from previous versions.
+- Webmail IP address is now inherited from web domain when using multiple IPs.
+- Exim now uses the web domain IP if it exists.
+- Fix incorrect MX record for DNS domains using the Office 365 template.
 
 ## [1.0.6] - 2019-09-24 - Hotfix
 ### Bugfixes
 
@@ -1,11 +1,13 @@
-### The content below is simply a template. 
+### Please fill in the relevant sections below and remove those which do not apply.
 
-**To better assist in troubleshooting and aid with our debugging processes, we ask that you please delete any unnecessary sections below when filling out your issue report.**
+**To help aid our developers in debugging your issue we ask that you include as much information as possible, including the configuration of your server and troubleshooting steps already performed.**
 
-**Important: Please DO NOT include any personal or sensitive information in your issue reports, including usernames, passwords, or email addresses.**
+**Please DO NOT include any personal or sensitive information in your issue reports, including usernames or passwords!**
+
+===
 
 ### In a few words, please describe the issue that you're experiencing:
-Please enter your response here (e.g. When I try adding a web domain, an error message appeared stating that the php-fpm pool did not exist).
+Please enter your answer here (e.g. When I try adding a web domain, an error message appeared stating that the php-fpm pool did not exist).
 
 ### What steps did you take when the issue occured? 
 1. Ex.: Log into the Hestia Control Panel using Firefox
@@ -14,22 +16,25 @@ Please enter your response here (e.g. When I try adding a web domain, an error m
 4. Ex.: Attempted to add a domain and received an error.
 
 ### Expected behavior:
-Please enter your response here (e.g. the web domain should have been added successfully).
+Please enter your answer here (e.g. the web domain should have been added successfully).
+
+### Does this issue always occur, or is it intermittent?
+Please enter your answer here (e.g. it happens every time I try to perform the steps above).
 
 ### Operating system distribution and release:
-Please enter your response here (e.g. Ubuntu 18.04.3 LTS)
+Please enter your answer here (e.g. Ubuntu 18.04.3 LTS)
 
 ### Which version of Hestia Control Panel is currently installed?
 You can find this information in $HESTIA/conf/hestia.conf by running the following command:
 `grep VERSION $HESTIA/conf/hestia.conf`
 
-Please enter your response here (e.g. 1.0.6)
+Please enter your answer here (e.g. 1.1.0)
 
 ### Which branch are you using?
-Please enter your response here (e.g release, master, etc.)
+Please enter your answer here (e.g release, master, etc.)
 
 ### When did this issue occur? After a clean installation, or after an upgrade?
-Please enter your response here (e.g the feature stopped working after upgrading to the latest release)
+Please enter your answer here (e.g the feature stopped working after upgrading to the latest release)
 
 **Note:** If you have upgraded from an older release on an existing server, please let us know which version was previously installed if at all possible.
 
@@ -40,13 +45,6 @@ Please enter your response here (e.g the feature stopped working after upgrading
 - PHP-FPM + Multi-PHP
 - Other (please specify)
 
-### Which of the following server roles are installed on your server?
-- DNS
-- Mail (Dovecot + Exim)
-- Mail (Exim only)
-- MySQL (MariaDB)
-- PostgreSQL
-
 ### In order to better assist, please post any relevant log information below:
 Tip: Most log files can be found under ***/var/log/***.
 
 
@@ -1,7 +1,12 @@
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Current stable release:** Version 1.0.6, released on September 26th, 2019.<br>
-**Current development release:** Version 1.1.0, release date yet to be determined.
+**Current stable release:** Version 1.1.1, released on March 26th, 2020.<br>
+**Current development release:** Version 1.1.2.
+<br><br>
+**Due to a change of the repository infrastructure, please install the new key before you upgrade your existing installations:**
+```bash
+wget -qO - https://gpg.hestiacp.com/deb_signing.key | sudo apt-key add -
+```
 
 **Welcome!**
 ---------------------------- 
@@ -29,15 +34,15 @@ What does Hestia Control Panel support?
 ----------------------------
 * Standard Web Server (Apache/NGINX) with PHP
 * PHP Web Application Server (NGINX + PHP-FPM)
-* Multiple PHP versions (5.6 - 7.3)
+* Multiple PHP versions (5.6 - 7.4, with 7.3 currently as default for optimal compatibility)
 * DNS Server (Bind) with clustering capabilities
 * Mail Server (Exim/Dovecot) with Anti-Virus and Anti-Spam (ClamAV and SpamAssassin)
 * Database functionality (MariaDB/PostgreSQL)
 * Let's Encrypt SSL with wildcard certificates
 
 Supported operating systems:
 ----------------------------
-* Debian 8 or 9
+* Debian 8, 9, 10
 * Ubuntu 16.04 LTS or Ubuntu 18.04 LTS (the latest LTS release is recommended)
 * **NOTE:** Hestia Control Panel must be installed on top of a fresh operating system installation to ensure proper functionality.
 
@@ -116,3 +121,15 @@ If you would like to help our developers cover their time and infrastucture cost
 License
 =============================
 Hestia Control Panel is licensed under [GPL v3](https://github.com/hestiacp/hestiacp/blob/master/LICENSE) license, and is based on the [VestaCP](https://www.vestacp.com/) project.<br>
+
+Copyright
+=============================
+"Hestia Control Panel", "HestiaCP", and the Hestia logo are original copyright of hestiacp.com and the following restrictions apply:
+
+**You are allowed to:**
+- use the names "Hestia Control Panel", "HestiaCP", or the Hestia logo in any context directly related to the application or the project. This includes the application itself, local communities and news or blog posts.
+
+**You are not allowed to:**
+- sell or redistribute the application under the name "Hestia Control Panel", "HestiaCP", or similar derivatives, including the use of the Hestia logo in any brand or marketing materials related to revenue generating activities,
+- use the names "Hestia Control Panel", "HestiaCP", or the Hestia logo in any context that is not related to the project,
+- alter the name "Hestia Control Panel", "HestiaCP", or the Hestia logo in any way.
@@ -0,0 +1,7 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you have discovered a vulnerability in Hestia Control Panel,
+let our development team know via e-mail at info@hestiacp.com and
+we will respond as soon as possible.
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add dns record
-# options: USER DOMAIN RECORD TYPE VALUE [PRIORITY] [ID] [RESTART]
+# options: USER DOMAIN RECORD TYPE VALUE [PRIORITY] [ID] [RESTART] [TTL]
 #
 # The call is used for adding new DNS record. Complex records of TXT, MX and
 # SRV types can be used by a filling in the 'value' argument. The function also
@@ -23,6 +23,8 @@ dvalue=$(idn -t --quiet -u "$5" )
 priority=$6
 id=$7
 restart=$8
+ttl=$9
+
 if [ -z "$priority" ]; then
     priority=10
 fi
@@ -69,7 +71,7 @@ format_domain_idn
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '5' "$#" 'USER DOMAIN RECORD TYPE VALUE [PRIORITY] [ID] [RESTART]'
+check_args '5' "$#" 'USER DOMAIN RECORD TYPE VALUE [PRIORITY] [ID] [RESTART] [TTL]'
 is_format_valid 'user' 'domain' 'record' 'rtype' 'dvalue'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
@@ -82,6 +84,7 @@ is_format_valid 'id'
 is_object_new "dns/$domain" 'ID' "$id"
 is_dns_fqnd "$rtype" "$dvalue"
 is_dns_nameserver_valid "$domain" "$rtype" "$dvalue"
+is_format_valid 'ttl'
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
@@ -100,7 +103,8 @@ date=$(echo "$time_n_date" |cut -f 2 -d \ )
 zone="$USER_DATA/dns/$domain.conf"
 dns_rec="ID='$id' RECORD='$record' TYPE='$rtype' PRIORITY='$priority'"
 dns_rec="$dns_rec VALUE='$dvalue' SUSPENDED='no' TIME='$time' DATE='$date'"
-echo "$dns_rec" >> $zone
+[ ! -z "$ttl" ] && dns_rec="$dns_rec TTL='$ttl'"
+echo "$dns_rec" >> $zone;
 chmod 660 $zone
 
 # Sorting records
 
@@ -62,6 +62,7 @@ case $chain in
     WEB)        port='80,443'; protocol=TCP  ;;
     DB)         port='3306,5432'; protocol=TCP  ;;
     HESTIA)     port=$hestiaport; protocol=TCP  ;;
+    RECIDIVE)   port='1:65535'; protocol=TCP  ;;
     *)          check_args '2' "$#" 'CHAIN PORT' ;;
 esac
 
 
@@ -134,7 +134,10 @@ fi
 # Check if dns records exist for requested domain/aliases
 if [ "$proto" = "http-01" ]; then
     for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
-        if ! nslookup "${identifier}" >/dev/null 2>&1 ; then
+        if [[ "$identifier" = *[![:ascii:]]* ]]; then
+            identifier=$(idn -t --quiet -a $identifier)
+        fi
+        if ! nslookup "${identifier}" > /dev/null 2>&1 ; then
             check_result $E_NOTEXIST "DNS record for $identifier doesn't exist"
         fi
     done
@@ -285,6 +288,7 @@ for auth in $authz; do
         validation='valid'
     else
         validation='pending'
+        sleep 5
     fi
 
     # Doing pol check on status
@@ -326,7 +330,7 @@ for auth in $authz; do
             fi
             check_result $E_CONNECT "Let's Encrypt domain validation timeout"
         fi
-        sleep 1
+        sleep $((i*2))
     done
     if [ "$validation" = 'invalid' ]; then
         # Delete DNS CAA record
@@ -339,7 +343,7 @@ for auth in $authz; do
                     $BIN/v-delete-dns-record $user $domain $caa_record
                 fi
             fi
-        fi    
+        fi
         check_result $E_CONNECT "Let's Encrypt domain verification failed"
     fi
 done
@@ -356,13 +360,15 @@ nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
 certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
 if [[ "$status" -ne 200 ]]; then
+    [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
     check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
 fi
 
 # Downloading signed certificate / STEP 7
 answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
 status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
 if [[ "$status" -ne 200 ]]; then
+    [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
     check_result $E_NOTEXIST "Let's Encrypt downloading signed cert failed status:$status"
 fi
 
@@ -399,11 +405,12 @@ if [ -z "$mail" ]; then
     [[ "$ssl_force" = "yes" ]] && $BIN/v-add-web-domain-ssl-force $user $domain > /dev/null 2>&1
 else
     ssl_enabled="$(get_object_value 'mail' 'DOMAIN' "$root_domain" '$SSL')"
-    [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain >/dev/null 2>&1
+    [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain > /dev/null 2>&1
     $BIN/v-add-mail-domain-ssl $user $root_domain $ssl_dir
 fi
 
 if [ "$?" -ne '0' ]; then
+    [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
     touch $HESTIA/data/queue/letsencrypt.pipe
     sed -i "/ $domain /d" $HESTIA/data/queue/letsencrypt.pipe
     send_notice 'LETSENCRYPT' "$domain certificate installation failed"
@@ -422,20 +429,27 @@ fi
 if [ -z "$mail" ]; then
     if [ -z "$LETSENCRYPT" ]; then
         add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT' 'FTP_USER'
+        add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
     fi
     update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
+    update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT' "0"
 else
     if [ -z "$LETSENCRYPT" ]; then
         add_object_key "mail" 'DOMAIN' "$root_domain" 'LETSENCRYPT'
+        add_object_key "mail" 'DOMAIN' "$root_domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
     fi
     update_object_value 'mail' 'DOMAIN' "$root_domain" '$LETSENCRYPT' 'yes'
+    update_object_value 'mail' 'DOMAIN' "$root_domain" '$LETSENCRYPT_FAIL_COUNT' "0"
 fi
 
 # Remove challenge folder if exist
 if [ ! -z "$well_known" ]; then
     rm -fr $well_known
 fi
 
+# Remove temporary SSL folder
+[ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
+
 #----------------------------------------------------------#
 #                        Hestia                            #
 #----------------------------------------------------------#
 
@@ -109,7 +109,6 @@ if [ ! -z "$PROXY_SYSTEM" ] && [ ! -z "$PROXY" ]; then
     add_web_config "$PROXY_SYSTEM" "$PROXY.stpl"
 fi
 
-
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
@@ -121,6 +120,9 @@ increase_user_value "$user" '$U_WEB_SSL'
 update_object_value 'web' 'DOMAIN' "$domain" '$SSL_HOME' "$SSL_HOME"
 update_object_value 'web' 'DOMAIN' "$domain" '$SSL' "yes"
 
+# Enabling automatic SSL redirection
+$BIN/v-add-web-domain-ssl-force "$user" "$domain"
+
 # Restarting web server
 $BIN/v-restart-web $restart
 check_result $? "Web restart failed" >/dev/null