Staging/1.5.9 (hestiacp#2443)

* Prepare Release of 1.5.9
* Update translations
* Update versions
* Remove Vesta Filemanger list directory

* Small bugs due to xss changes
* Typo in function name...
* And remove not needed line
* Fix linting error
* Fix mysql error in installer
* Fix error in push to apt script
* Fix multiple more issues
* Consolidate upgrade messages and include version for third party software. (hestiacp#2435)
* Fix bug with $user and escapeshellarg breaking certian features
* Update changelogs

Co-authored-by: Raphael Schneeberger <rs@scit.ch>

Author: jaapmarcus

.drone.yml

@@ -160,7 +160,7 @@ steps:
         port: 22
         command_timeout: 2m
         script:
-            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/strech apt/buster apt/bullseye
+            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/stretch apt/buster apt/bullseye
             - freight-cache
             - rm -fr ./hestia/
 
@@ -169,4 +169,4 @@ trigger:
 
 ---
 kind: signature
-hmac: 31806a1e5357c43d17d24ef797995fb9952a1d883ad282fd152d7d0378112213
+hmac: 07f845f902f859c97c78a346d340f7fb8d4b1242581a242e592b149c13428f50

CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.5.9] - Service release
+
+### Bugfixes
+
+- Fixed multiple XSS vulnerabilities in the web user interface. [CVE-2022-0752](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0752) / [CVE-2022-0753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0753)
+- Fixed an issues with mariadb.sys user didn't work properly on MariaDB 10.6.x installs #2427
+- Change ipverse.net urls to new format hosted on Github #2429 and forum
+- Allow PTR to be used on domain.com 
+
+### Dependencies
+
+- Update PHPMailer to 6.6.0 (https://github.com/PHPMailer/PHPMailer/releases/tag/v6.6.0)
+- Update Filegator to 7.7.2 (https://github.com/filegator/filegator/releases/tag/v7.7.2)
+
 ## [1.5.8] - Service release
 
 ### Features

func/upgrade.sh

@@ -556,7 +556,7 @@ upgrade_b2_tool(){
         if version_ge "$b2_version" "$b2_v"; then
             echo "[ * ] Backblaze CLI tool is up to date ($b2_v)..."
         else
-            echo "[ * ] Upgrading Backblaze CLI tool to version v$b2_v..."
+            echo "[ * ] Upgrading Backblaze CLI tool to version $b2_v..."
             rm $b2cli
             wget -O $b2cli $b2lnk > /dev/null 2>&1
             chmod +x $b2cli > /dev/null 2>&1
@@ -581,7 +581,7 @@ upgrade_phpmyadmin() {
             fi
         else
             # Display upgrade information
-            echo "[ * ] Upgrading phpMyAdmin to version v$pma_v..."
+            echo "[ * ] Upgrading phpMyAdmin to version $pma_v..."
             [ -d /usr/share/phpmyadmin ] || mkdir -p /usr/share/phpmyadmin
 
             # Download latest phpMyAdmin release
@@ -629,7 +629,7 @@ upgrade_filemanager() {
             fm_version="1.0.0"
         fi
         if [ "$fm_version" != "$fm_v" ]; then 
-            echo "[ ! ] Updating File Manager..."
+            echo "[ ! ] Upgrading File Manager to version $fm_v..."
             # Reinstall the File Manager
             $HESTIA/bin/v-delete-sys-filemanager quiet yes
             $HESTIA/bin/v-add-sys-filemanager quiet
@@ -657,7 +657,7 @@ upgrade_roundcube(){
         else
             rc_version=$(cat /var/lib/roundcube/index.php | grep -o -E '[0-9].[0-9].[0-9]+' | head -1);
             if [ "$rc_version" != "$rc_v" ]; then
-                echo "[ ! ] Upgrading Roundcube to version v$rc_v..."
+                echo "[ ! ] Upgrading Roundcube to version $rc_v..."
                 $HESTIA/bin/v-add-sys-roundcube
             else
                 echo "[ * ] Roundcube is up to date ($rc_v)..."
@@ -670,7 +670,7 @@ upgrade_rainloop(){
     if [ -n "$(echo "$WEBMAIL_SYSTEM" | grep -w 'rainloop')" ]; then
         rl_version=$(cat /var/lib/rainloop/data/VERSION);
         if [ "$rl_version" != "$rl_v" ]; then
-            echo "[ ! ] Upgrading Rainloop to version v$rl_v..."
+            echo "[ ! ] Upgrading Rainloop to version $rl_v..."
             $HESTIA/bin/v-add-sys-rainloop
         else
             echo "[ * ] Rainloop is up to date ($rl_v)..."
@@ -685,7 +685,7 @@ upgrade_phpmailer(){
     fi
     phpm_version=$(cat $HESTIA/web/inc/vendor/phpmailer/phpmailer/VERSION);
     if [ "$phpm_version" != "$pm_v" ]; then
-    echo "[ ! ] Upgrading PHPmailer..."
+    echo "[ ! ] Upgrading PHPmailer to version $pm_v..."
         $HESTIA/bin/v-add-sys-phpmailer
     else
         echo "[ * ] PHPmailer is up to date ($pm_v)..."

install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9~alpha'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1532,7 +1532,7 @@ if [ "$mysql" = 'yes' ]; then
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
-    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%"
+    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
 
     mysql -e "FLUSH PRIVILEGES;"
 fi

install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.9~alpha'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1551,7 +1551,7 @@ if [ "$mysql" = 'yes' ]; then
     mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
     # Drop test database
     mysql -e "DROP DATABASE IF EXISTS test"
-    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%"
+    mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
 
     mysql -e "FLUSH PRIVILEGES;"
 fi

install/upgrade/manual/migrate_ngnix_apache_nginx-php-fpm.sh

@@ -8,6 +8,8 @@
 #----------------------------------------------------------#
 
 # Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
 # shellcheck source=/usr/local/hestia/func/main.sh
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/conf/hestia.conf

install/upgrade/upgrade.conf

@@ -50,10 +50,10 @@ rl_v='1.16.0'
 # UPGRADE_UPDATE_FILEMANAGER_CONFIG: Updates only the configuration file if changes are made but now new issue has been issued!
 UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
 # Set version of File manager to update during upgrade if not already installed
-fm_v='7.7.1'
+fm_v='7.7.2'
 
 # Set version of PHPMailer to update during upgrade if not already installed
-pm_v='6.5.3'
+pm_v='6.6.0'
 
 # Backblaze
 b2_v='3.2.0'

src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.5.9~alpha
+Version: 1.5.9
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

web/add/db/index.php

@@ -115,7 +115,7 @@
         $hostname = exec('hostname');
         $from = "noreply@".$hostname;
         $from_name = _('Hestia Control Panel');
-        $mailtext = sprintf(_('DATABASE_READY'), $user."_".$_POST['v_database'], $user."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
+        $mailtext = sprintf(_('DATABASE_READY'), $user_plain."_".$_POST['v_database'], $user_plain."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
         send_email($to, $subject, $mailtext, $from, $from_name);
     }
 

web/add/key/index.php

@@ -16,11 +16,9 @@
     }
 
     if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-        $user = $_GET['user'];
+        $user = escapeshellarg($_GET['user']);
     }
 
-    $user = escapeshellarg($user);
-
     if (!$_SESSION['error_msg']) {
         if ($_POST) {
             //key if key already exists