Merge branch 'main' into feature/427-redirect

Author: Kristan Kenney

CHANGELOG.md

@@ -3,17 +3,70 @@ All notable changes to this project will be documented in this file.
 
 ## [DEVELOPMENT]
 ### Features
-- Introduced support for PHPmyAdmin Single Sign On
+- Introduced single sign-on support for phpMyAdmin.
+- Introduced support for NGINX FastCGI cache.
+- Introduced support for SMTP Relay / smarthosts (server-wide or per-domain).
+- Introduced the ability to choose which webmail client to use per-domain (Roundcube or Rainloop).
+- Added B2 Backup Support for Remote Backup Location - thanks **@rez0n**!
+- Added template support for osTicket - thanks **@madito**!
+- Packages for phpMyAdmin, Roundcube, and Rainloop will be pulled directly from their upstream source instead of APT for new installations.
+- Added DNS records view to mail domains which provides DKIM, SPF, and other entries to use with an external provider.
+- Added an upgrade script to provide in-place upgrades to php7.4 (or any other version).
+
 
 ### Bugfixes
-- Fixed an issue where user name was duplicated when editing FTP users (#1411)
+- Fixed an issue where user name was duplicated when editing FTP users. (#1411)
 - Fixed an issue where the iptables service would appear to be in a stopped state when fail2ban is stopped. (#1374)
 - Fixed an issue where the default language value was incorrectly set under Server Settings > Configure.
 - Fixed an issue with the dark theme where available updates were incorrectly displayed.
 - Fixed an issue where local and FTP backup files were not deleted when running `v-delete-user-backup`. (#1421)
-- Fixed an issue where IP addresses could not be deleted (#1423)
-- Improvements have been made to the API's error handling - thanks **@danielalexis**!
-- ZSTD Compression has been made multi-threaded.
+- Fixed an issue where IP addresses could not be deleted. (#1423)
+- Fixed an issue where `v-rebuild-user` would incorrectly rebuild domain items in addition to user account configuration.
+- Fixed an issue which caused a web domain's custom document root value to be lost when restoring from backup.
+- Fixed an issue which caused a `NSPOSIXErrorDomain:100` error when using Safari/iOS (thanks **@stsimb**).
+- Fixed an issue where exim ignored the configured mail quota limit.
+- Fixed an issue where invalid character validation was performed when editing mail auto replies.
+- Fixed an issue which caused Let's Encrypt to fail when using the Moodle template (thanks **@ArturoBlanco**).
+- Fixed an issue where the MySQL `wait_timeout` value was not saved due to wrong regexp attribute (thanks **@guicapanema**).
+- Fixed an issue where nginx web statistics authorization file was placed in the wrong directory.
+- Fixed several small issues that were reported when using PostgreSQL.
+- Improved reliability of mail domains and webmail clients.
+- Improved reliability of service restarts during upgrades.
+- Improved compatibility with Blesta / WHMCS plugins.
+- Improved API error handling routines - thanks **@danielalexis**!
+- Improved backup performance through the use of multi-threading when creating archives using the `zstd` compression type.
+- Improved error handling when creating firewall rules.
+- Improved handling of suspended users and domains to allow deletion without unsuspension.
+- Improved dependencies over package control to install `lsb-release` and `zstd`.
+- Improved SFTP connection handling to be case insensitive (thanks **@lazzurs**).
+- Improved domain validation to prevent creating subdomains when the top-level domain belongs to another account (thanks **@KuJoe** and **@sickcodes**).
+- Improved IDN domain handling to resolve issues with Let's Encrypt SSL and mail domain services.
+- Added private folder to openbasedir permissions for all main templates.
+- Disabled changing backup folder via Web UI because it used symbolic link instead of mount causing issues with restore mail / user files.
+- Fixed XSS vulnerability in `v-add-sys-ip` and user history log (thanks **@numanturle**).
+- Fixed remote code execution vulnerability which could occur when deleting SSH keys (thanks **@numanturle**).
+
+## [1.3.5] - Service Release
+### Features
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Updated APT repository key for PHP from packages.sury.org (https://forum.hestiacp.com/t/apt-upgrade-failed-gpg-error-packages-sury-org)
+- Updated phpMyAdmin to v5.1.0.
+
+## [1.3.4] - Service Release
+### Features
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Fixed xss vulnerability in v-add-sys-ip and user history log (thanks **@numanturle**)
+- Fixed remote execution possibility when deleting ssh key (thanks **@numanturle**)
+
+## [1.3.3] - Service Release
+### Bugfixes
+- Improved if web folder already exists and do not follow symlink on chmod (thanks @0xGsch and @kikoas1995).
+- Improved api key authentification to prevent brute force attacks.
+- Improved ssh keys folder permission to prevent unauthorized access.
 
 ## [1.3.2] - Service Release
 ### Features

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.3.2 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
+**Latest stable release:** Version 1.3.5 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

bin/v-add-backup-host

@@ -49,7 +49,7 @@ sftpc() {
         set count 0
         spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o Port=$port $user@$host
         expect {
-            "password:" {
+            -nocase "password:" {
                 send "$password\r"
                 exp_continue
             }

bin/v-add-dns-domain

@@ -38,6 +38,7 @@ source $HESTIA/conf/hestia.conf
 # Additional argument formatting
 format_domain
 format_domain_idn
+domain_utf=$(idn -t --quiet -u "$domain_idn")
 
 #----------------------------------------------------------#
 #                    Verifications                         #
@@ -48,11 +49,22 @@ is_format_valid 'user' 'domain' 'ip'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
-is_domain_new 'dns' "$domain"
+
+if [ "$($BIN/v-list-dns-domain $user $domain_utf plain |cut -f 1) " != "$domain" ]; then
+    is_domain_new 'dns' "$domain_utf"
+fi
+if [ "$($BIN/v-list-dns-domain $user $domain_idn plain |cut -f 1) " != "$domain" ]; then
+    is_domain_new 'dns' "$domain_idn"
+else
+    is_domain_new 'dns' "$domain"
+fi
+
 is_package_full 'DNS_DOMAINS'
 template=$(get_user_value '$DNS_TEMPLATE')
 is_dns_template_valid $template
 
+is_base_domain_owner "$domain"
+
 if [ ! -z "$ns1" ]; then
     ns1=$(echo $4 |sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns1'

bin/v-add-dns-record

@@ -50,6 +50,11 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
     fi
 fi
 
+if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
+    dvalue=$(idn -t --quiet -a "$dvalue" )
+    record=$(idn -t --quiet -a "$record" )
+fi
+
 # Cleanup quotes on dvalue
 # - [CAA] records will be left unchanged
 # - [SRV] will be  stripped of double quotes even when  containg spaces

bin/v-add-letsencrypt-domain

@@ -109,18 +109,16 @@ debug_log() {
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
-
-
-
 # Generate correct variables for mail domain SSL certificates
 if [ ! -z "$mail" ]; then
     root_domain=$domain
     domain="mail.$root_domain"
-    webmail=$(get_object_value "mail" "$domain" '$WEBMAIL');
+    webmail=$(get_object_value "mail" "DOMAIN" "$root_domain" '$WEBMAIL');
     if [ ! -z "$webmail" ]; then
         aliases="$WEBMAIL_ALIAS.$root_domain"
     fi

bin/v-add-mail-domain

@@ -36,7 +36,7 @@ fi
 # Additional argument formatting
 format_domain
 format_domain_idn
-
+domain_utf=$(idn -t --quiet -u "$domain_idn")
 
 #----------------------------------------------------------#
 #                    Verifications                         #
@@ -47,10 +47,21 @@ is_format_valid 'user' 'domain' 'antispam' 'antivirus' 'dkim' 'dkim_size'
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
-is_domain_new 'mail' "$domain"
+
+if [ "$($BIN/v-list-mail-domain $user $domain_utf plain |cut -f 1) " != "$domain" ]; then
+    is_domain_new 'mail' "$domain_utf"
+fi
+if [ "$($BIN/v-list-mail-domain $user $domain_idn plain |cut -f 1) " != "$domain" ]; then
+    is_domain_new 'mail' "$domain_idn"
+else
+    is_domain_new 'mail' "$domain"
+fi
+
 is_package_full 'MAIL_DOMAINS'
 is_dir_symlink $HOMEDIR/$user/mail
 
+is_base_domain_owner "$domain"
+
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
@@ -104,23 +115,6 @@ if [[ "$MAIL_SYSTEM" =~ exim ]]; then
         echo "$local_ip" > $HOMEDIR/$user/conf/mail/$domain/ip
     fi
 
-    # Touch mailhelo.conf if it doesnt exist
-    if [ ! -f "/etc/exim4/mailhelo.conf" ]; then
-        touch /etc/exim4/mailhelo.conf
-    fi
-
-    # Setting HELO for mail domain
-    if [ ! -z "$local_ip" ]; then
-        IP_RDNS=$(is_ip_rdns_valid "$local_ip")
-        if [ ! -z "$IP_RDNS" ]; then
-            if [ $(grep -s "^${domain}:" /etc/exim4/mailhelo.conf) ]; then
-                sed -i "/^${domain}:/c\\${domain}:${IP_RDNS}" /etc/exim4/mailhelo.conf
-            else
-                echo ${domain}:${IP_RDNS} >> /etc/exim4/mailhelo.conf
-            fi
-        fi        
-    fi
-
     # Adding antispam protection
     if [ "$antispam" = 'yes' ]; then
         touch $HOMEDIR/$user/conf/mail/$domain/antispam
@@ -169,7 +163,7 @@ fi
 # Add webmail configuration to mail domain
 if [ ! -z "$WEB_SYSTEM" ] || [ ! -z "$PROXY_SYSTEM" ]; then
     if [ ! -z "$IMAP_SYSTEM" ]; then
-        $BIN/v-add-sys-webmail $user $domain '' '' ''
+        $BIN/v-add-sys-webmail $user $domain '' 'no'
     fi
 fi
 

bin/v-add-sys-filemanager

@@ -13,14 +13,14 @@
 # Includes
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
+source $HESTIA/install/upgrade/upgrade.conf
 
 MODE=$1
 user="admin"
 
 FM_INSTALL_DIR="$HESTIA/web/fm"
-FM_V="7.4.1"
-FM_FILE="filegator_v${FM_V}.zip"
-FM_URL="https://github.com/filegator/filegator/releases/download/v${FM_V}/${FM_FILE}"
+FM_FILE="filegator_v${fm_v}.zip"
+FM_URL="https://github.com/filegator/filegator/releases/download/v${fm_v}/${FM_FILE}"
 COMPOSER_BIN="$HOMEDIR/$user/.composer/composer"
 
 

bin/v-add-sys-ip

@@ -1,7 +1,7 @@
 #!/bin/bash
 # info: add system ip address
-# options: IP NETMASK [INTERFACE] [USER] [IP_STATUS] [IP_NAME] [NAT_IP]
-# labels: 
+# options: IP NETMASK [INTERFACE] [USER] [IP_STATUS] [IP_NAME] [NAT_IP] [HELO]
+# labels:
 #
 # example: v-add-sys-ip 216.239.32.21 255.255.255.0
 #
@@ -28,6 +28,7 @@ user="${4-admin}"
 ip_status="${5-shared}"
 ip_name=$6
 nat_ip=$7
+helo=$8
 
 # Includes
 source $HESTIA/func/main.sh
@@ -40,8 +41,8 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'IP NETMASK [INTERFACE] [USER] [STATUS] [NAME] [NATED_IP]'
-is_format_valid 'ip' 'netmask' 'interface' 'user' 'ip_status'
+check_args '2' "$#" 'IP NETMASK [INTERFACE] [USER] [STATUS] [NAME] [NATED_IP] [HELO]'
+is_format_valid 'ip' 'netmask' 'iface' 'user' 'ip_status'
 is_ip_free
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -112,6 +113,7 @@ U_WEB_DOMAINS='0'
 INTERFACE='$iface'
 NETMASK='$netmask'
 NAT='$nat_ip'
+HELO='$helo'
 TIME='$time'
 DATE='$date'" > $HESTIA/data/ips/$ip
 chmod 660 $HESTIA/data/ips/$ip
@@ -213,6 +215,11 @@ if [ ! -z "$FIREWALL_SYSTEM" ]; then
     $BIN/v-update-firewall
 fi
 
+# Update ip helo for exim
+if [ ! -z "$MAIL_SYSTEM" ] && [ ! -z "$helo"]; then
+    $BIN/v-change-sys-ip-helo $ip $helo
+fi
+
 # Logging
 log_history "added system ip address $ip" '' 'admin'
 log_event "$OK" "$ARGUMENTS"

bin/v-add-sys-rainloop

@@ -14,7 +14,7 @@ source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 source $HESTIA/install/upgrade/upgrade.conf
 
-MODE=$2
+MODE=$1
 UPDATE="no"
 # Version and Download paths
 # Version to be moved to upgrade script
@@ -54,7 +54,7 @@ fi
 if [ -f "/var/lib/rainloop/data/VERSION" ]; then
     version=$(cat $RL_INSTALL_DIR/data/VERSION);
     if [ "$version" == "$rl_v" ]; then
-        echo "Error: Installed version ($version) is equal as the availble version ($rc_v)"
+        echo "Error: Installed version ($version) is equal as the availble version ($rl_v)"
         exit 2;
     else 
         UPDATE="yes"
@@ -88,7 +88,7 @@ if [ "$UPDATE" == "no" ]; then
     echo "Password: $admin_password" >> ~/.rainloop
     echo "Secret key: admin_$key" >> ~/.rainloop
 
-    unzip -q $RL_FILE
+    unzip -q ${RL_INSTALL_DIR}/${RL_FILE}
 
     mv ./data $RL_CONFIG_DIR/
     ln -s $RL_CONFIG_DIR/data/ ./data
@@ -151,8 +151,17 @@ if [ "$UPDATE" == "no" ]; then
 
 else
    [ ! -f "${RC_INSTALL_DIR}/${RC_FILE}" ] && wget "$RL_URL" --quiet -O "${RL_INSTALL_DIR}/${RL_FILE}"
-   unzip -q -o $RL_FILE
-   rm $RL_INSTALL_DIR/$RL_FILE
+   version=$(cat $RL_INSTALL_DIR/data/VERSION);
+   
+   unzip -q -j rainloop-community-latest.zip "data/VERSION" -d $RL_INSTALL_DIR/ 
+   version_source=$(cat $RL_INSTALL_DIR/VERSION);
+   
+   # Check version inside .zip file in case hestia didn't update yet
+   if [ "$version" != "$version_source" ]; then 
+       unzip -q ${RL_INSTALL_DIR}/${RL_FILE}
+       rm $RL_INSTALL_DIR/$RL_FILE
+    fi
+    rm ${RL_INSTALL_DIR}/VERSION
 fi
 
 #----------------------------------------------------------#