Merge branch 'main' into release

Author: jaapmarcus

.drone.yml

@@ -35,9 +35,6 @@ steps:
 - name: Run config tests 
   commands:
   - bats ./test/config-tests.bats
-- name: Run Check PHP
-  commands: 
-  - ./test/check_php.sh
 
 trigger:
   event: [ pull_request, push ]
@@ -89,10 +86,7 @@ steps:
 - name: Run config tests 
   commands:
   - bats ./test/config-tests.bats
-- name: Run Check PHP
-  commands: 
-  - ./test/check_php.sh
-
+  
 trigger:
   event: [ pull_request, push ]
   ref:
@@ -111,10 +105,14 @@ concurrency:
   limit: 1
 
 steps:
-  - name: shellcheck
+  - name: Shellcheck
     image: koalaman/shellcheck-alpine
     commands:
     - ./test/shellcheck.sh
+  - name: PHP 8.1
+    image: php:8.1-cli-bullseye
+    commands:
+      - ./test/check_php.sh ./web/
 
 trigger:
    event: [ pull_request, push ] 
@@ -160,7 +158,7 @@ steps:
         port: 22
         command_timeout: 2m
         script:
-            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/stretch apt/buster apt/bullseye
+            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/jammy apt/stretch apt/buster apt/bullseye
             - freight-cache
             - rm -fr ./hestia/
 
@@ -169,4 +167,4 @@ trigger:
 
 ---
 kind: signature
-hmac: 07f845f902f859c97c78a346d340f7fb8d4b1242581a242e592b149c13428f50
+hmac: 980aea20314dab4328b0016eb35fa3ef18fdd46e5d891c7ab3809f704891e72b

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -39,7 +39,7 @@ body:
         - Control Panel Command Line Interface
         - Control Panel Installation or Upgrade
         - Control Panel Web Interface
-        - Backend Web Server (Nginx, Apache2)
+        - (Backend) Web Server (Nginx, Apache2)
         - Database (MariaDB, PostgreSQL)
         - Let's Encrypt SSL
         - Mail (Exim, Dovecot)

.gitignore

@@ -15,4 +15,5 @@ test/node_modules/
 npm-debug.log
 .phpunit.result.cache
 .vs
-.nova
+.nova
+/.idea/

CHANGELOG.md

@@ -1,6 +1,90 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.0] - Major Release (Feature / Quality Update)
+## [1.5.15] - Service release
+
+### Important Notes
+
+- Added support for Ubuntu 22.04 Jammy. If you planning to upgrade your server from Ubuntu 20.04 or 18.04 to Ubuntu 22.04 read the instruction carefully!
+- Issues with Ubuntu and Netplan and additional ip addresses has been discovered if this is the case for your setup please check if Netplan configuration is correct.
+- Due to know security issues with Rainloop [CVE-2022-29360](https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/) and the lack of updates from there side we are planning to update / replace Rainloop with [Snappymail](https://github.com/the-djmaze/snappymail). How ever minor changes are needed to the release of Snappymail. The required changes have been made however we are waiting for for the final release of 2.16.4
+- Added support for Yescrypt and ARGON2ID for storing passwords of the users / email accounts password. If you encounter any issues (after importing a backup) with logging change the user / email account password and it will solve any issues. 
+
+### Deprecated
+
+- Dropped support for Debian 9 for new installs (#2537)
+- Dropped support for RSSH on Ubuntu 18.04 on install (#2537)
+- Dropped support for TLS1.1 and older for Dovecot (#2012 and #2538)
+ 
+### Features
+
+- Added support for Ubuntu 22.04 Jammy (#2537 #2489)
+- Added support Exim rate limits for email accounts via UI (#2225 and #2523 @madito)
+- Added support to delete spam when reaching certain threshold (#2206 and #2200 @madito)
+- Added support to send mail to an unauthenticated SMTP relay (#2441 @clarkchentw)
+- Replace default MD5 encoding with ARGON2ID for Debian 10 and Ubuntu 20.04 and higher (#2421 @stsimb)
+- Added support for Yescrypt  (#2235 / #2499) 
+- Upgrade backend to PHP8.1 due to compatibility issues Jammy (#2515)
+- Introduce new api allowing users to use certain commands over API (#2535 and #1333)
+- Allow "Purge" cache button visible on templates with the name cacheing-your-template-name (#2526 #2530)
+- Add hooks to hestia-nginx and hestia-php (#2440)
+- Update DNS cluster to support new API system (#2587)
+
+### Bugfixes
+
+- Fixed an issue where --hostname and --email did not validated when using --interactive no (#2532 #2531)
+- Fixed an issue with the detection if MariaDB 10.7 was running (#2536 @gOOvER)
+- Fixed an issue with downloading a backup as a standard user (#2524 #2525)
+- Remove duplicated package installer (#2520 @rfzh1996)
+- Fixed an issue with "Do not allow user to login" checkbox sync up with real settings (#2507 #2513)
+- Fixed an issue where deleting a suspended users did not decrease the suspended user counter (#2504 #2531)
+- Fixed an issue where domain with redirect enabled was not able to "request" Lets encrypt ssl (#2514 #2176)
+- Add an notice when using Blackblaze on a ARM64 based server (#2394 @zedpr0)
+- Add rsyslog as a dependency (#2505)
+- Fixed an issue when a user import a backup a let's encrypt cronjob was not created on default. (#2498 @NickCoolii)
+- Add missing translation conversions in backup list (#2501)
+- Update example in v-add-web-domain-backend (#2500 gingerbeardman)
+- Update example in v-add-letsencrypt-domain (#2442)
+- Fixed an issue in configure-server-smtp.sh by loading /etc/hestiacp/hestia.conf (#2488)
+- Update Cloudflare ips in nginx.conf (#2542 @clarkchentw)
+- Remove duplicate code in Ubuntu installer (#2542 @clarkchentw)
+- Fixed an issue in Nginx + Apache2 mail "disabled" template. Causing users unable to request an valid ssl certificate (#2550 #2549)
+- Fixed an issue with "Reject spam" option not working (#2551 #2545)
+- Fixed an issue with Editing / Adding DNS records (#2546, #2547, #2548 @DunoCZ) 
+- Fixed an issue with TXT records longer then 255 characters (#2559)
+- Fixed an issue with wp-cli permission denied and allow wp-cli to be run in v-run-cmd command (#2562 and #2565)
+- Fixed an issue with apt-get install output not written to install log (#2585)
+- Fixed multiple issues with improved Quick installer app for Wordpress (#2583)
+- Changes in upstream package caused phpMyAdmin Single Sign on feature to break (#2591)
+- Fixed issues with DNS cluster and the new API (#2587)
+- Fixed an issue where PHPpgAdmin config files was not renamed to .inc for Apache2 setups (#2592)
+- Startup Fail2ban on boot for Ubuntu 22.04 (#2596 #2594)
+- Fixed issue with duplicate config value (#2640 @Kujoe and #2605 #2610 )
+- Fixed an issue with change password function for webmail clients
+- Fixed multiple issues with Quick install apps in general (#2444, #1092, #2638)
+- Fixed an issue with memory usage graph and non english locale (#2643 #2540)
+- Fixed an issue with incorrect download path ftp backup (#2636 @cloudyhostcom)
+- Add php8.1 in v-run-cli-cmd (#2630 @gOOvER)
+- Fixed multiple issues with wildcard and Letsencrypt (#2627, #2626, #2624, #2623)
+- Fixed multiple issues in v-change-domain-owner (#2618, #2617, #1864)
+- Fixed an issue with MariadDB 10.8 detection (#2616)
+- Fixed an issue with netplan and additional ip addresses (#2612)
+- Removed MariaDB repo form Ubuntu 22.04 install 
+- Don not install Roundcube dependencies if Roundcube is missing while installing sieve.
+- Remove duplicated code in v-add-web-domain-ssl
+
+### Dependencies
+- Update hestia-nginx to 1.22.0
+    - Update OpenSSL to 3.0.3
+    - Update zlib to 1.2.12
+    - Update PCRE to 10.40 
+- Update hestia-php to 8.1.7
+- Updated phpMyAdmin to 5.2.0 (https://www.phpmyadmin.net/files/5.2.0/)
+- Update Filegator to 7.8.1
+- Update PHPmailer to 6.6.2
+- Update composer dependencies
+
 ## [1.5.15] - Service release
 
 ### Bugfixes

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.5.14 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.0 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
@@ -34,14 +34,13 @@ Supported platforms and operating systems
 
 AMD (x86_64 Intel/AMD)
 ----------------------------
-* **Debian:** 11, 10 or 9
-* **Ubuntu:** 20.04 LTS or 18.04 LTS
+* **Debian:** 11 or 10
+* **Ubuntu:** 22.04LTS, 20.04 LTS or 18.04 LTS
 
 ARM64 (arm64)
 ----------------------------
-* **Debian:** 11, 10, 9
-* **Ubuntu:** 20.04 LTS or 18.04 LTS
-* **NOTE:** ARM 64 bit processors only! ARM 32bit (armhf) is currently not supported!
+* **Debian:** 11 or 10
+* **Ubuntu:** 22.04LTS, 20.04 LTS or 18.04 LTS
 
 Installing Hestia Control Panel
 ============================

SECURITY.md

@@ -1,10 +1,18 @@
 # Security Policy
 
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | :white_check_mark: |
+
+
 ## Reporting a Vulnerability
 
 If you believe that you have have discovered a vulnerability in Hestia Control Panel,
-please let our development team know via email at info@hestiacp.com. 
+please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform.
 
+If you are unable to [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to support@hestiacp.com
 We ask that you please include a detailed description of the vulnerability,
 a list of services involved (e.g. exim, dovecot) and the versions which you've tested,
-full steps to reproduce the vulnerability, and include your findings and expected results.
+full steps to reproduce the vulnerability, and include your findings and expected results.

bin/v-add-access-key

@@ -0,0 +1,106 @@
+#!/bin/bash
+# info: generate access key
+# options: USER [PERMISSIONS] [COMMENT] [FORMAT]
+#
+# example: v-add-access-key admin v-purge-nginx-cache,v-list-mail-accounts comment json
+#
+# The "PERMISSIONS" argument is optional for the admin user only.
+# This function creates a key file in $HESTIA/data/access-keys/
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+permissions=$2
+comment=$3
+format=${4-shell}
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+keygen() {
+    local LENGTH=${1:-20}
+    local USE_SPECIAL_CHARACTERS="${2:-no}"
+
+    local MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+    if [[ "$USE_SPECIAL_CHARACTERS" == "yes" ]]; then
+        MATRIX+='_-='
+    fi
+
+    local PASS N
+    while [ ${N:=1} -le $LENGTH ]; do
+        PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}"
+        let N+=1
+    done
+
+    echo "$PASS"
+}
+
+access_key_id="$(keygen)"
+secret_access_key="$(keygen 40 yes)"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+# Remove whitespace and bin path from permissions
+permissions="$(cleanup_key_permissions "$permissions")"
+
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER [PERMISSIONS] [COMMENT] [FORMAT]'
+is_format_valid 'user' 'comment' 'format'
+is_object_valid 'user' 'USER' "$user"
+is_key_permissions_format_valid "$permissions" "$user"
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+if [ ! -d "$HESTIA/data/access-keys/" ]; then
+    mkdir -p $HESTIA/data/access-keys/
+    chown root:root $HESTIA/data/access-keys/
+    chmod 750 $HESTIA/data/access-keys/
+fi
+
+if [[ -e "$HESTIA/data/access-keys/${access_key_id}" ]]; then
+    while [[ -e "$HESTIA/data/access-keys/${access_key_id}" ]]; do
+        access_key_id=$(keygen)
+    done
+fi
+
+echo "SECRET_ACCESS_KEY='$secret_access_key'" >"$HESTIA/data/access-keys/${access_key_id}"
+echo "USER='$user'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "PERMISSIONS='$permissions'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "COMMENT='$comment'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "TIME='$time'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "DATE='$date'" >>"$HESTIA/data/access-keys/${access_key_id}"
+# TODO Index reserved for future implementation
+echo "EXPIRES_IN=''" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "IP=''" >>"$HESTIA/data/access-keys/${access_key_id}"
+
+chmod 640 "$HESTIA/data/access-keys/${access_key_id}"
+
+$BIN/v-list-access-key "$access_key_id" "$format"
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_history "Access key $access_key_id generated" "Warning" "$user" "API"
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-add-backup-host

@@ -20,6 +20,9 @@ password=$(perl -e 'print quotemeta shift(@ARGV)' "${raw_password}")
 path=${5-/backup}
 port=$6
 
+# CPU Architecture
+arch=$(uname -m)
+
 # Includes
 # shellcheck source=/usr/local/hestia/func/main.sh
 source $HESTIA/func/main.sh
@@ -189,8 +192,13 @@ fi
 if [ "$type" = 'b2' ]; then
     # Download b2 binary
     if [ ! -f "$b2cli" ]; then
-        wget -O $b2cli $b2lnk > /dev/null 2>&1
-        chmod +x $b2cli > /dev/null 2>&1
+        if [ "$arch" = 'aarch64' ] || [ "$arch" = 'arm64' ]; then
+            echo "Error: B2 binary for arm64 must be downloaded manually."
+            exit 3
+        else
+            wget -O $b2cli $b2lnk > /dev/null 2>&1
+            chmod +x $b2cli > /dev/null 2>&1
+        fi
         if [ ! -f "$b2cli" ]; then
             echo "Error: Binary download failed, b2 doesnt work as expected."
             exit 3

bin/v-add-dns-domain

@@ -41,7 +41,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 # Additional argument formatting
 format_domain
 format_domain_idn
-domain_utf=$(idn -t --quiet -u "$domain_idn")
+domain_utf=$(idn2 --quiet -d "$domain_idn")
 
 #----------------------------------------------------------#
 #                    Verifications                         #

bin/v-add-dns-record

@@ -17,10 +17,10 @@
 user=$1
 domain=$2
 domain_idn=$2
-record=$(idn -t --quiet -u "$3" )
+record=$(idn2 --quiet -d "$3" )
 record=$(echo "$record" | tr '[:upper:]' '[:lower:]')
 rtype=$(echo "$4"| tr '[:lower:]' '[:upper:]')
-dvalue=$(idn -t --quiet -u "$5" )
+dvalue=$5
 priority=$6
 id=$7
 restart=$8
@@ -55,8 +55,8 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
 fi
 
 if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
-    dvalue=$(idn -t --quiet -a "$dvalue" )
-    record=$(idn -t --quiet -a "$record" )
+    dvalue=$(idn2 --quiet  "$dvalue" )
+    record=$(idn2 --quiet  "$record" )
 fi
 
 # Cleanup quotes on dvalue