Fix issue with Global SMTP settings not updating (hestiacp#3730)

* Allow edit smtp global settings on password change

+ Patch XSS

* Fix issue with exim config todo prepare patch for existing instals

* Fix existing broken installs

* Update versions depencies Roundcube / Snappymail

* Fix issue with Debug panel

* Fix error

* Fix issue with password reset module

Author: jaapmarcus

.yarnrc.yml

@@ -15,7 +15,7 @@ add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
 
-SRS_SECRET = readfile{/etc/exim4/srs.conf}
+SRS_SECRET = ${readfile{/etc/exim4/srs.conf}}
 
 smtputf8_advertise_hosts =
 domainlist local_domains = dsearch;/etc/exim4/domains/

install/deb/exim/exim4.conf.4.95.template

@@ -50,10 +50,10 @@ pga_v='7.14.4'
 
 # Set version of RoundCube (Webmail) to update during upgrade if not already installed
 # Note: only applies to "non-apt installs >= 1.4.0 or manually phased out"
-rc_v='1.6.1'
+rc_v='1.6.2'
 
 # Set version of SnappyMail (Webmail) to update during upgrade if not already installed
-sm_v='2.27.3'
+sm_v='2.28.3'
 
 # Update the File Manager or it's configuration file
 # Check if Filegator requires an update based on current version and setting below

install/upgrade/upgrade.conf

@@ -248,16 +248,18 @@ elif [ "$PROXY_SYSTEM" = "nginx" ]; then
 	done < <(ls "$HESTIA"/data/ips/ 2> /dev/null)
 fi
 
-exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
-# if Exim version > 4.95 or greater!
-if version_ge "$exim_version" "4.95"; then
-	if ! grep -q 'SRS_SECRET' /etc/exim4/exim4.conf.template; then
-		srs=$(generate_password)
-		echo $srs > /etc/exim4/srs.conf
-		chmod 640 /etc/exim4/srs.conf
-		echo "[ * ] Update exim4.conf.template ..."
-		patch /etc/exim4/exim4.conf.template $HESTIA/install/upgrade/patch/3661-exim-srs-support.patch
+if [ "$MAIL_SYSTEM" = "exim4" ]; then
+	exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
+	# if Exim version > 4.95 or greater!
+	if version_ge "$exim_version" "4.95"; then
+		if ! grep -q 'SRS_SECRET' /etc/exim4/exim4.conf.template; then
+			srs=$(generate_password)
+			echo $srs > /etc/exim4/srs.conf
+			chmod 640 /etc/exim4/srs.conf
+			echo "[ * ] Update exim4.conf.template ..."
+			patch /etc/exim4/exim4.conf.template $HESTIA/install/upgrade/patch/3661-exim-srs-support.patch
+		else
+			sed -i "s/SRS_SECRET = readfile{\/etc\/exim4\/srs.conf}/SRS_SECRET = \${readfile{\/etc\/exim4\/srs.conf}}/g" /etc/exim4/exim4.conf.template
+		fi
 	fi
-else
-	echo $exim_version
 fi

install/upgrade/versions/1.8.0.sh

@@ -701,11 +701,11 @@
 						quoteshellarg($v_domain) .
 						" " .
 						$v_smtp_relay_host .
-						" '" .
+						" " .
 						$v_smtp_relay_user .
-						"' '" .
+						" " .
 						$v_smtp_relay_pass .
-						"' " .
+						" " .
 						$v_smtp_relay_port,
 					$output,
 					$return_var,

web/edit/mail/index.php

@@ -613,7 +613,8 @@
 			if (
 				$_POST["v_smtp_relay_host"] != $v_smtp_relay_host ||
 				$_POST["v_smtp_relay_user"] != $v_smtp_relay_user ||
-				$_POST["v_smtp_relay_port"] != $v_smtp_relay_port
+				$_POST["v_smtp_relay_port"] != $v_smtp_relay_port ||
+				!empty($_POST["v_smtp_relay_pass"])
 			) {
 				$v_smtp_relay = true;
 				$v_smtp_relay_host = quoteshellarg($_POST["v_smtp_relay_host"]);

web/edit/server/index.php

@@ -101,11 +101,13 @@
 							$_SERVER["HTTP_HOST"],
 						);
 						if ($port_is_defined) {
-							$port = preg_replace(
-								"/(\[?[^]]*\]?):([0-9]{1,5})$/",
-								"$2",
-								$_SERVER["HTTP_HOST"],
-							);
+							$port =
+								":" .
+								preg_replace(
+									"/(\[?[^]]*\]?):([0-9]{1,5})$/",
+									"$2",
+									$_SERVER["HTTP_HOST"],
+								);
 						} else {
 							$port = "";
 						}
@@ -121,7 +123,6 @@
 
 					putenv("LANGUAGE=" . $data[$user]["LANGUAGE"]);
 					$name = empty($data[$user]["NAME"]) ? $user : $data[$user]["NAME"];
-
 					$mailtext = translate_email($template, [
 						"name" => htmlentities($name),
 						"hostname" => htmlentities($hostname . $port),

web/reset/index.php

@@ -1,3 +1,8 @@
+<?php
+if( !defined("HESTIA_DIR_BIN") ){
+	die("Direct access disabled");
+}
+?>
 <div x-data="{ open: false }" class="debug-panel">
 	<button
 		type="button"
@@ -10,25 +15,48 @@ class="debug-panel-toggle"
 		<?php
 			echo "<h3 class=\"u-mb10\">Server Variables</h3>";
 			foreach ($_SERVER as $key => $val) {
-				echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				if(is_string($val)){
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				}
 			}
   	?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">Session Variables</h3>";
 			foreach ($_SESSION as $key => $val) {
-				echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				if(is_string($val)){
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				}else if(is_array($val)){
+					array_walk_recursive($lang, function (&$value) {
+							$value = htmlentities($value);
+					});
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> "  .var_dump($val). " ";
+				}
 			}
   	?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">POST Variables</h3>";
 			foreach ($_POST as $key => $val) {
-				echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				if(is_string($val)){
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				}else if(is_array($val)){
+					array_walk_recursive($lang, function (&$value) {
+							$value = htmlentities($value);
+					});
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> "  .var_dump($val). " ";
+				}
 			}
   	?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">GET Variables</h3>";
 			foreach ($_GET as $key => $val) {
-				echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				if(is_string($val)){
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> " . $val . " ";
+				}else if(is_array($val)){
+					array_walk_recursive($lang, function (&$value) {
+							$value = htmlentities($value);
+					});
+					echo "<span class=\"u-text-bold\">" . $key . "= </span> "  .var_dump($val). " ";
+				}
 			}
   	?>
 	</div>