ghzhost
diff --git a/‎CHANGELOG.md‎
Lines changed: 25 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 42 additions & 9 deletions b/‎SECURITY.md‎
Lines changed: 42 additions & 9 deletions
diff --git a/‎bin/v-add-letsencrypt-domain‎
Lines changed: 5 additions & 2 deletions b/‎bin/v-add-letsencrypt-domain‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎bin/v-add-mail-domain‎
Lines changed: 8 additions & 4 deletions b/‎bin/v-add-mail-domain‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎bin/v-add-web-domain-backend‎
Lines changed: 1 addition & 1 deletion b/‎bin/v-add-web-domain-backend‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/v-change-mail-domain-rate-limit‎
Lines changed: 1 addition & 1 deletion b/‎bin/v-change-mail-domain-rate-limit‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/v-change-sys-hostname‎
Lines changed: 13 additions & 7 deletions b/‎bin/v-change-sys-hostname‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎bin/v-change-sys-php‎
Lines changed: 11 additions & 0 deletions b/‎bin/v-change-sys-php‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎bin/v-change-web-domain-backend-tpl‎
Lines changed: 12 additions & 1 deletion b/‎bin/v-change-web-domain-backend-tpl‎
Lines changed: 12 additions & 1 deletion
@@ -1,6 +1,31 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.1] - Major Release (Feature / Quality Update)
+
+### Bugfixes
+
+- Fixed an issue with rate limit and alias domains (#2676, #2666)
+- Fixed an issue with reject spam option (#2687, #2864)
+- Fixed an issue in the installer when sieve is enabled (#2675, #2668)
+- Fixed an issue with File manager in development mode (#2682 #2644) 
+- Fixed multiple small in templates (#2659 @ledoktre, #2680, #2671, #2679, #2670, #2681, #2699)
+- Fixed add second check if DNS resolving fails (#2678)
+- Fixed an issue where v-change-sys-hostname does not update host file (#2688 #2683)
+- Fixed an issue with IDN conversions not working on new server installs (#2692 @wojsmol)
+
+### Enchantments
+
+- Improve restart behaviour php-fpm
+- Improve updating process to make it faster. 
+- Removed outdated / never used test scripts (#2685)
+
+### Dependencies
+
+- Update hestia-nginx to 1.23.0
+- Update PHPmailer to 6.6.3
+- Update Roundcube to 1.5.3
+
 ## [1.6.0] - Major Release (Feature / Quality Update)
 
 ### Important Notes
 
@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.6.0 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.1 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
 
@@ -1,18 +1,51 @@
-# Security Policy
+# Hestia CP Security policy
 
-## Supported Versions
+Welcome and thanks for taking interest in Hestia CP!
+
+We are mostly interested in reports by actual Hestia CP users but  all high quality contributions are welcome.
+
+If you believe that you have have discovered a vulnerability in Hestia Control Panel,
+please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform.
+
+If you are unable to use [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to support@hestiacp.com
+
+We ask you to include a detailed description of the vulnerability, a list of services involved (e.g. exim, dovecot) and the versions which you've tested, full steps to reproduce the vulnerability, and include your findings and expected results.
+
+Please do not open any public issue on Github or any other social media before the report has been published and a fix has been released. 
+
+With that, good luck hacking us ;)
+
+## Supported versions
 
 | Version | Supported          |
 | ------- | ------------------ |
 | Latest  | :white_check_mark: |
 
+## Qualifying Vulnerabilities
 
-## Reporting a Vulnerability
+### Vulnerabilities we really care about!
+- Remote command execution
+- Code/SQL Injection
+- Authentication bypass
+- Privilege Escalation
+- Cross-site scripting (XSS)
+- Performing limited admin actions without authorization
+- CSRF
 
-If you believe that you have have discovered a vulnerability in Hestia Control Panel,
-please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform.
+### Vulnerabilities we accept
+
+- Open redirects
+- Password brute-forcing that circumvents rate limiting
+
+## Non-Qualifying Vulnerabilities
+
+- Theoretical attacks without proof of exploitability
+- Attacks that are the result of a third party library should be reported to the library maintainers
+- Social engineering
+- Reflected file download
+- Physical attacks
+- Weak SSL/TLS/SSH algorithms or protocols
+- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle).
+- The user attacks themselves
+- anything in `/test/` folder
 
-If you are unable to [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to support@hestiacp.com
-We ask that you please include a detailed description of the vulnerability,
-a list of services involved (e.g. exim, dovecot) and the versions which you've tested,
-full steps to reproduce the vulnerability, and include your findings and expected results.
 
@@ -187,7 +187,10 @@ if [ "$proto" = "http-01" ]; then
             identifier=$(idn2 --quiet $identifier)
         fi
         if ! nslookup "${identifier}" > /dev/null 2>&1 ; then
-            check_result "$E_NOTEXIST" "DNS record for $identifier doesn't exist"
+            # Attempt against Cloudflare DNS
+            if ! nslookup "${identifier}" 1.1.1.1 > /dev/null 2>&1 ; then
+                check_result "$E_NOTEXIST" "DNS record for $identifier doesn't exist"
+            fi
         fi
     done
 fi
@@ -230,7 +233,7 @@ url="$LE_API/acme/new-order"
 payload='{"identifiers":['
 for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
     if [[ "$identifier" = *[![:ascii:]]* ]]; then
-        identifier=$(idn -t --quiet -a $identifier)
+        identifier=$(idn2 --quiet $identifier)
     fi
     payload=$payload'{"type":"dns","value":"'$identifier'"},'
 done
 
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add mail domain
-# options: USER DOMAIN [ANTISPAM] [ANTIVIRUS] [DKIM] [DKIM_SIZE]
+# options: USER DOMAIN [ANTISPAM] [ANTIVIRUS] [DKIM] [DKIM_SIZE] [RESTART] [REJECT_SPAM]
 #
 # example: v-add-mail-domain admin mydomain.tld
 #
@@ -18,6 +18,7 @@ antivirus=${4-yes}
 dkim=${5-yes}
 dkim_size=${6-1024}
 restart=${7-yes}
+reject=${8-yes}
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -49,8 +50,8 @@ domain_utf=$(idn2 --quiet -d "$domain_idn")
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER DOMAIN [ANTISPAM] [ANTIVIRUS] [DKIM] [DKIM_SIZE]'
-is_format_valid 'user' 'domain' 'antispam' 'antivirus' 'dkim' 'dkim_size' 'restart'
+check_args '2' "$#" 'USER DOMAIN [ANTISPAM] [ANTIVIRUS] [DKIM] [DKIM_SIZE] [RESTART] [REJECT_SPAM]'
+is_format_valid 'user' 'domain' 'antispam' 'antivirus' 'dkim' 'dkim_size' 'restart' 'reject'
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -93,7 +94,7 @@ fi
 new_timestamp
 
 # Adding domain to mail.conf
-s="DOMAIN='$domain' ANTIVIRUS='$antivirus' ANTISPAM='$antispam' DKIM='$dkim' WEBMAIL=''"
+s="DOMAIN='$domain' ANTIVIRUS='$antivirus' ANTISPAM='$antispam' REJECT='$reject' DKIM='$dkim' WEBMAIL=''"
 s="$s SSL='no' LETSENCRYPT='no' CATCHALL='' ACCOUNTS='0' U_DISK='0' SUSPENDED='no' TIME='$time'"
 s="$s DATE='$date'"
 echo $s >> $USER_DATA/mail.conf
@@ -133,6 +134,9 @@ if [[ "$MAIL_SYSTEM" =~ exim ]]; then
         if [ "$antispam" = 'yes' ]; then
             touch "$HOMEDIR/$user/conf/mail/$domain/antispam"
         fi
+        if [ "$reject" = 'yes' ]; then
+            touch "$HOMEDIR/$user/conf/mail/$domain/reject_spam"
+        fi
     fi
 
     if [ -n "$ANTIVIRUS_SYSTEM" ]; then
 
@@ -84,7 +84,7 @@ fi
 #----------------------------------------------------------#
 
 # Restart backend server
-$BIN/v-restart-web-backend "$restart"
+$BIN/v-restart-web-backend "$restart" "$backend_version"
 check_result $? "Web backend restart failed" >/dev/null
 
 # Logging
 
@@ -62,9 +62,9 @@ if [[ "$rate" = "system" ]]; then
     rate=''
 fi
 
-$HESTIA/bin/v-rebuild-mail-domain "$user" "$domain"
 # Update quota
 update_object_value "mail" 'DOMAIN' "$domain" '$RATE_LIMIT' "$rate"
+$HESTIA/bin/v-rebuild-mail-domain "$user" "$domain"
 
 # Logging
 $BIN/v-log-action "$user" "Info" "Mail" "Mail domain rate limit has changed ($rate)"
 
@@ -49,15 +49,21 @@ else
     # Debian/Ubuntu
     hostnamectl set-hostname "$domain"
     echo "$domain" > /etc/hostname
+fi
 
-    # Update Roundcube password plugin configuration
-    if [ -d /etc/roundcube/ ]; then
-        sed -i "/password_hestia_host/c\$rcmail_config['password_hestia_host'] = '$domain';" /etc/roundcube/plugins/password/config.inc.php
-    fi
-    if [ -d /etc/rainloop/ ]; then
-        sed -i "/hestia_host/c\hestia_host = \"$domain\"" /etc/rainloop/data/_data_/_default_/configs/plugin-hestia-change-password.ini 
-    fi
+# Update Roundcube password plugin configuration
+if [ -d /etc/roundcube/ ]; then
+    sed -i "/password_hestia_host/c\$rcmail_config['password_hestia_host'] = '$domain';" /etc/roundcube/plugins/password/config.inc.php
 fi
+if [ -d /etc/rainloop/ ]; then
+    sed -i "/hestia_host/c\hestia_host = \"$domain\"" /etc/rainloop/data/_data_/_default_/configs/plugin-hestia-change-password.ini 
+fi
+
+if [ -f /etc/hosts ];then
+    if ! cat /etc/hosts | grep $domain > /dev/null ; then
+        echo "127.0.0.1 $domain" >> /etc/hosts
+    fi
+fi 
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 
@@ -48,7 +48,18 @@ php_fpm="/etc/init.d/php$version-fpm"
 
 rm -f /etc/php/*/fpm/pool.d/www.conf
 cp -f $HESTIA/install/deb/php-fpm/www.conf /etc/php/$version/fpm/pool.d/www.conf
+
+for user in $($HESTIA/bin/v-list-sys-users plain); do
+    $BIN/v-rebuild-web-domains "$user" 'no' >/dev/null 2>&1
+    $BIN/v-rebuild-mail-domains "$user" 'no' >/dev/null 2>&1
+done;
+
+# restart
 $HESTIA/bin/v-restart-web-backend
+$HESTIA/bin/v-restart-web
+$HESTIA/bin/v-restart-proxy
+
+
 
 update-alternatives --set php /usr/bin/php$version
 
 
@@ -165,7 +165,18 @@ fi
 $BIN/v-restart-web "$restart"
 check_result $? "Web restart failed" >/dev/null
 
-$BIN/v-restart-web-backend "$restart"
+# Detect prev version
+if [[ $BACKEND =~ ^.*PHP-([0-9])\_([0-9])$ ]]; then
+    version="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
+else
+    version=$(multiphp_default_version)
+fi
+
+$BIN/v-restart-web-backend "$restart" "$version"
+if [ "$version" != "$backend_version" ]; then
+    $BIN/v-restart-web-backend "$restart" "$backend_version"
+fi
+
 check_result $? "Web backend restart failed" >/dev/null
 
 # Logging