Flatta's security fixes from PullRequest hestiacp#516

serghey-rodin · serghey-rodin · commit 95850df8d17f · 2015-12-11T21:32:07.000+02:00
diff --git a/web/add/web/index.php b/web/add/web/index.php
@@ -272,7 +272,7 @@
                     $fp = fopen($v_ftp_password, "w");
                     fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                     fclose($fp);
-                    exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+                    exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); 
                     check_return_code($return_var,$output);
                     unset($output);
                     unlink($v_ftp_password);
diff --git a/web/edit/cron/index.php b/web/edit/cron/index.php
@@ -53,6 +53,7 @@
     }
 
     $v_username = $user;
+    $v_job = escapeshellarg($_GET['job']); 
     $v_min = escapeshellarg($_POST['v_min']);
     $v_hour = escapeshellarg($_POST['v_hour']);
     $v_day = escapeshellarg($_POST['v_day']);
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
@@ -233,7 +233,7 @@
         $result = array_diff($aliases, $valiases);
         foreach ($result as $alias) {
             if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
-                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($alias), $output, $return_var);
                 check_return_code($return_var,$output);
                 unset($output);
             }
@@ -259,7 +259,7 @@
         $result = array_diff($fwd, $vfwd);
         foreach ($result as $forward) {
             if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
-                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
                 check_return_code($return_var,$output);
                 unset($output);
             }
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
@@ -188,14 +188,14 @@
                 $restart_web = 'yes';
                 $restart_proxy = 'yes';
                 $v_template = escapeshellarg($_POST['v_template']);
-                exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+                exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." ".escapeshellarg($alias)." 'no'", $output, $return_var);
                 check_return_code($return_var,$output);
                 unset($output);
                 if (empty($_SESSION['error_msg'])) {
                     exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
                     unset($output);
                     if ($return_var == 0) {
-                        exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".$alias." ".$v_ip." no", $output, $return_var);
+                        exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".escapeshellarg($alias)." ".$v_ip." no", $output, $return_var);
                         check_return_code($return_var,$output);
                     unset($output);
                         $restart_dns = 'yes';
@@ -520,7 +520,7 @@
                     $fp = fopen($v_ftp_password, "w");
                     fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                     fclose($fp);
-                    exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+                    exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var,$output);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
                         $to = $v_ftp_user_data['v_ftp_email'];
diff --git a/web/login/index.php b/web/login/index.php
@@ -44,7 +44,7 @@
     fclose($fp);
 
     // Check user & password
-    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'",  $output, $return_var);
+    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".escapeshellarg($_SERVER['REMOTE_ADDR']),  $output, $return_var);
     unset($output);
 
     // Remove tmp file
diff --git a/web/search/index.php b/web/search/index.php
@@ -28,8 +28,8 @@
 //setlocale(LC_ALL, $lang);
 
 // Data
+$q = escapeshellarg($q);
 if ($_SESSION['user'] == 'admin') {
-    $q = escapeshellarg($q);
     exec (VESTA_CMD."v-search-object ".$q." json", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_search.html');

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`$v_username = $user;`
	`56`	`+ $v_job = escapeshellarg($_GET['job']);`
`56`	`57`	`$v_min = escapeshellarg($_POST['v_min']);`
`57`	`58`	`$v_hour = escapeshellarg($_POST['v_hour']);`
`58`	`59`	`$v_day = escapeshellarg($_POST['v_day']);`