Merge pull request hestiacp#516 from Flatta/fix-sec-osci

[SECURITY] Fix OS command injection.

Author: serghey-rodin

web/add/cron/autoupdate/index.php

@@ -3,13 +3,12 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');
 
 if ($_SESSION['user'] == 'admin') {
-    exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
+    v_exec('v-add-cron-vesta-autoupdate', [], false);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');
-    unset($output);
 }
 
-header("Location: /list/updates/");
+header('Location: /list/updates/');
 exit;

web/add/cron/index.php

@@ -13,7 +13,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit();
+        exit;
     }
 
     // Check empty fields
@@ -35,18 +35,16 @@
     }
 
     // Protect input
-    $v_min = escapeshellarg($_POST['v_min']);
-    $v_hour = escapeshellarg($_POST['v_hour']);
-    $v_day = escapeshellarg($_POST['v_day']);
-    $v_month = escapeshellarg($_POST['v_month']);
-    $v_wday = escapeshellarg($_POST['v_wday']);
-    $v_cmd = escapeshellarg($_POST['v_cmd']);
+    $v_min = $_POST['v_min'];
+    $v_hour = $_POST['v_hour'];
+    $v_day = $_POST['v_day'];
+    $v_month = $_POST['v_month'];
+    $v_wday = $_POST['v_wday'];
+    $v_cmd = $_POST['v_cmd'];
 
     // Add cron job
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
+        v_exec('v-add-cron-job', [$user, $v_min, $v_hour, $v_day, $v_month, $v_wday, $v_cmd]);
     }
 
     // Flush field values on success
@@ -58,7 +56,6 @@
         unset($v_month);
         unset($v_wday);
         unset($v_cmd);
-        unset($output);
     }
 }
 

web/add/cron/reports/index.php

@@ -3,11 +3,10 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');
 
-exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
+v_exec('v-add-cron-reports', [$user], false);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
-unset($output);
 
-header("Location: /list/cron/");
+header('Location: /list/cron/');
 exit;

web/add/db/index.php

@@ -12,7 +12,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit();
+        exit;
     }
 
     // Check empty fields
@@ -30,7 +30,7 @@
                 $error_msg = $error_msg.", ".$error;
             }
         }
-        $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
+        $_SESSION['error_msg'] = __('Field "%s" can not be blank.', $error_msg);
     }
 
     // Validate email
@@ -43,45 +43,36 @@
     // Check password length
     if (empty($_SESSION['error_msg'])) {
         $pw_len = strlen($_POST['v_password']);
-        if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg);
+        if ($pw_len < 6) $_SESSION['error_msg'] = __('Password is too short.', $error_msg);
     }
 
-    // Protect input
-    $v_database = escapeshellarg($_POST['v_database']);
-    $v_dbuser = escapeshellarg($_POST['v_dbuser']);
+    $v_database = $_POST['v_database'];
+    $v_dbuser = $_POST['v_dbuser'];
     $v_type = $_POST['v_type'];
     $v_charset = $_POST['v_charset'];
     $v_host = $_POST['v_host'];
     $v_db_email = $_POST['v_db_email'];
 
     // Add database
     if (empty($_SESSION['error_msg'])) {
-        $v_type = escapeshellarg($_POST['v_type']);
-        $v_charset = escapeshellarg($_POST['v_charset']);
-        $v_host = escapeshellarg($_POST['v_host']);
-        $v_password = tempnam("/tmp","vst");
-        $fp = fopen($v_password, "w");
+        $v_password = tempnam('/tmp', 'vst');
+        $fp = fopen($v_password, 'w');
         fwrite($fp, $_POST['v_password']."\n");
         fclose($fp);
-        exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
+        v_exec('v-add-database', [$user, $v_database, $v_dbuser, $v_password, $v_type, $v_host, $v_charset]);
         unlink($v_password);
-        $v_password = escapeshellarg($_POST['v_password']);
-        $v_type = $_POST['v_type'];
-        $v_host = $_POST['v_host'];
-        $v_charset = $_POST['v_charset'];
+        $v_password = $_POST['v_password'];
     }
 
     // Get database manager url
     if (empty($_SESSION['error_msg'])) {
-        list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"] . ":");
+        list($http_host, $port) = explode(':', $_SERVER['HTTP_HOST'] . ':');
         if ($_POST['v_host'] != 'localhost' ) $http_host = $_POST['v_host'];
-        if ($_POST['v_type'] == 'mysql') $db_admin = "phpMyAdmin";
-        if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
+        if ($_POST['v_type'] == 'mysql') $db_admin = 'phpMyAdmin';
+        if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://$http_host/phpmyadmin/";
         if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_URL']))) $db_admin_link = $_SESSION['DB_PMA_URL'];
-        if ($_POST['v_type'] == 'pgsql') $db_admin = "phpPgAdmin";
-        if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://".$http_host."/phppgadmin/";
+        if ($_POST['v_type'] == 'pgsql') $db_admin = 'phpPgAdmin';
+        if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://$http_host/phppgadmin/";
         if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_URL']))) $db_admin_link = $_SESSION['DB_PGA_URL'];
     }
 
@@ -90,15 +81,15 @@
         $to = $v_db_email;
         $subject = __("Database Credentials");
         $hostname = exec('hostname');
-        $from = __('MAIL_FROM',$hostname);
-        $mailtext = __('DATABASE_READY',$user."_".$_POST['v_database'],$user."_".$_POST['v_dbuser'],$_POST['v_password'],$db_admin_link);
+        $from = __('MAIL_FROM', $hostname);
+        $mailtext = __('DATABASE_READY', $user.'_'.$_POST['v_database'], $user.'_'.$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
         send_email($to, $subject, $mailtext, $from);
     }
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK',htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database']));
-        $_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . __('open %s',$db_admin) . "</a>";
+        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK', htmlentities($user.'_'.$_POST['v_database']), htmlentities($user.'_'.$_POST['v_database']));
+        $_SESSION['ok_msg'] .= " / <a href=$db_admin_link target='_blank'>" . __('open %s', $db_admin) . '</a>';
         unset($v_database);
         unset($v_dbuser);
         unset($v_password);
@@ -117,16 +108,15 @@
 $v_db_email = $panel[$user]['CONTACT'];
 
 // List avaiable database types
-$db_types = split(",",$_SESSION['DB_SYSTEM']);
+$db_types = explode(',', $_SESSION['DB_SYSTEM']);
 
 // List available database servers
 $db_hosts = array();
 foreach ($db_types as $db_type ) {
-    exec (VESTA_CMD."v-list-database-hosts ".$db_type." 'json'", $output, $return_var);
-    $db_hosts_tmp = json_decode(implode('', $output), true);
+    v_exec('v-list-database-hosts', [$db_type, 'json'], false, $output);
+    $db_hosts_tmp = json_decode($output, true);
     $db_hosts = array_merge($db_hosts, $db_hosts_tmp);
     unset($db_hosts_tmp);
-    unset($output);
 }
 
 // Display body

web/add/dns/index.php

@@ -13,7 +13,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit();
+        exit;
     }
 
     // Check empty fields
@@ -32,56 +32,47 @@
 
     // Protect input
     $v_domain = preg_replace("/^www./i", "", $_POST['v_domain']);
-    $v_domain = escapeshellarg($v_domain);
     $v_domain = strtolower($v_domain);
-    $v_ip = escapeshellarg($_POST['v_ip']);
-    if (!empty($_POST['v_ns1'])) $v_ns1 = escapeshellarg($_POST['v_ns1']);
-    if (!empty($_POST['v_ns2'])) $v_ns2 = escapeshellarg($_POST['v_ns2']);
-    if (!empty($_POST['v_ns3'])) $v_ns3 = escapeshellarg($_POST['v_ns3']);
-    if (!empty($_POST['v_ns4'])) $v_ns4 = escapeshellarg($_POST['v_ns4']);
-    if (!empty($_POST['v_ns5'])) $v_ns5 = escapeshellarg($_POST['v_ns5']);
-    if (!empty($_POST['v_ns6'])) $v_ns6 = escapeshellarg($_POST['v_ns6']);
-    if (!empty($_POST['v_ns7'])) $v_ns7 = escapeshellarg($_POST['v_ns7']);
-    if (!empty($_POST['v_ns8'])) $v_ns8 = escapeshellarg($_POST['v_ns8']);
+    $v_ip = $_POST['v_ip'];
+    if (!empty($_POST['v_ns1'])) $v_ns1 = $_POST['v_ns1'];
+    if (!empty($_POST['v_ns2'])) $v_ns2 = $_POST['v_ns2'];
+    if (!empty($_POST['v_ns3'])) $v_ns3 = $_POST['v_ns3'];
+    if (!empty($_POST['v_ns4'])) $v_ns4 = $_POST['v_ns4'];
+    if (!empty($_POST['v_ns5'])) $v_ns5 = $_POST['v_ns5'];
+    if (!empty($_POST['v_ns6'])) $v_ns6 = $_POST['v_ns6'];
+    if (!empty($_POST['v_ns7'])) $v_ns7 = $_POST['v_ns7'];
+    if (!empty($_POST['v_ns8'])) $v_ns8 = $_POST['v_ns8'];
 
     // Add dns domain
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-add-dns-domain ".$user." ".$v_domain." ".$v_ip." ".$v_ns1." ".$v_ns2." ".$v_ns3." ".$v_ns4." ".$v_ns5."  ".$v_ns6."  ".$v_ns7." ".$v_ns8." no", $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
+        v_exec('v-add-dns-domain', [$user, $v_domain, $v_ip, $v_ns1, $v_ns2, $v_ns3, $v_ns4, $v_ns5, $v_ns6, $v_ns7, $v_ns8, 'no']);
     }
 
 
     // Set expiriation date
     if (empty($_SESSION['error_msg'])) {
         if ((!empty($_POST['v_exp'])) && ($_POST['v_exp'] != date('Y-m-d', strtotime('+1 year')))) {
-            $v_exp = escapeshellarg($_POST['v_exp']);
-            exec (VESTA_CMD."v-change-dns-domain-exp ".$user." ".$v_domain." ".$v_exp." no", $output, $return_var);
-            check_return_code($return_var,$output);
-            unset($output);
+            $v_exp = $_POST['v_exp'];
+            v_exec('v-change-dns-domain-exp', [$user, $v_domain, $v_exp, 'no']);
         }
     }
 
     // Set ttl
     if (empty($_SESSION['error_msg'])) {
         if ((!empty($_POST['v_ttl'])) && ($_POST['v_ttl'] != '14400') && (empty($_SESSION['error_msg']))) {
-            $v_ttl = escapeshellarg($_POST['v_ttl']);
-            exec (VESTA_CMD."v-change-dns-domain-ttl ".$user." ".$v_domain." ".$v_ttl." no", $output, $return_var);
-            check_return_code($return_var,$output);
-            unset($output);
+            $v_ttl = $_POST['v_ttl'];
+            v_exec('v-change-dns-domain-ttl', [$user, $v_domain, $v_ttl, 'no']);
         }
     }
 
     // Restart dns server
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-restart-dns", $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
+        v_exec('v-restart-dns');
     }
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
+        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK', htmlentities($_POST[v_domain]), htmlentities($_POST[v_domain]));
         unset($v_domain);
     }
 }
@@ -93,7 +84,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit();
+        exit;
     }
 
     // Check empty fields
@@ -113,18 +104,15 @@
     }
 
     // Protect input
-    $v_domain = escapeshellarg($_POST['v_domain']);
-    $v_rec = escapeshellarg($_POST['v_rec']);
-    $v_type = escapeshellarg($_POST['v_type']);
-    $v_val = escapeshellarg($_POST['v_val']);
-    $v_priority = escapeshellarg($_POST['v_priority']);
+    $v_domain = $_POST['v_domain'];
+    $v_rec = $_POST['v_rec'];
+    $v_type = $_POST['v_type'];
+    $v_val = $_POST['v_val'];
+    $v_priority = $_POST['v_priority'];
 
     // Add dns record
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-add-dns-record ".$user." ".$v_domain." ".$v_rec." ".$v_type." ".$v_val." ".$v_priority, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
-        $v_type = $_POST['v_type'];
+        v_exec('v-add-dns-record', [$user, $v_domain, $v_rec, $v_type, $v_val, $v_priority]);
     }
 
     // Flush field values on success
@@ -159,8 +147,8 @@
     if (empty($v_ttl)) $v_ttl = 14400;
     if (empty($v_exp)) $v_exp = date('Y-m-d', strtotime('+1 year'));
     if (empty($v_ns1)) {
-        exec (VESTA_CMD."v-list-user-ns ".$user." json", $output, $return_var);
-        $nameservers = json_decode(implode('', $output), true);
+        v_exec('v-list-user-ns', [$user, 'json'], false, $output);
+        $nameservers = json_decode($output, true);
         $v_ns1 = str_replace("'", "", $nameservers[0]);
         $v_ns2 = str_replace("'", "", $nameservers[1]);
         $v_ns3 = str_replace("'", "", $nameservers[2]);
@@ -169,7 +157,6 @@
         $v_ns6 = str_replace("'", "", $nameservers[5]);
         $v_ns7 = str_replace("'", "", $nameservers[6]);
         $v_ns8 = str_replace("'", "", $nameservers[7]);
-        unset($output);
     }
     include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_dns.html');
 }

web/add/favorite/index.php

@@ -9,15 +9,13 @@
 // Check token
 //    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
 //        header('location: /login/');
-//        exit();
+//        exit;
 //    }
 
-    // Protect input
-    $v_section = escapeshellarg($_REQUEST['v_section']);
-    $v_unit_id = escapeshellarg($_REQUEST['v_unit_id']);
+    $v_section = $_REQUEST['v_section'];
+    $v_unit_id = $_REQUEST['v_unit_id'];
 
-    $_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']] = 1;
+    $_SESSION['favourites'][strtoupper((string)$v_section)][(string)$v_unit_id] = 1;
 
-    exec (VESTA_CMD."v-add-user-favourites ".$_SESSION['user']." ".$v_section." ".$v_unit_id, $output, $return_var);
-//    check_return_code($return_var,$output);
+    v_exec('v-add-user-favourites', [$_SESSION['user'], $v_section, $v_unit_id], false/*true*/);
 ?>

web/add/firewall/banlist/index.php

@@ -31,15 +31,12 @@
         $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
     }
 
-    // Protect input
-    $v_chain = escapeshellarg($_POST['v_chain']);
-    $v_ip = escapeshellarg($_POST['v_ip']);
+    $v_chain = $_POST['v_chain'];
+    $v_ip = $_POST['v_ip'];
 
     // Add firewall ban
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-add-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
-        check_return_code($return_var,$output);
-        unset($output);
+        v_exec('v-add-firewall-ban', [$v_ip, $v_chain]);
     }
 
     // Flush field values on success