Fix security issue in v-add-user-package + v-change-user-package (hestiacp#2171)

jaapmarcus · web-flow · commit a2845d4c71d5 · 2021-10-05T10:48:19.000+02:00
* Fix issue where shell could be executed during change of package

* Replace the last eval

* Also verify nameserver name servers format
diff --git a/bin/v-add-user-package b/bin/v-add-user-package
@@ -18,6 +18,8 @@ rewrite=$3
 # Includes
 # shellcheck source=/usr/local/hestia/func/main.sh
 source $HESTIA/func/main.sh
+# shellcheck source=/usr/local/hestia/func/domain.sh
+source $HESTIA/func/domain.sh
 # shellcheck source=/usr/local/hestia/conf/hestia.conf
 source $HESTIA/conf/hestia.conf
 
@@ -65,6 +67,28 @@ is_package_consistent() {
     if [ "$BACKUPS" != 'unlimited' ]; then
         is_int_format_valid $BACKUPS 'BACKUPS'
     fi
+    if [ -n "$WEB_TEMPLATE" ]; then
+        is_web_template_valid $WEB_TEMPLATE
+    fi
+    if [ -n "$BACKEND_TEMPLATE" ]; then
+        is_backend_template_valid $BACKEND_TEMPLATE
+    fi
+    if [ -n "$PROXY_TEMPLATE" ]; then
+        is_proxy_template_valid $PROXY_TEMPLATE
+    fi
+    if [ -n "$DNS_TEMPLATE" ]; then
+        is_dns_template_valid $DNS_TEMPLATE
+    fi
+    if [ -n "$NS" ]; then
+        IFS=',' read -r -a nameservers <<< "$NS"
+        i=1;
+        for ns in "${nameservers[@]}"
+        do
+            is_domain_format_valid "$ns" "ns$i"
+            i=$((i+1))
+        done
+    fi
+    
     is_format_valid_shell $SHELL
 }
 
diff --git a/bin/v-change-user-package b/bin/v-change-user-package
@@ -24,12 +24,8 @@ source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
 is_package_avalable() {
-
-    usr_data=$(cat $USER_DATA/user.conf)
-    IFS=$'\n'
-    for key in $usr_data; do
-        eval ${key%%=*}=${key#*=}
-    done
+    
+    source $USER_DATA/user.conf
 
     WEB_DOMAINS='0'
     DATABASES='0'
@@ -38,9 +34,7 @@ is_package_avalable() {
     DISK_QUOTA='0'
     BANDWIDTH='0'
 
-    pkg_data=$(cat $HESTIA/data/packages/$package.pkg |grep -v TIME |\
-        grep -v DATE)
-    eval $pkg_data
+    source $HESTIA/data/packages/$package.pkg
 
     # Checking usage agains package limits
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
@@ -81,8 +75,11 @@ is_package_avalable() {
 }
 
 change_user_package() {
-    eval $(cat $USER_DATA/user.conf)
-    eval $(cat $HESTIA/data/packages/$package.pkg |egrep -v "TIME|DATE")
+    source $USER_DATA/user.conf
+    # Keep user creation date and time saved
+    time="$TIME"
+    date="$DATE"
+    source $HESTIA/data/packages/$package.pkg
     echo "NAME='$NAME'
 PACKAGE='$package'
 WEB_TEMPLATE='$WEB_TEMPLATE'
@@ -144,8 +141,8 @@ PREF_UI_SORT='$PREF_UI_SORT'
 LOGIN_DISABLED='$LOGIN_DISABLED'
 LOGIN_USE_IPLIST='$LOGIN_USE_IPLIST'
 LOGIN_ALLOW_IPS='$LOGIN_ALLOW_IPS'
-TIME='$TIME'
-DATE='$DATE'" > $USER_DATA/user.conf
+TIME='$time'
+DATE='$date'" > $USER_DATA/user.conf
 }
 
 
@@ -173,7 +170,7 @@ check_hestia_demo_mode
 change_user_package
 
 # Update user shell
-shell_conf=$(echo "$pkg_data" | grep 'SHELL' | cut -f 2 -d \')
+shell_conf=$(cat $HESTIA/data/packages/$package.pkg | grep 'SHELL' | cut -f 2 -d \')
 $BIN/v-change-user-shell $user $shell_conf
 
 # Run template trigger
diff --git a/install/deb/nginx/phpmyadmin.inc b/install/deb/nginx/phpmyadmin.inc
@@ -1,7 +1,7 @@
 location /%pma_alias% {
     alias /usr/share/phpmyadmin/;
 
-    location ~ /(libraries|setup|templates|locale|sql)/ {
+    location ~ /(libraries|setup|templates|locale) {
         deny all;
         return 404;
     }
diff --git a/install/upgrade/versions/1.4.18.sh b/install/upgrade/versions/1.4.18.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.4.18
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### Pass trough information to the end user incase of a issue or problem    #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### to the upgrade email. Please add it using:                              #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+if [ ! -z "$DB_PMA_ALIAS" ]; then
+    $HESTIA/bin/v-change-sys-db-alias 'pma' $DB_PMA_ALIAS
+fi
+

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`location /%pma_alias% {`
`2`	`2`	`alias /usr/share/phpmyadmin/;`
`3`	`3`
`4`		`- location ~ /(libraries\|setup\|templates\|locale\|sql)/ {`
	`4`	`+ location ~ /(libraries\|setup\|templates\|locale) {`
`5`	`5`	`deny all;`
`6`	`6`	`return 404;`
`7`	`7`	`}`