Fix due to external control of filename or path

jaapmarcus · jaapmarcus · commit b962e037810e · 2021-09-09T14:41:25.000+02:00
Also removal of /edit/file/index.php as is not used within Hestia
diff --git a/bin/v-add-user-package b/bin/v-add-user-package
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: adding user package
-# options: PKG_DIR PACKAGE [REWRITE]
+# options: tmpfile PACKAGE [REWRITE]
 # labels: 
 #
 # The function adds new user package to the system.
@@ -11,7 +11,7 @@
 #----------------------------------------------------------#
 
 # Argument definition
-pkg_dir=$1
+tmpfile=$1
 package=$2
 rewrite=$3
 
@@ -31,7 +31,7 @@ is_package_new() {
 }
 
 is_package_consistent() {
-    source $pkg_dir/$package.pkg
+    source $tmpfile
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
         is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS'
     fi
@@ -78,7 +78,12 @@ is_format_valid 'pkg_dir' 'package'
 if [ "$rewrite" != 'yes' ]; then
     is_package_new
 fi
-is_package_valid "$pkg_dir"
+
+if [ ! -f "$tmpfile" ]; then 
+    echo "$tmpfile does not exists"
+    exit $E_NOTEXIST;
+fi
+
 is_package_consistent
 
 # Perform verification if read-only mode is enabled
@@ -89,7 +94,7 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-cp -f $pkg_dir/$package.pkg $HESTIA/data/packages/
+cp -f $tmpfile $HESTIA/data/packages/$package.pkg
 chmod 644 $HESTIA/data/packages/$package.pkg
 
 
diff --git a/install/upgrade/versions/1.4.13.sh b/install/upgrade/versions/1.4.13.sh
@@ -43,3 +43,8 @@ if [ "$FIREWALL_SYSTEM" = "iptables" ]; then
     $BIN/v-delete-sys-firewall
     $BIN/v-add-sys-firewall
 fi
+
+# Not used any more
+if [ -d "$HESTIA/web/edit/file/" ]; then
+    rm -fr $HESTIA/web/edit/file/
+fi
diff --git a/web/add/package/index.php b/web/add/package/index.php
@@ -1,13 +1,14 @@
 <?php
-error_reporting(NULL);
+
+error_reporting(null);
 ob_start();
 $TAB = 'PACKAGE';
 
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Check user
-if ($_SESSION['userContext'] != 'admin')  {
+if ($_SESSION['userContext'] != 'admin') {
     header("Location: /list/user");
     exit;
 }
@@ -22,42 +23,80 @@
     }
 
     // Check empty fields
-    if (empty($_POST['v_package'])) $errors[] = _('package');
-    if (empty($_POST['v_web_template'])) $errors[] = _('web template');
+    if (empty($_POST['v_package'])) {
+        $errors[] = _('package');
+    }
+    if (empty($_POST['v_web_template'])) {
+        $errors[] = _('web template');
+    }
     if (!empty($_SESSION['WEB_BACKEND'])) {
-        if (empty($_POST['v_backend_template'])) $errors[] = _('backend template');
+        if (empty($_POST['v_backend_template'])) {
+            $errors[] = _('backend template');
+        }
     }
     if (!empty($_SESSION['PROXY_SYSTEM'])) {
-        if (empty($_POST['v_proxy_template'])) $errors[] = _('proxy template');
-    }
-    if (empty($_POST['v_dns_template'])) $errors[] = _('dns template');
-    if (empty($_POST['v_shell'])) $errrors[] = _('shell');
-    if (!isset($_POST['v_web_domains'])) $errors[] = _('web domains');
-    if (!isset($_POST['v_web_aliases'])) $errors[] = _('web aliases');
-    if (!isset($_POST['v_dns_domains'])) $errors[] = _('dns domains');
-    if (!isset($_POST['v_dns_records'])) $errors[] = _('dns records');
-    if (!isset($_POST['v_mail_domains'])) $errors[] = _('mail domains');
-    if (!isset($_POST['v_mail_accounts'])) $errors[] = _('mail accounts');
-    if (!isset($_POST['v_databases'])) $errors[] = _('databases');
-    if (!isset($_POST['v_cron_jobs'])) $errors[] = _('cron jobs');
-    if (!isset($_POST['v_backups'])) $errors[] = _('backups');
-    if (!isset($_POST['v_disk_quota'])) $errors[] = _('quota');
-    if (!isset($_POST['v_bandwidth'])) $errors[] = _('bandwidth');
-    
+        if (empty($_POST['v_proxy_template'])) {
+            $errors[] = _('proxy template');
+        }
+    }
+    if (empty($_POST['v_dns_template'])) {
+        $errors[] = _('dns template');
+    }
+    if (empty($_POST['v_shell'])) {
+        $errrors[] = _('shell');
+    }
+    if (!isset($_POST['v_web_domains'])) {
+        $errors[] = _('web domains');
+    }
+    if (!isset($_POST['v_web_aliases'])) {
+        $errors[] = _('web aliases');
+    }
+    if (!isset($_POST['v_dns_domains'])) {
+        $errors[] = _('dns domains');
+    }
+    if (!isset($_POST['v_dns_records'])) {
+        $errors[] = _('dns records');
+    }
+    if (!isset($_POST['v_mail_domains'])) {
+        $errors[] = _('mail domains');
+    }
+    if (!isset($_POST['v_mail_accounts'])) {
+        $errors[] = _('mail accounts');
+    }
+    if (!isset($_POST['v_databases'])) {
+        $errors[] = _('databases');
+    }
+    if (!isset($_POST['v_cron_jobs'])) {
+        $errors[] = _('cron jobs');
+    }
+    if (!isset($_POST['v_backups'])) {
+        $errors[] = _('backups');
+    }
+    if (!isset($_POST['v_disk_quota'])) {
+        $errors[] = _('quota');
+    }
+    if (!isset($_POST['v_bandwidth'])) {
+        $errors[] = _('bandwidth');
+    }
+
     // Check if name server entries are blank if DNS server is installed
     if ((isset($_SESSION['DNS_SYSTEM'])) && (!empty($_SESSION['DNS_SYSTEM']))) {
-        if (empty($_POST['v_ns1'])) $errors[] = _('ns1');
-        if (empty($_POST['v_ns2'])) $errors[] = _('ns2');
+        if (empty($_POST['v_ns1'])) {
+            $errors[] = _('ns1');
+        }
+        if (empty($_POST['v_ns2'])) {
+            $errors[] = _('ns2');
+        }
     }
     if (!empty($errors[0])) {
         foreach ($errors as $i => $error) {
-            if ( $i == 0 ) {
+            if ($i == 0) {
                 $error_msg = $error;
             } else {
                 $error_msg = $error_msg.", ".$error;
             }
         }
-        $_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'),$error_msg);
+        $_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), $error_msg);
     }
 
     // Protect input
@@ -87,24 +126,28 @@
     $v_ns7 = trim($_POST['v_ns7'], '.');
     $v_ns8 = trim($_POST['v_ns8'], '.');
     $v_ns = $v_ns1.",".$v_ns2;
-    if (!empty($v_ns3)) $v_ns .= ",".$v_ns3;
-    if (!empty($v_ns4)) $v_ns .= ",".$v_ns4;
-    if (!empty($v_ns5)) $v_ns .= ",".$v_ns5;
-    if (!empty($v_ns6)) $v_ns .= ",".$v_ns6;
-    if (!empty($v_ns7)) $v_ns .= ",".$v_ns7;
-    if (!empty($v_ns8)) $v_ns .= ",".$v_ns8;
+    if (!empty($v_ns3)) {
+        $v_ns .= ",".$v_ns3;
+    }
+    if (!empty($v_ns4)) {
+        $v_ns .= ",".$v_ns4;
+    }
+    if (!empty($v_ns5)) {
+        $v_ns .= ",".$v_ns5;
+    }
+    if (!empty($v_ns6)) {
+        $v_ns .= ",".$v_ns6;
+    }
+    if (!empty($v_ns7)) {
+        $v_ns .= ",".$v_ns7;
+    }
+    if (!empty($v_ns8)) {
+        $v_ns .= ",".$v_ns8;
+    }
     $v_ns = escapeshellarg($v_ns);
     $v_time = escapeshellarg(date('H:i:s'));
     $v_date = escapeshellarg(date('Y-m-d'));
 
-    // Create temporary dir
-    if (empty($_SESSION['error_msg'])) {
-        exec ('mktemp -d', $output, $return_var);
-        $tmpdir = $output[0];
-        check_return_code($return_var,$output);
-        unset($output);
-    }
-
     // Create package file
     if (empty($_SESSION['error_msg'])) {
         $pkg = "WEB_TEMPLATE=".$v_web_template."\n";
@@ -131,79 +174,108 @@
         $pkg .= "TIME=".$v_time."\n";
         $pkg .= "DATE=".$v_date."\n";
 
-        $fp = fopen($tmpdir."/".$_POST['v_package'].".pkg", 'w');
+        $tmpfile = tempnam('/tmp/', 'hst_');
+        $fp = fopen($tmpfile, 'w');
         fwrite($fp, $pkg);
-        fclose($fp);
-    }
-
-    // Add new package
-    if (empty($_SESSION['error_msg'])) {
-        exec (HESTIA_CMD."v-add-user-package ".$tmpdir." ".$v_package, $output, $return_var);
-        check_return_code($return_var,$output);
+        exec(HESTIA_CMD."v-add-user-package ".$tmpfile." ".$v_package, $output, $return_var);
+        check_return_code($return_var, $output);
         unset($output);
-    }
 
-    // Remove tmpdir
-    exec ('rm -rf '.$tmpdir, $output, $return_var);
-    unset($output);
+        fclose($fp);
+    }
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = sprintf(_('PACKAGE_CREATED_OK'),htmlentities($_POST['v_package']),htmlentities($_POST['v_package']));
+        $_SESSION['ok_msg'] = sprintf(_('PACKAGE_CREATED_OK'), htmlentities($_POST['v_package']), htmlentities($_POST['v_package']));
         unset($v_package);
     }
-
 }
 
 
 // List web temmplates
-exec (HESTIA_CMD."v-list-web-templates json", $output, $return_var);
+exec(HESTIA_CMD."v-list-web-templates json", $output, $return_var);
 $web_templates = json_decode(implode('', $output), true);
 unset($output);
 
 // List web templates for backend
 if (!empty($_SESSION['WEB_BACKEND'])) {
-    exec (HESTIA_CMD."v-list-web-templates-backend json", $output, $return_var);
+    exec(HESTIA_CMD."v-list-web-templates-backend json", $output, $return_var);
     $backend_templates = json_decode(implode('', $output), true);
     unset($output);
 }
 
 // List web templates for proxy
 if (!empty($_SESSION['PROXY_SYSTEM'])) {
-    exec (HESTIA_CMD."v-list-web-templates-proxy json", $output, $return_var);
+    exec(HESTIA_CMD."v-list-web-templates-proxy json", $output, $return_var);
     $proxy_templates = json_decode(implode('', $output), true);
     unset($output);
 }
 
 // List DNS templates
-exec (HESTIA_CMD."v-list-dns-templates json", $output, $return_var);
+exec(HESTIA_CMD."v-list-dns-templates json", $output, $return_var);
 $dns_templates = json_decode(implode('', $output), true);
 unset($output);
 
 // List system shells
-exec (HESTIA_CMD."v-list-sys-shells json", $output, $return_var);
+exec(HESTIA_CMD."v-list-sys-shells json", $output, $return_var);
 $shells = json_decode(implode('', $output), true);
 unset($output);
 
 // Set default values
-if (empty($v_web_template)) $v_web_template = 'default';
-if (empty($v_backend_template)) $v_backend_template = 'default';
-if (empty($v_proxy_template)) $v_proxy_template = 'default';
-if (empty($v_dns_template)) $v_dns_template = 'default';
-if (empty($v_shell)) $v_shell = 'nologin';
-if (empty($v_web_domains)) $v_web_domains = "'1'";
-if (empty($v_web_aliases)) $v_web_aliases = "'1'";
-if (empty($v_dns_domains)) $v_dns_domains = "'1'";
-if (empty($v_dns_records)) $v_dns_records = "'1'";
-if (empty($v_mail_domains)) $v_mail_domains = "'1'";
-if (empty($v_mail_accounts)) $v_mail_accounts = "'1'";
-if (empty($v_databases)) $v_databases = "'1'";
-if (empty($v_cron_jobs)) $v_cron_jobs = "'1'";
-if (empty($v_backups)) $v_backups = "'1'";
-if (empty($v_disk_quota)) $v_disk_quota = "'1000'";
-if (empty($v_bandwidth)) $v_bandwidth = "'1000'";
-if (empty($v_ns1)) $v_ns1 = 'ns1.example.ltd';
-if (empty($v_ns2)) $v_ns2 = 'ns2.example.ltd';
+if (empty($v_web_template)) {
+    $v_web_template = 'default';
+}
+if (empty($v_backend_template)) {
+    $v_backend_template = 'default';
+}
+if (empty($v_proxy_template)) {
+    $v_proxy_template = 'default';
+}
+if (empty($v_dns_template)) {
+    $v_dns_template = 'default';
+}
+if (empty($v_shell)) {
+    $v_shell = 'nologin';
+}
+if (empty($v_web_domains)) {
+    $v_web_domains = "'1'";
+}
+if (empty($v_web_aliases)) {
+    $v_web_aliases = "'1'";
+}
+if (empty($v_dns_domains)) {
+    $v_dns_domains = "'1'";
+}
+if (empty($v_dns_records)) {
+    $v_dns_records = "'1'";
+}
+if (empty($v_mail_domains)) {
+    $v_mail_domains = "'1'";
+}
+if (empty($v_mail_accounts)) {
+    $v_mail_accounts = "'1'";
+}
+if (empty($v_databases)) {
+    $v_databases = "'1'";
+}
+if (empty($v_cron_jobs)) {
+    $v_cron_jobs = "'1'";
+}
+if (empty($v_backups)) {
+    $v_backups = "'1'";
+}
+if (empty($v_disk_quota)) {
+    $v_disk_quota = "'1000'";
+}
+if (empty($v_bandwidth)) {
+    $v_bandwidth = "'1000'";
+}
+if (empty($v_ns1)) {
+    $v_ns1 = 'ns1.example.ltd';
+}
+if (empty($v_ns2)) {
+    $v_ns2 = 'ns2.example.ltd';
+}
 
 // Render page
 render_page($user, $TAB, 'add_package');
diff --git a/web/edit/file/index.php b/web/edit/file/index.php
