Fix web ui + Imporve security by blocking html + Allow for the use of idn domains

jaapmarcus · jaapmarcus · commit c682ace94dce · 2021-03-23T07:57:07.000Z
diff --git a/bin/v-add-web-domain-redirect b/bin/v-add-web-domain-redirect
@@ -40,6 +40,23 @@ is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
 
+
+scheme=0
+if [[ "$3" =~ http://|https:// ]]; then
+    scheme=1
+    regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
+    if ! [[ "$3" =~ $regex ]]; then
+        echo "Invalid redirect"
+        exit 2;
+    fi
+else
+    regex='[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
+    if ! [[ "$3" =~ $regex ]]; then
+        echo "Invalid redirect"
+        exit 2;
+    fi
+fi
+
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
@@ -55,12 +72,19 @@ if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
 fi
 # Insert redirect commands
 if [ ! -z "$PROXY_SYSTEM" ] || [ "$WEB_SYSTEM" = 'nginx' ]; then
-    echo "if (\$host != \"$redirect\") {" > $conf
-    echo "   return $code \$scheme://$redirect\$request_uri;" >> $conf
-    echo "}" >> $conf
-    
-    if [ ! -e "$sconf" ]; then
-        ln -s "$conf" "$sconf"
+    if [ "$scheme" = 1 ]; then
+        echo "   return $code $redirect\$request_uri;" > $conf        
+        if [ ! -e "$sconf" ]; then
+            ln -s "$conf" "$sconf"
+        fi
+    else
+        echo "if (\$host != \"$redirect\") {" > $conf
+        echo "   return $code \$scheme://$redirect\$request_uri;" >> $conf
+        echo "}" >> $conf
+        
+        if [ ! -e "$sconf" ]; then
+            ln -s "$conf" "$sconf"
+        fi
     fi
 else
     echo "Non supported please use .htaccess instead" 
@@ -72,12 +96,12 @@ fi
 #----------------------------------------------------------#
 
 if [ -z "$REDIRECT" ]; then
-    add_object_key "web" 'DOMAIN' "$domain" 'REDIRECT' 'STATS_CRYPT'
-    add_object_key "web" 'DOMAIN' "$domain" 'REDIRECT_CODE' 'STATS_CRYPT'
+    add_object_key "web" 'DOMAIN' "$domain" 'REDIRECT' 'U_DISK'
+    add_object_key "web" 'DOMAIN' "$domain" 'REDIRECT_CODE' 'U_DISK'
 fi
 
 update_object_value 'web' 'DOMAIN' "$domain" '$REDIRECT' "$redirect"
-
+update_object_value 'web' 'DOMAIN' "$domain" '$REDIRECT_CODE' "$code"
 # Restart web server
 $BIN/v-restart-web
 check_result $? "Web restart failed" > /dev/null
diff --git a/bin/v-delete-web-domain-redirect b/bin/v-delete-web-domain-redirect
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: Delete force redirect to domain
-# options: USER DOMAIN REDIRECT [CUSTOM]
+# options: USER DOMAIN
 # labels: hestia web
 #
 # example: v-add-web-domain-redirect user domain.tld
@@ -27,7 +27,7 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '3' "$#" 'USER DOMAIN REDIRECT'
+check_args '2' "$#" 'USER DOMAIN'
 is_format_valid 'user' 'domain'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -58,7 +58,7 @@ fi
 #----------------------------------------------------------#
 
 update_object_value 'web' 'DOMAIN' "$domain" '$REDIRECT' ""
-
+update_object_value 'web' 'DOMAIN' "$domain" '$REDIRECT_CODE' ""
 # Restart web server
 $BIN/v-restart-web
 check_result $? "Web restart failed" > /dev/null
diff --git a/bin/v-list-web-domain b/bin/v-list-web-domain
@@ -45,6 +45,8 @@ json_list() {
         "PROXY": "'$PROXY'",
         "PROXY_EXT": "'$PROXY_EXT'",
         "FASTCGI_CACHE": "'$FASTCGI_CACHE'",
+        "REDIRECT": "'$REDIRECT'",
+        "REDIRECT_CODE": "'$REDIRECT_CODE'",
         "CUSTOM_DOCROOT": "'$CUSTOM_DOCROOT'",
         "SUSPENDED": "'$SUSPENDED'",
         "TIME": "'$TIME'",
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
@@ -94,6 +94,12 @@
     }
 }
 
+$redirect_code_options = array(301,302);
+$v_redirect = $data[$v_domain]['REDIRECT'];
+$v_redirect_code = $data[$v_domain]['REDIRECT_CODE'];
+if ( !in_array($v_redirect, array('www.'.$v_domain, $v_domain))){
+    $v_redirect_custom = $v_redirect;
+}
 
 $v_ftp_user = $data[$v_domain]['FTP_USER'];
 $v_ftp_path = $data[$v_domain]['FTP_PATH'];
@@ -835,7 +841,38 @@
     }else{
         unset($v_custom_doc_root);
     }   
+    
+    if ( !empty($v_redirect) && empty($_POST['v-redirect-checkbox']) ) {
+        exec(HESTIA_CMD."v-delete-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain),  $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);    
+        unset($_POST['v-redirect']);
+    }
+    
+    if (!empty($_POST['v-redirect']) && !empty($_POST['v-redirect-checkbox']) ){
+        if (empty($v_redirect)){
+            if ($_POST['v-redirect']  == 'custom' && empty($_POST['v-redirect-custom'])){
+            }else{
+                if($_POST['v-redirect']  == 'custom'){
+                    $_POST['v-redirect'] = $_POST['v-redirect-custom'];
+                }
+            exec(HESTIA_CMD."v-add-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']),  $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);  
+     
+            }
 
+        }else {
+             if ($_POST['v-redirect'] == 'custom') {
+                 $_POST['v-redirect'] = $_POST['v-redirect-custom'];
+             }
+             if ( $_POST['v-redirect'] != $v_redirect || $_POST['v-redirect-code'] != $v_redirect_code ) {
+                 exec(HESTIA_CMD."v-add-web-domain-redirect ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($_POST['v-redirect'])." ".escapeshellarg($_POST['v-redirect-code']),  $output, $return_var);
+                 check_return_code($return_var,$output);
+                 unset($output);  
+             }
+        }
+    }
     // Restart web server
     if (!empty($restart_web) && (empty($_SESSION['error_msg']))) {
         exec (HESTIA_CMD."v-restart-web", $output, $return_var);
diff --git a/web/js/pages/edit_web.js b/web/js/pages/edit_web.js
@@ -2,7 +2,7 @@ App.Actions.WEB.update_custom_doc_root = function(elm, hint) {
     var prepath = $('input[name="v-custom-doc-root_prepath"]').val();
     var domain = $('select[name="v-custom-doc-domain"]').val();
     var folder = $('input[name="v-custom-doc-folder"]').val();
-    console.log(domain, folder);
+
     $('.custom_docroot_hint').html(prepath+domain+'/public_html/'+folder);
 }
 App.Listeners.DB.keypress_custom_folder = function() {
@@ -294,3 +294,12 @@ function elementHideShow(elementToHideOrShow){
     var el = document.getElementById(elementToHideOrShow);
     el.style.display = el.style.display === 'none' ? 'block' : 'none';
 }
+
+$('#v-redirect-custom-value').change( function(){
+    console.log($('#v-redirect-custom-value').is(":checked"));
+    if($('#v-redirect-custom-value').is(":checked")){
+        $('#custom_redirect').show();
+    }else{
+        $('#custom_redirect').hide();
+    }
+})
diff --git a/web/templates/admin/edit_web.html b/web/templates/admin/edit_web.html
@@ -316,7 +316,65 @@
                                     </table>
                                 </td>
                             </tr>
-
+                            <tr>
+                                <td class="vst-text step-top">
+                                    <label><input type="checkbox" size="20" class="vst-checkbox" name="v-redirect-checkbox" <?php if (!empty($v_redirect)) echo "checked=yes" ?> onclick="javascript:elementHideShow('v_redirect');"> <?php print _('Redirect');?></label>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td class="step-left">
+                                    <table style="display:<?php if (empty($v_redirect)) { echo 'none';} else {echo 'block';}?> ;" id="v_redirect">
+                                        <tr>
+                                            <td class="vst-text input-label">
+                                                <?php $v_redirect;?>
+                                                <?=_('Redirect');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td>
+                                                <input type="radio" name="v-redirect" value="<?php echo 'www.'.$domain;?>" <?php if ($v_redirect == "www.".$domain) echo "checked"; ?>/> <?=sprintf(_('Always redirect to %s'),"www.".$domain);?><br />
+                                                <input type="radio" name="v-redirect" value="<?php echo $domain;?>" <?php if( $v_redirect == $domain) echo "checked";?>/> <?=sprintf(_('Always redirect to %s'),$domain);?><br />
+                                                <input type="radio" name="v-redirect" value="custom" <?php if( !empty($v_redirect_custom)) echo "checked";?> id="v-redirect-custom-value"/> <?=_("Redirect to custom URL or domain");?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td>
+                                                <table id="custom_redirect" style="display:<?php if (empty($v_redirect_custom)) { echo 'none';} else {echo 'block';}?> ;">
+                                                    <tr>
+                                                        <td class="vst-text input-label">
+                                                            <?=_('Address');?>
+                                                        </td>
+                                                    </tr>
+                                                    <tr>
+                                                        <td class="vst-text input-label">
+                                                            <input type="text" name="v-redirect-custom" class="vst-input" value="<?=$v_redirect_custom;?>" />
+                                                        </td>
+                                                    </tr>
+                                                </table>   
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td class="vst-text input-label">
+                                               <?=_('Status code');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td class="vst-text input-label">
+                                                <select  class="vst-list" name="v-redirect-code">
+                                                    <?php foreach ($redirect_code_options as $status_code): ?>
+                                                    <option value="<?php echo $status_code;?>"
+                                                        <?=($v_redirect_code === $status_code || (empty($v_redirect_code) && $status_code === $v_redirect_code))?' selected="selected" ':''; ?>>
+                                                        <?php echo $status_code;?>
+                                                    </option>
+                                                <?php endforeach; ?>
+                                                </select>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                        </tr>
+                                    </table>
+                                </td>
+                            </tr>
                             <tr>
                                 <td class="vst-text step-top">
                                     <label><input type="checkbox" size="20" class="vst-checkbox" name="v_ssl" <?php if ($v_ssl == 'yes') echo "checked=yes" ?> onclick="javascript:App.Actions.WEB.toggle_ssl(this);"> <?php print _('SSL Support');?></label>
