Fix issue with composer.json visible in domain.com/phpmyadmin/composer.json (hestiacp#2148)

jaapmarcus · web-flow · commit d8227d9abf01 · 2021-09-27T15:37:10.000+02:00
* Limit access to composer.json for phpmyadmin

* Give access to /phpmyadmin/doc/html/

* Add upgrade script for phpmailer 

+ Fixed issue with update detection
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ All notable changes to this project will be documented in this file.
 
 ### Bugfixes
 
+- Limit access to files/folders that are not required on default /phpmyadmin (*.json, templates, locale, vendor) #2143
+
 ## [1.4.14] - Service release 
 
 ### Bugfixes
diff --git a/func/upgrade.sh b/func/upgrade.sh
@@ -604,7 +604,7 @@ upgrade_roundcube(){
     if [ "UPGRADE_UPDATE_ROUNDCUBE" = "true" ]; then
         if [ ! -z "$(echo "$WEBMAIL_SYSTEM" | grep -w 'roundcube')" ]; then
             rc_version=$(cat /var/lib/roundcube/index.php | grep -o -E '[0-9].[0-9].[0-9]+' | head -1);
-            if [ "$rc_version" == "$rc_v" ]; then
+            if [ "$rc_version" != "$rc_v" ]; then
                 echo "[ * ] Upgrading Roundcube to version v$rc_v..."
                 $HESTIA/bin/v-add-sys-roundcube
             fi
@@ -616,14 +616,26 @@ upgrade_rainloop(){
     if [ "UPGRADE_UPDATE_RAINLOOP" = "true" ]; then
         if [ ! -z "$(echo "$WEBMAIL_SYSTEM" | grep -w 'rainloop')" ]; then
             rc_version=$(cat /var/lib/rainloop/data/VERSION);
-            if [ "$rc_version" == "$rc_v" ]; then
+            if [ "$rc_version" != "$rl_v" ]; then
                 echo "[ * ] Upgrading Rainloop to version v$rl_v..."
                 $HESTIA/bin/v-add-sys-rainloop
             fi
         fi
     fi
 }
 
+upgrade_phpmailer(){
+    if [ ! -d "$HESTIA/web/inc/vendor/" ]; then
+        echo "[ ! ] Install PHPmailer";
+        $HESTIA/bin/v-add-sys-phpmailer
+    fi
+    phpm_version=$(cat $HESTIA/web/inc/vendor/phpmailer/phpmailer/VERSION);
+    if [ "$phpm_version" != "$pm_v" ]; then
+    echo "[ * ] Upgrading Rainloop to version v$pm_v..."
+        $HESTIA/bin/v-add-sys-phpmailer
+    fi
+}
+
 upgrade_rebuild_web_templates() {
     if [ "$UPGRADE_UPDATE_WEB_TEMPLATES" = "true" ]; then
         echo "[ ! ] Updating default web domain templates..."
diff --git a/install/deb/nginx/phpmyadmin.inc b/install/deb/nginx/phpmyadmin.inc
@@ -1,7 +1,11 @@
 location /%pma_alias% {
     alias /usr/share/phpmyadmin/;
 
-    location ~ /(libraries|setup) {
+    location ~ /(libraries|setup|vendor|templates|locale|sql) {
+        deny all;
+        return 404;
+    }
+    location ~ /(.+\.(json|lock|md)) {
         deny all;
         return 404;
     }
diff --git a/install/deb/pma/apache.conf b/install/deb/pma/apache.conf
@@ -25,23 +25,36 @@ Alias /%pma_alias% /usr/share/phpmyadmin
     </IfModule>
 </Directory>
 
-# Authorize for setup
-<Directory /usr/share/phpmyadmin/setup>
-    <IfModule mod_authn_file.c>
-    AuthType Basic
-    AuthName "phpMyAdmin Setup"
-    AuthUserFile /etc/phpmyadmin/htpasswd.setup
-    </IfModule>
-    Require valid-user
-</Directory>
-
 # Disallow web access to directories that don't need it
 <Directory /usr/share/phpmyadmin/libraries>
     Order Deny,Allow
     Deny from All
 </Directory>
-<Directory /usr/share/phpmyadmin/setup/lib>
+<Directory /usr/share/phpmyadmin/setup>
+    Order Deny,Allow
+    Deny from All
+</Directory>
+<Directory /usr/share/phpmyadmin/sql>
     Order Deny,Allow
     Deny from All
 </Directory>
-
+<Directory /usr/share/phpmyadmin/vendor>
+    Order Deny,Allow
+    Deny from All
+</Directory>
+<Directory /usr/share/phpmyadmin/templates>
+    Order Deny,Allow
+    Deny from All
+</Directory>
+<Directory /usr/share/phpmyadmin/locale>
+    Order Deny,Allow
+    Deny from All
+</Directory>
+<Files ~ "\.json$">
+    Order Deny,Allow
+    Deny from all
+</Files>
+<Files ~ "\.lock$">
+    Order Deny,Allow
+    Deny from all
+</Files>
diff --git a/install/upgrade/versions/1.4.15.sh b/install/upgrade/versions/1.4.15.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.4.14
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### Pass trough information to the end user incase of a issue or problem    #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### to the upgrade email. Please add it using:                              #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+if [ ! -z "$DB_PMA_ALIAS" ]; then
+    $HESTIA/bin/v-change-sys-db-alias 'pma' $DB_PMA_ALIAS
+fi
diff --git a/src/deb/hestia/postinst b/src/deb/hestia/postinst
@@ -84,6 +84,9 @@ upgrade_roundcube | tee -a $LOG
 # Upgrade Rainloop if applicable
 upgrade_rainloop | tee -a $LOG
 
+# Upgrade PHPMailer if applicable
+upgrade_phpmailer | tee -a $LOG
+
 # Set new version number in hestia.conf
 upgrade_set_version $new_version
 upgrade_set_branch $new_version
