
Commit d8584c5

LupulKristan Kenney
authored andcommitted
Fix missing information on Edit database page (hestiacp#291)
- removed double quoting shell arguments
1 parent de612de commit d8584c5


4 files changed

+30
-32
lines changed


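--- a/web/add/dns/index.php
+++ b/web/add/dns/index.php
@@ -80,7 +80,7 @@
 
 // Flush field values on success
 if (empty($_SESSION['error_msg'])) {
-$_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
+$_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain']));
 unset($v_domain);
 }
 }
@@ -128,7 +128,7 @@
 
 // Flush field values on success
 if (empty($_SESSION['error_msg'])) {
-$_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',htmlentities($_POST[v_rec]),htmlentities($_POST[v_domain]));
+$_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',htmlentities($_POST['v_rec']),htmlentities($_POST['v_domain']));
 unset($v_domain);
 unset($v_rec);
 unset($v_val);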

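--- a/web/add/web/index.php
+++ b/web/add/web/index.php
@@ -41,7 +41,6 @@
 
 // Set domain to lowercase and remove www prefix
 $v_domain = preg_replace("/^www\./i", "", $_POST['v_domain']);
-$v_domain = escapeshellarg($v_domain);
 $v_domain = strtolower($v_domain);
 
 // Define domain ip address
@@ -118,23 +117,23 @@
 
 // Add web domain
 if (empty($_SESSION['error_msg'])) {
-exec (HESTIA_CMD."v-add-web-domain ".$user." ".$v_domain." ".$v_ip." 'no' ".$aliases." ".$proxy_ext, $output, $return_var);
+exec (HESTIA_CMD."v-add-web-domain ".$user." ".escapeshellarg($v_domain)." ".$v_ip." 'no' ".$aliases." ".$proxy_ext, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $domain_added = empty($_SESSION['error_msg']);
 }
 
 // Add DNS domain
 if (($_POST['v_dns'] == 'on') && (empty($_SESSION['error_msg']))) {
-exec (HESTIA_CMD."v-add-dns-domain ".$user." ".$v_domain." ".$v_public_ip." '' '' '' '' '' '' '' '' 'no'", $output, $return_var);
+exec (HESTIA_CMD."v-add-dns-domain ".$user." ".escapeshellarg($v_domain)." ".$v_public_ip." '' '' '' '' '' '' '' '' 'no'", $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
 
 // Add DNS for domain aliases
 if (($_POST['v_dns'] == 'on') && (empty($_SESSION['error_msg']))) {
 foreach ($aliases_arr as $alias) {
-if ($alias != "www.".$_POST['v_domain']) {
+if ($alias != "www.".$v_domain) {
 $alias = escapeshellarg($alias);
 exec (HESTIA_CMD."v-add-dns-on-web-alias ".$user." ".$alias." ".$v_ip." 'no'", $output, $return_var);
 check_return_code($return_var,$output);
@@ -145,22 +144,22 @@
 
 // Add mail domain
 if (($_POST['v_mail'] == 'on') && (empty($_SESSION['error_msg']))) {
-exec (HESTIA_CMD."v-add-mail-domain ".$user." ".$v_domain, $output, $return_var);
+exec (HESTIA_CMD."v-add-mail-domain ".$user." ".escapeshellarg($v_domain), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
 
 // Delete proxy support
 if ((!empty($_SESSION['PROXY_SYSTEM'])) && ($_POST['v_proxy'] == 'off') && (empty($_SESSION['error_msg']))) {
 $ext = escapeshellarg($ext);
-exec (HESTIA_CMD."v-delete-web-domain-proxy ".$user." ".$v_domain." 'no'", $output, $return_var);
+exec (HESTIA_CMD."v-delete-web-domain-proxy ".$user." ".escapeshellarg($v_domain)." 'no'", $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
 
 // Add Lets Encrypt support
 if ((!empty($_POST['v_letsencrypt'])) && (empty($_SESSION['error_msg']))) {
-exec (HESTIA_CMD."v-schedule-letsencrypt-domain ".$user." ".$v_domain, $output, $return_var);
+exec (HESTIA_CMD."v-schedule-letsencrypt-domain ".$user." ".escapeshellarg($v_domain), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 } else {
@@ -195,7 +194,7 @@
 }
 
 $v_ssl_home = escapeshellarg($_POST['v_ssl_home']);
-exec (HESTIA_CMD."v-add-web-domain-ssl ".$user." ".$v_domain." ".$tmpdir." ".$v_ssl_home." 'no'", $output, $return_var);
+exec (HESTIA_CMD."v-add-web-domain-ssl ".$user." ".escapeshellarg($v_domain)." ".$tmpdir." ".$v_ssl_home." 'no'", $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
@@ -204,7 +203,7 @@
 // Add web stats
 if ((!empty($_POST['v_stats'])) && ($_POST['v_stats'] != 'none' ) && (empty($_SESSION['error_msg']))) {
 $v_stats = escapeshellarg($_POST['v_stats']);
-exec (HESTIA_CMD."v-add-web-domain-stats ".$user." ".$v_domain." ".$v_stats, $output, $return_var);
+exec (HESTIA_CMD."v-add-web-domain-stats ".$user." ".escapeshellarg($v_domain)." ".$v_stats, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
@@ -216,7 +215,7 @@
 $fp = fopen($v_stats_password, "w");
 fwrite($fp, $_POST['v_stats_password']."\n");
 fclose($fp);
-exec (HESTIA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
+exec (HESTIA_CMD."v-add-web-domain-stats-user ".$user." ".escapeshellarg($v_domain)." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 unlink($v_stats_password);
@@ -286,15 +285,15 @@
 $fp = fopen($v_ftp_password, "w");
 fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
 fclose($fp);
-exec (HESTIA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+exec (HESTIA_CMD."v-add-web-domain-ftp ".$user." ".escapeshellarg($v_domain)." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 unlink($v_ftp_password);
 if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
 $to = $v_ftp_user_data['v_ftp_email'];
 $subject = __("FTP login credentials");
-$from = __('MAIL_FROM',$_POST['v_domain']);
-$mailtext = __('FTP_ACCOUNT_READY',$_POST['v_domain'],$user,$v_ftp_user_data['v_ftp_user'],$v_ftp_user_data['v_ftp_password']);
+$from = __('MAIL_FROM', $v_domain );
+$mailtext = __('FTP_ACCOUNT_READY',$v_domain,$user,$v_ftp_user_data['v_ftp_user'],$v_ftp_user_data['v_ftp_password']);
 send_email($to, $subject, $mailtext, $from);
 unset($v_ftp_email);
 }
@@ -323,17 +322,17 @@
 }
 
 if (!empty($_SESSION['error_msg']) && $domain_added) {
-$_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
+$_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($v_domain),htmlentities($v_domain));
 $_SESSION['flash_error_msg'] = $_SESSION['error_msg'];
-$url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $_POST['v_domain']));
+$url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $v_domain));
 header('Location: ' . $url);
 exit;
 }
 }
 
 // Flush field values on success
 if (empty($_SESSION['error_msg'])) {
-$_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain']));
+$_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($v_domain),htmlentities($v_domain));
 unset($v_domain);
 unset($v_aliases);
 unset($v_ssl);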
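Review bot: With the `escapeshellarg()` at old line 44 removed, `$v_domain` stays raw for the rest of the script, so every `exec` that concatenates it has to escape at the call site. The nine calls in these hunks do, but the lines between the hunks are not shown here, and any `exec` there that still passes bare `$v_domain` is now unquoted; searching the whole file for `$v_domain` inside `exec (` is worth doing before merge. The redirect at new line 327 re-normalises an already normalised value and places it in the query string unencoded; `$url = '/edit/web/?domain='.urlencode($v_domain);` would be simpler and safe for any character. The raw value now also feeds `__('MAIL_FROM', $v_domain )`, so `send_email` (not visible here) should be checked for header-safe handling of `$from`.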

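--- a/web/edit/db/index.php
+++ b/web/edit/db/index.php
@@ -19,15 +19,14 @@
 }
 
 // List datbase
-$v_database = escapeshellarg($_GET['database']);
-exec (HESTIA_CMD."v-list-database ".$user." ".$v_database." 'json'", $output, $return_var);
+$v_database = $_GET['database'];
+exec (HESTIA_CMD."v-list-database ".$user." ".escapeshellarg($v_database)." 'json'", $output, $return_var);
 check_return_code($return_var,$output);
 $data = json_decode(implode('', $output), true);
 unset($output);
 
 // Parse database
 $v_username = $user;
-$v_database = escapeshellarg($_GET['database']);
 $v_dbuser = $data[$v_database]['DBUSER'];
 $v_password = "";
 $v_host = $data[$v_database]['HOST'];
@@ -56,7 +55,7 @@
 if (($v_dbuser != $_POST['v_dbuser']) && (empty($_SESSION['error_msg']))) {
 $v_dbuser = preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);
 $v_dbuser = escapeshellarg($v_dbuser);
-exec (HESTIA_CMD."v-change-database-user ".$v_username." ".$v_database." ".$v_dbuser, $output, $return_var);
+exec (HESTIA_CMD."v-change-database-user ".$v_username." ".escapeshellarg($v_database)." ".$v_dbuser, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $v_dbuser = $user."_".preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);
@@ -68,7 +67,7 @@
 $fp = fopen($v_password, "w");
 fwrite($fp, $_POST['v_password']."\n");
 fclose($fp);
-exec (HESTIA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);
+exec (HESTIA_CMD."v-change-database-password ".$v_username." ".escapeshellarg($v_database)." ".$v_password, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 unlink($v_password);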
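Review bot: `$data[$v_database]` at new lines 30 and 32 is indexed with the raw `$_GET['database']` value without checking that the key exists, so a name that `v-list-database` does not return, or a failed `json_decode`, yields null fields and notices rather than an error. Unless `check_return_code` already stops the script (it is not visible here), a guard right after the decode such as `if (!isset($data[$v_database])) { /* set error_msg and stop */ }` would cover it. Because `$v_database` is no longer shell-quoted and now holds the request value unchanged for the rest of the script, the template that prints it, which is outside this diff, should pass it through `htmlentities()`, and any `exec` between the hunks that still concatenates it bare needs the same `escapeshellarg()` treatment.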

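--- a/web/edit/server/index.php
+++ b/web/edit/server/index.php
@@ -66,7 +66,7 @@
 if ($backup_type == 'local') {
 $v_backup = 'yes';
 } else {
-exec (HESTIA_CMD."v-list-backup-host ".$backup_type. " json", $output, $return_var);
+exec (HESTIA_CMD."v-list-backup-host ".escapeshellarg($backup_type)." json", $output, $return_var);
 $v_remote_backup = json_decode(implode('', $output), true);
 unset($output);
 $v_backup_host = $v_remote_backup[$backup_type]['HOST'];
@@ -186,7 +186,7 @@
 // Update mysql pasword
 if (empty($_SESSION['error_msg'])) {
 if (!empty($_POST['v_mysql_password'])) {
-exec (HESTIA_CMD."v-change-database-host-password mysql localhost root '".escapeshellarg($_POST['v_mysql_password'])."'", $output, $return_var);
+exec (HESTIA_CMD."v-change-database-host-password mysql localhost root ".escapeshellarg($_POST['v_mysql_password']), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $v_db_adv = 'yes';
@@ -196,7 +196,7 @@
 // Update webmail url
 if (empty($_SESSION['error_msg'])) {
 if ($_POST['v_mail_url'] != $_SESSION['MAIL_URL']) {
-exec (HESTIA_CMD."v-change-sys-config-value MAIL_URL '".escapeshellarg($_POST['v_mail_url'])."'", $output, $return_var);
+exec (HESTIA_CMD."v-change-sys-config-value MAIL_URL ".escapeshellarg($_POST['v_mail_url']), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $v_mail_adv = 'yes';
@@ -206,7 +206,7 @@
 // Update phpMyAdmin url
 if (empty($_SESSION['error_msg'])) {
 if ($_POST['v_mysql_url'] != $_SESSION['DB_PMA_URL']) {
-exec (HESTIA_CMD."v-change-sys-config-value DB_PMA_URL '".escapeshellarg($_POST['v_mysql_url'])."'", $output, $return_var);
+exec (HESTIA_CMD."v-change-sys-config-value DB_PMA_URL ".escapeshellarg($_POST['v_mysql_url']), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $v_db_adv = 'yes';
@@ -216,7 +216,7 @@
 // Update phpPgAdmin url
 if (empty($_SESSION['error_msg'])) {
 if ($_POST['v_pgsql_url'] != $_SESSION['DB_PGA_URL']) {
-exec (HESTIA_CMD."v-change-sys-config-value DB_PGA_URL '".escapeshellarg($_POST['v_pgsql_url'])."'", $output, $return_var);
+exec (HESTIA_CMD."v-change-sys-config-value DB_PGA_URL ".escapeshellarg($_POST['v_pgsql_url']), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $v_db_adv = 'yes';
@@ -275,7 +275,7 @@
 $v_backup_username = escapeshellarg($_POST['v_backup_username']);
 $v_backup_password = escapeshellcmd($_POST['v_backup_password']);
 $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
-exec (HESTIA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+exec (HESTIA_CMD."v-add-backup-host ". $v_backup_type ." ". $v_backup_host ." ". $v_backup_username ." '". $v_backup_password ."' ". $v_backup_bpath, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
@@ -300,7 +300,7 @@
 $v_backup_username = escapeshellarg($_POST['v_backup_username']);
 $v_backup_password = escapeshellcmd($_POST['v_backup_password']);
 $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
-exec (HESTIA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+exec (HESTIA_CMD."v-add-backup-host ". $v_backup_type ." ". $v_backup_host ." ". $v_backup_username ." '". $v_backup_password ."' ". $v_backup_bpath, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
@@ -322,7 +322,7 @@
 $v_backup_username = escapeshellarg($_POST['v_backup_username']);
 $v_backup_password = escapeshellcmd($_POST['v_backup_password']);
 $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
-exec (HESTIA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+exec (HESTIA_CMD."v-add-backup-host ". $v_backup_type ." ". $v_backup_host ." ". $v_backup_username ." '". $v_backup_password ."' ". $v_backup_bpath, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
@@ -339,7 +339,7 @@
 // Delete remote backup host
 if (empty($_SESSION['error_msg'])) {
 if ((empty($_POST['v_backup_host'])) && (!empty($v_backup_host))) {
-exec (HESTIA_CMD."v-delete-backup-host '". $v_backup_type ."'", $output, $return_var);
+exec (HESTIA_CMD."v-delete-backup-host ".escapeshellarg($v_backup_type), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 if (empty($_SESSION['error_msg'])) $v_backup_host = '';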
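Review bot: The new `v-add-backup-host` lines (new 278, 303 and 325) still wrap `$v_backup_password` in hand-written single quotes, and the context line above each prepares it with `escapeshellcmd()`, which is meant for whole command strings and leaves paired quotes alone; a password containing single quotes is therefore not confined to one argument, and other metacharacters reach the script with backslashes added. Quoting it like its neighbours fixes both: `$v_backup_password = escapeshellarg($_POST['v_backup_password']);` and then `." ". $v_backup_password ." ".` in the `exec`. The manual quotes around `$v_backup_type` and `$v_backup_host` were dropped as well, which is only safe if both are passed through `escapeshellarg()` above each hunk; those assignments are not visible here. If `$v_backup_type` is already escaped at that point, `escapeshellarg($v_backup_type)` at new line 342 would quote it a second time, so it is worth confirming which form that branch receives.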
