
Commit eb6faae

author
Kristan Kenney
committed
Merge branch 'main' into fix/domain-idn-handling
2 parents 1aca093 + 1d3376e commit eb6faae


54 files changed

+251
-78
lines changed


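--- a/bin/v-change-sys-api
+++ b/bin/v-change-sys-api
@@ -0,0 +1,56 @@
+#!/bin/bash
+# info: Enable / Disable API access
+# options: STATUS
+# labels: hestia
+#
+# example: v-change-sys-api enable
+# # Enable API
+#
+# example: v-change-sys-api disable
+# # Disable API
+#
+# Enabled / Disable API
+
+
+status=$1
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+check_args '1' "$#" "STATUS"
+is_type_valid "enable,disable" "$status"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+if [ "$status" = "enable" ]; then
+if [ $API = "no" ]; then
+if [ ! -f "$HESTIA/web/api/index.php" ]; then
+wget -q https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/api/index.php -O $HESTIA/web/api/index.php
+else
+sed -i 's|die("Error: Disabled");|//die("Error: Disabled");|g' $HESTIA/web/api/index.php
+fi
+$HESTIA/bin/v-change-sys-config-value "API" "yes"
+fi
+else
+if [ $API = "yes" ]; then
+$HESTIA/bin/v-change-sys-config-value "API" "no"
+sed -i 's|//die("Error: Disabled");|die("Error: Disabled");|g' $HESTIA/web/api/index.php
+fi
+fi
+
+#----------------------------------------------------------#
+# Logging #
+#----------------------------------------------------------#
+
+log_history "API status has been changed to $status" '' 'admin'
+log_event "$OK" "$ARGUMENTS"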
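Review bot: Both `if [ $API = "no" ]; then` and `if [ $API = "yes" ]; then` leave $API unquoted; API is read from the sourced hestia.conf, and if that key is ever absent (the upgrade health check in this commit adds API_ALLOWED_IP but not API) the test degrades to `[ = "no" ]`, which errors and silently skips the branch. Quote them: `if [ "$API" = "no" ]; then` and `if [ "$API" = "yes" ]; then`. The enable path also fetches index.php from the release branch with `wget -q ... -O $HESTIA/web/api/index.php` with no integrity check and no check of wget's exit status, so a failed download leaves an empty or truncated index.php while API is then set to yes; test the download result before calling v-change-sys-config-value. `$HESTIA` is unquoted throughout, matching the rest of the tree but worth quoting in a new file.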

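--- a/bin/v-delete-web-php
+++ b/bin/v-delete-web-php
@@ -88,6 +88,15 @@ fi
 # Cleanup php folder
 [[ -d /etc/php/$version ]] && rm -rf "/etc/php/$version"
 
+if [ "$WEB_BACKEND" = "php-fpm" ]; then
+# Check if www.conf is still missing
+if [ ! -f "/etc/php/*/fpm/pool.d/www.conf" ]; then
+# If not grab the "last php version
+last=$($HESTIA/bin/v-list-sys-php "shell" | tail -n1);
+cp -f $HESTIA/install/deb/php-fpm/www.conf /etc/php/$last/fpm/pool.d/www.conf
+$HESTIA/bin/v-restart-web-backend
+fi
+fi
 
 #----------------------------------------------------------#
 # Hestia #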
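Review bot: `if [ ! -f "/etc/php/*/fpm/pool.d/www.conf" ]; then` quotes the glob, so -f tests a literal path containing `*`, which never exists; the branch therefore runs on every deletion, copies the template over the last version's www.conf and restarts the backend even when a pool file is already present. Use a glob test instead, `if ! compgen -G "/etc/php/*/fpm/pool.d/www.conf" > /dev/null; then`. `$last` from `tail -n1` should be quoted where it is used in the cp destination, and the trailing `;` after the assignment is stray. This block sits at the script's top level and the script continues outside the hunk.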

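--- a/bin/v-list-sys-config
+++ b/bin/v-list-sys-config
@@ -68,7 +68,9 @@ json_list() {
 "LOGIN_STYLE": "'$LOGIN_STYLE'",
 "INACTIVE_SESSION_TIMEOUT": "'$INACTIVE_SESSION_TIMEOUT'",
 "PHPMYADMIN_KEY": "'$PHPMYADMIN_KEY'",
-"ENFORCE_SUBDOMAIN_OWNERSHIP": "'$ENFORCE_SUBDOMAIN_OWNERSHIP'"
+"ENFORCE_SUBDOMAIN_OWNERSHIP": "'$ENFORCE_SUBDOMAIN_OWNERSHIP'",
+"API": "'$API'",
+"API_ALLOWED_IP": "'$API_ALLOWED_IP'"
 }
 }'
 }
@@ -151,6 +153,12 @@ shell_list() {
 if [ ! -z "$FILE_MANAGER" ]; then
 echo "File Manager enabled: $FILE_MANAGER"
 fi
+if [ ! -z "$API" ]; then
+echo "API enabled: $API"
+echo "Allowed IPS: $API_ALLOWED_IP"
+
+fi
+
 if [ ! -z "$SMTP_RELAY" ] && [ "$SMTP_RELAY" != 'false' ]; then
 echo "SMTP Relay enabled: $SMTP_RELAY"
 echo "SMTP Relay Server: $SMTP_RELAY_HOST"
@@ -175,7 +183,7 @@ plain_list() {
 echo -ne "$FILE_MANAGER\t$REPOSITORY\t$VERSION\t$DEMO_MODE\t$RELEASE_BRANCH\t"
 echo -ne "$SMTP_RELAY_HOST\t$SMTP_RELAY_PORT\t$SMTP_RELAY_USER\t"
 echo -ne "$UPGRADE_SEND_EMAIL\t$UPGRADE_SEND_EMAIL_LOG\t$THEME\t$LANGUAGE\t$BACKUP_GZIP\t"
-echo -e "$BACKUP\t$WEBMAIL_ALIAS\t$DB_PMA_URL\t$DB_PGA_URL"
+echo -e "$BACKUP\t$WEBMAIL_ALIAS\t$DB_PMA_URL\t$DB_PGA_URL\t$API\t$API_ALLOWED_IP"
 }
 
 
@@ -192,7 +200,7 @@ csv_list() {
 echo -n "'SMTP_RELAY','SMTP_RELAY_HOST','SMTP_RELAY_PORT','SMTP_RELAY_USER',"
 echo -n "'UPGRADE_SEND_EMAIL','UPGRADE_SEND_EMAIL_LOG',"
 echo -n "'THEME', 'LANGUAGE','BACKUP_GZIP','BACKUP','WEBMAIL_ALIAS',"
-echo -n "'DB_PMA_ALIAS','DB_PGA_ALIAS'"
+echo -n "'DB_PMA_ALIAS','DB_PGA_ALIAS','API','API_ALLOWED_IP'"
 echo
 echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
 echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
@@ -204,6 +212,8 @@ csv_list() {
 echo -n "'$SMTP_RELAY','$SMTP_RELAY_HOST','$SMTP_RELAY_PORT','$SMTP_RELAY_USER',"
 echo -n "'$UPGRADE_SEND_EMAIL','$UPGRADE_SEND_EMAIL_LOG','$THEME','$LANGUAGE',"
 echo -n "'$BACKUP_GZIP','$BACKUP','$WEBMAIL_ALIAS','$DB_PMA_URL','$DB_PGA_URL'"
+echo -n "'$API','$API_ALLOWED_IP'"
+
 echo
 }
 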
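Review bot: In the csv_list data row, `echo -n "'$API','$API_ALLOWED_IP'"` is appended after a line ending in `'$DB_PGA_URL'"` with no comma, so the output reads `'$DB_PGA_URL''$API',...` and the data row has one column fewer than the header row changed in the previous hunk. Write `echo -n ",'$API','$API_ALLOWED_IP'"` (or add the trailing comma to the preceding line). In shell_list the blank line inside the new `if` before `fi`, and the one after it, look unintended. In json_list the values are interpolated unquoted into the JSON text as elsewhere in the file, so an API_ALLOWED_IP containing a double quote would break the document; that predates this change but now has one more field exposed to it.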
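--- a/func/upgrade.sh
+++ b/func/upgrade.sh
@@ -144,11 +144,16 @@ upgrade_health_check() {
 $BIN/v-change-sys-config-value "INACTIVE_SESSION_TIMEOUT" "60"
 fi
 
-# Inactive session timeout
+# Enforce Subdomain ownership
 if [ -z "$ENFORCE_SUBDOMAIN_OWNERSHIP" ]; then
 echo "[ ! ] Adding missing variable to hestia.conf: ENFORCE_SUBDOMAIN_OWNERSHIP ('yes')"
 $BIN/v-change-sys-config-value "ENFORCE_SUBDOMAIN_OWNERSHIP" "yes"
 fi
+# API Allowed IP
+if [ -z "$API_ALLOWED_IP" ]; then
+echo "[ ! ] Adding missing variable to hestia.conf: API_ALLOWED_IP ('')"
+$BIN/v-change-sys-config-value "API_ALLOWED_IP" "127.0.0.1"
+fi
 
 echo "[ * ] Health check complete. Starting upgrade from $VERSION to $new_version..."
 echo "============================================================================="
@@ -669,6 +674,12 @@ upgrade_rainloop(){
 fi
 }
 
+disable_api(){
+if [ "$API" = "no" ]; then
+echo "[ ! ] Disable Api..."
+sed -i 's|//die("Error: Disabled");|die("Error: Disabled");|g' $HESTIA/web/api/index.php
+fi
+}
 upgrade_rebuild_web_templates() {
 if [ "$UPGRADE_UPDATE_WEB_TEMPLATES" = "true" ]; then
 echo "[ ! ] Updating default web domain templates..."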
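Review bot: disable_api() runs `sed -i ... $HESTIA/web/api/index.php` whenever API is no, but systems set up by the previous installer had `$HESTIA/web/api` removed when the API was declined (the `rm -r $HESTIA/web/api` lines dropped from both installers in this commit), so on those hosts sed fails on a missing file during the upgrade. Guard it: `if [ "$API" = "no" ] && [ -f "$HESTIA/web/api/index.php" ]; then`. In the first hunk the log line says `API_ALLOWED_IP ('')` while the value written is `127.0.0.1`; make the message match the value. Note also that, together with the new allow-list check in web/api/index.php, this default restricts an already-enabled API to localhost after the upgrade, which existing remote API clients will notice — presumably intended, but worth stating in the upgrade notes.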

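--- a/install/deb/themes/dark.css
+++ b/install/deb/themes/dark.css
@@ -502,7 +502,7 @@ div.l-content > div.l-separator:nth-of-type(4) {
 
 .units .l-unit.l-unit--outdated {
 color: #d4d4d4;
-background-color: #760000;
+background-color: #981111;
 }
 
 .l-unit--outdated.selected {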

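--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -1641,13 +1641,11 @@ fi
 # Configure API #
 #----------------------------------------------------------#
 
-if [ "$api" = 'yes' ]; then
-echo "API='yes'" >> $HESTIA/conf/hestia.conf
-else
-rm -r $HESTIA/web/api
-echo "API='no'" >> $HESTIA/conf/hestia.conf
+echo "API='yes'" >> $HESTIA/conf/hestia.conf
+if [ "$api" != "yes" ]; then
+$HESTIA/bin/v-change-sys-api disable
 fi
-
+echo "API_ALLOWED_IP='127.0.0.1'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 # Configure Admin User #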
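Review bot: `$HESTIA/bin/v-change-sys-api disable` is called without checking its exit status, and because the `rm -r $HESTIA/web/api` path is gone the endpoint now stays deployed with `API='yes'` already written to hestia.conf; if the disable step fails (for instance the sed pattern not matching the shipped index.php), the install finishes with the API enabled against the admin's choice. Check the result, e.g. `$HESTIA/bin/v-change-sys-api disable || echo "Error: unable to disable API" >&2`, or write `API='no'` directly as the removed code did so the config does not depend on the child script. The same applies to the identical hunk in install/hst-install-ubuntu.sh. `$HESTIA/conf/hestia.conf` is unquoted on the new echo lines, as it was on the removed ones.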

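--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -1666,13 +1666,11 @@ fi
 # Configure API #
 #----------------------------------------------------------#
 
-if [ "$api" = 'yes' ]; then
-echo "API='yes'" >> $HESTIA/conf/hestia.conf
-else
-rm -r $HESTIA/web/api
-echo "API='no'" >> $HESTIA/conf/hestia.conf
+echo "API='yes'" >> $HESTIA/conf/hestia.conf
+if [ "$api" != "yes" ]; then
+$HESTIA/bin/v-change-sys-api disable
 fi
-
+echo "API_ALLOWED_IP='127.0.0.1'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 # Configure Admin User #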

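--- a/src/deb/hestia/postinst
+++ b/src/deb/hestia/postinst
@@ -72,6 +72,8 @@ upgrade_roundcube | tee -a $LOG
 # Upgrade Rainloop if applicable
 upgrade_rainloop | tee -a $LOG
 
+# Check disabled API
+disable_api | tee -a $LOG
 # Set new version number in hestia.conf
 upgrade_set_version $new_version
 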
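--- a/web/api/index.php
+++ b/web/api/index.php
@@ -1,32 +1,57 @@
 <?php
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
+//die("Error: Disabled");
 
 function get_real_user_ip(){
 $ip = $_SERVER['REMOTE_ADDR'];
 if(isset($_SERVER['HTTP_CLIENT_IP'])){
 $ip = $_SERVER['HTTP_CLIENT_IP'];
 }
 if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
-$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+if (filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP)){
+$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+}
 }
 if(isset($_SERVER['HTTP_FORWARDED_FOR'])){
-$ip = $_SERVER['HTTP_FORWARDED_FOR'];
+if (filter_var($_SERVER['HTTP_FORWARDED_FOR'], FILTER_VALIDATE_IP)){
+$ip = $_SERVER['HTTP_FORWARDED_FOR'];
+}
 }
 if(isset($_SERVER['HTTP_X_FORWARDED'])){
-$ip = $_SERVER['HTTP_X_FORWARDED'];
+if (filter_var($_SERVER['HTTP_X_FORWARDED'], FILTER_VALIDATE_IP)){
+$ip = $_SERVER['HTTP_X_FORWARDED'];
+}
 }
 if(isset($_SERVER['HTTP_FORWARDED'])){
-$ip = $_SERVER['HTTP_FORWARDED'];
+if (filter_var($_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP)){
+$ip = $_SERVER['HTTP_FORWARDED'];
+}
 }
 if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
 if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
-$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+if (filter_var($_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP)){
+$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+}
 }
 }
 return $ip;
 }
 
 function api($hst_hash, $hst_user, $hst_password, $hst_returncode, $hst_cmd, $hst_arg1, $hst_arg2, $hst_arg3, $hst_arg4, $hst_arg5, $hst_arg6, $hst_arg7, $hst_arg8, $hst_arg9){
+exec (HESTIA_CMD."v-list-sys-config json" , $output, $return_var);
+$settings = json_decode(implode('', $output), true);
+unset($output);
+if( $settings['config']['API'] != 'yes' ){
+echo 'Error: authentication failed';
+exit;
+}
+if ( $settings['config']['API_ALLOWED_IP'] != '' ){
+$ip_list = explode(',',$settings['config']['API_ALLOWED_IP']);
+if ( !in_array(get_real_user_ip(), $ip_list)){
+echo 'Error: authentication failed';
+exit;
+}
+}
 //This exists, so native JSON can be used without the repeating the code twice, so future code changes are easier and don't need to be replicated twice
 // Authentication
 if (empty($hst_hash)) {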
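Review bot: The new allow-list check `if ( !in_array(get_real_user_ip(), $ip_list)){` compares against an address that get_real_user_ip() takes from request headers (HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR and the others above it), which the client supplies; the added filter_var() calls only require that such a header be a syntactically valid address, so they do not make API_ALLOWED_IP an effective restriction. Compare the peer address instead, `if ( !in_array($_SERVER['REMOTE_ADDR'], $ip_list)){`, and consult forwarded headers only when REMOTE_ADDR is a proxy the deployment explicitly trusts. Separately, the new CF_CONNECTING_IP branch validates `$_SERVER['HTTP_FORWARDED']` rather than the header it then assigns, so it should read `if (filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP)){`. `explode(',', ...)` also keeps surrounding whitespace, so a list written as `127.0.0.1, 10.0.0.2` would never match its second entry; trim each element before the in_array. The api() function continues past the hunk.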

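--- a/web/css/src/styles.css
+++ b/web/css/src/styles.css
@@ -1710,6 +1710,10 @@ div.l-content > div.l-separator:nth-of-type(4) {
 color: #4b4b4b;
 }
 
+.body-updates .units .l-unit.l-unit--outdated .fas.fa-box-open {
+color: #da1010;
+}
+
 .l-unit--suspended .l-unit__name,
 .l-unit--suspended b,
 .l-unit--outdated .l-unit__name,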
