Merge branch 'main' into release

Author: jaapmarcus

CHANGELOG.md

@@ -1,6 +1,26 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.4.13] - Service release 
+
+### Features
+- Introduce UPGRADE_MESSAGE variable to support custom messages in e-mail upgrade notification.
+
+### Bugfixes
+- Improve the hostname check to prevent invalid hostnames or the use of an ip address (RFC1178).
+- Prevent CSRF from other domains / websites
+- Fix #2096 Hostname SSL got overwritten by mail.hostname.com certificate
+- Add small wait for /usr/bin/iptables-restore [Forum](https://forum.hestiacp.com/t/clean-install-arm64-does-not-start-after-reboot-v-start-service-iptables/4395/7) + Fixed v-add-firewall / v-delete-firewall function (#2112) @myrevery
+- Fix bug in v-change-sys-api. When using  v-change-sys-api remove and then  v-change-sys-api enable + custom release branch the resetting of api failed + no "error" output was producted
+- Improve error reporting PMA Single sign on function function
+- Fixed an issue in v-change-web-domain-name where webserserver where not able to start because old config files where not propperly deleted #2104
+- Fixed potential XSS vulnerability in /list/keys/  @wtwwer [Disclosure](https://huntr.dev/bounties/0fefa2f6-7024-44c8-87c7-4d01fb93403e/)
+- Removed /edit/file as it has been replaced by Filegator and part of the old Vesta Filemanager 
+- Fixed potential External control / path vulnerability in /add/package @wtwwer [Disclosure](https://huntr.dev/bounties/e0a2c6ff-b4fe-45a2-9d79-1f4dc1b381ab/)
+- Add extra checks to prevent type juggling @vikychoi [Disclosure](https://huntr.dev/bounties/c24fb15c-3c84-45c8-af04-a660f8da388f/)
+- Improved and updated some missing translation strings @myrevery
+- Sync translations with Github
+
 ## [1.4.12] - Service release 
 
 ### Bugfixes

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.4.11 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.4.13 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

bin/v-add-letsencrypt-domain

@@ -505,12 +505,12 @@ if [ -z "$mail" ]; then
     ssl_enabled="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL')"
     ssl_force="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL_FORCE')"
     [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-web-domain-ssl $user $domain > /dev/null 2>&1
-    $BIN/v-add-web-domain-ssl $user $domain $ssl_dir $ssl_home
+    $BIN/v-add-web-domain-ssl $user $domain $ssl_dir $ssl_home updatessl
     [[ "$ssl_force" = "yes" ]] && $BIN/v-add-web-domain-ssl-force $user $domain > /dev/null 2>&1
 else
     ssl_enabled="$(get_object_value 'mail' 'DOMAIN' "$root_domain" '$SSL')"
     [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain > /dev/null 2>&1
-    $BIN/v-add-mail-domain-ssl $user $root_domain $ssl_dir
+    $BIN/v-add-mail-domain-ssl $user $root_domain $ssl_dir updatessl
 fi
 
 if [ "$?" -ne '0' ]; then

bin/v-add-mail-domain

@@ -122,15 +122,19 @@ if [[ "$MAIL_SYSTEM" =~ exim ]]; then
     if [ ! -z "$local_ip" ]; then
         echo "$local_ip" > $HOMEDIR/$user/conf/mail/$domain/ip
     fi
-
-    # Adding antispam protection
-    if [ "$antispam" = 'yes' ]; then
-        touch $HOMEDIR/$user/conf/mail/$domain/antispam
+    
+    if [ -n "ANTIVIRUS_SYSTEM" ]; then 
+        # Adding antispam protection
+        if [ "$antispam" = 'yes' ]; then
+            touch $HOMEDIR/$user/conf/mail/$domain/antispam
+        fi
     fi
-
-    # Adding antivirus protection
-    if [ "$antivirus" = 'yes' ]; then
-        touch $HOMEDIR/$user/conf/mail/$domain/antivirus
+    
+    if [ -n "ANTISPAM_SYSTEM" ]; then
+        # Adding antivirus protection
+        if [ "$antivirus" = 'yes' ]; then
+            touch $HOMEDIR/$user/conf/mail/$domain/antivirus
+        fi
     fi
 
     # Adding dkim support

bin/v-add-mail-domain-ssl

@@ -16,7 +16,7 @@
 user=$1
 domain=$2
 ssl_dir=$3
-restart="$3"
+restart="$4"
 
 # Additional argument formatting
 if [[ "$domain" =~ [[:upper:]] ]]; then

bin/v-add-sys-firewall

@@ -1,7 +1,7 @@
 #!/bin/bash
 # info: add system firewall
 # options: NONE
-# labels: 
+# labels: panel
 #
 # example: v-add-sys-firewall
 #
@@ -30,25 +30,18 @@ fi
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Adding firewall directory
-mkdir -p $HESTIA/data/firewall/
-
 # Adding default ruleset
-if [ ! -e "$HESTIA/data/firewall/rules.conf" ]; then
-    cp $HESTIA/install/rhel/7/* $HESTIA/data/firewall/
+if [ -z "$(ls -A $HESTIA/data/firewall 2>/dev/null)" ]; then
+    cp -rf $HESTIA_INSTALL_DIR/firewall $HESTIA/data/
 fi
 
 # Updating FIREWAL_SYSTEM value
-if [ -z "$(grep FIREWALL_SYSTEM $HESTIA/conf/hestia.conf)" ]; then
-    echo "FIREWALL_SYSTEM='iptables'" >> $HESTIA/conf/hestia.conf
-else
-    sed -i "s/FIREWALL_SYSTEM.*/FIREWALL_SYSTEM='iptables'/g" \
-        $HESTIA/conf/hestia.conf
-fi
+$BIN/v-change-sys-config-value "FIREWALL_SYSTEM" "iptables"
 
 # Updating firewall rules
 $BIN/v-update-firewall
@@ -59,6 +52,7 @@ $BIN/v-update-firewall
 #----------------------------------------------------------#
 
 # Logging
+$BIN/v-log-action "system" "Info" "Firewall" "System firewall enabled."
 log_event "$OK" "$ARGUMENTS"
 
 exit

bin/v-add-user-package

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: adding user package
-# options: PKG_DIR PACKAGE [REWRITE]
+# options: tmpfile PACKAGE [REWRITE]
 # labels: 
 #
 # The function adds new user package to the system.
@@ -11,7 +11,7 @@
 #----------------------------------------------------------#
 
 # Argument definition
-pkg_dir=$1
+tmpfile=$1
 package=$2
 rewrite=$3
 
@@ -31,7 +31,7 @@ is_package_new() {
 }
 
 is_package_consistent() {
-    source $pkg_dir/$package.pkg
+    source $tmpfile
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
         is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS'
     fi
@@ -78,7 +78,12 @@ is_format_valid 'pkg_dir' 'package'
 if [ "$rewrite" != 'yes' ]; then
     is_package_new
 fi
-is_package_valid "$pkg_dir"
+
+if [ ! -f "$tmpfile" ]; then 
+    echo "$tmpfile does not exists"
+    exit $E_NOTEXIST;
+fi
+
 is_package_consistent
 
 # Perform verification if read-only mode is enabled
@@ -89,7 +94,7 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-cp -f $pkg_dir/$package.pkg $HESTIA/data/packages/
+cp -f $tmpfile $HESTIA/data/packages/$package.pkg
 chmod 644 $HESTIA/data/packages/$package.pkg
 
 

bin/v-change-sys-api

@@ -37,13 +37,15 @@ check_hestia_demo_mode
 if [ "$status" = "enable" ]; then
     if [ ! -f "$HESTIA/web/api/index.php" ]; then
         wget -q https://raw.githubusercontent.com/hestiacp/hestiacp/$RELEASE_BRANCH/web/api/index.php -O $HESTIA/web/api/index.php
-        check_api_download=$(cat $HESTIA/web/api/index.php)
-        if [ -z "$HESTIA/web/api/index.php" ]; then
-            # Throw error message to user
-            echo "ERROR: API installation failed."
-            # Remove empty file created by wget output
-            rm -f "$HESTIA/web/api/index.php"
-            exit 1
+        if [ ! -s $HESTIA/web/api/index.php ]; then
+            wget -q https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/api/index.php -O $HESTIA/web/api/index.php    
+            if [ ! -s $HESTIA/web/api/index.php ]; then
+                # Throw error message to user
+                echo "ERROR: API installation failed."
+                # Remove empty file created by wget output
+                rm -f "$HESTIA/web/api/index.php"
+                exit 1
+            fi
         fi
     else
         sed -i 's|die("Error: Disabled");|//die("Error: Disabled");|g' $HESTIA/web/api/index.php

bin/v-change-web-domain-name

@@ -85,13 +85,30 @@ rm -f $HOMEDIR/$user/web/$new_domain/logs/$domain.*
 # Updating domain certificates
 if [ -e "$USER_DATA/ssl/$domain.crt" ]; then
     cd $USER_DATA/ssl
-    mv $domain.crt $new_domain.crt
-    mv $domain.ca $new_domain.ca
-    mv $domain.pem $new_domain.pem
-    mv $domain.key $new_domain.key
+    mv $USER_DATA/ssl/$domain.crt $USER_DATA/ssl/$new_domain.crt
+    mv $USER_DATA/ssl/$domain.ca $USER_DATA/ssl/$new_domain.ca
+    mv $USER_DATA/ssl/$domain.pem $USER_DATA/ssl/$new_domain.pem
+    mv $USER_DATA/ssl/$domain.key $USER_DATA/ssl/$new_domain.key
     rm -f $HOMEDIR/$user/conf/web/$domain/ssl/$domain.*
 fi
 
+# Deleting vhost configuration
+del_web_config "$WEB_SYSTEM" "$TPL.tpl"
+# Deleting SSL configuration and certificates
+if [ "$SSL" = 'yes' ]; then
+    del_web_config "$WEB_SYSTEM" "$TPL.stpl"
+fi
+
+# Deleting proxy
+if [ ! -z "$PROXY_SYSTEM" ]; then
+    del_web_config "$PROXY_SYSTEM" "$PROXY.tpl"
+    if [ "$SSL" = 'yes' ]; then
+        del_web_config "$PROXY_SYSTEM" "$PROXY.stpl"
+    fi
+    if [ -e "/etc/$PROXY_SYSTEM/conf.d/01_caching_pool.conf" ]; then
+        sed -i "/=$domain:/d" /etc/$PROXY_SYSTEM/conf.d/01_caching_pool.conf
+    fi
+fi
 
 #----------------------------------------------------------#
 #                       Hestia                             #

bin/v-delete-sys-firewall

@@ -35,23 +35,19 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
+# Updating FIREWALL_SYSTEM value
+$BIN/v-change-sys-config-value "FIREWALL_SYSTEM" ""
+
 # Stopping firewall
 $BIN/v-stop-firewall
 
-# Updating FIREWALL_SYSTEM value
-if [ -z "$(grep FIREWALL_SYSTEM $HESTIA/conf/hestia.conf)" ]; then
-    echo "FIREWALL_SYSTEM=''" >> $HESTIA/conf/hestia.conf
-else
-    sed -i "s/FIREWALL_SYSTEM=.*/FIREWALL_SYSTEM=''/g" $HESTIA/conf/hestia.conf
-fi
-
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
 # Logging
-$BIN/v-log-action "system" "Error" "Firewall" "System firewall has been disabled."
+$BIN/v-log-action "system" "Warning" "Firewall" "System firewall disabled."
 log_event "$OK" "$ARGUMENTS"
 
 exit