
Commit fc68baf

authored
Merge pull request hestiacp#2120 from jaapmarcus/fix/csrf-juggling
Rewrite session token check to prevent juggling
2 parents 0e0f312 + 2d4295c commit fc68baf


118 files changed

+2882
-2479
lines changed



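--- a/install/upgrade/versions/1.4.13.sh
+++ b/install/upgrade/versions/1.4.13.sh
@@ -48,3 +48,8 @@ fi
 if [ -d "$HESTIA/web/edit/file/" ]; then
 rm -fr $HESTIA/web/edit/file/
 fi
+
+# Not used any more
+if [ -d "$HESTIA/web/edit/server/theme/" ]; then
+rm -fr $HESTIA/web/edit/server/theme/
+fi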
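Review bot: The added `rm -fr $HESTIA/web/edit/server/theme/` leaves `$HESTIA` unquoted, unlike the `[ -d "$HESTIA/web/edit/server/theme/" ]` guard directly above it, so a value containing whitespace would split into separate arguments and the removal would no longer match the path the guard tested. Quote it the same way as the test: `rm -fr "$HESTIA/web/edit/server/theme/"`. The context line `rm -fr $HESTIA/web/edit/file/` has the same shape but is not part of this change.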

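--- a/web/add/cron/autoupdate/index.php
+++ b/web/add/cron/autoupdate/index.php
@@ -1,18 +1,16 @@
 <?php
+
 // Init
-error_reporting(NULL);
+error_reporting(null);
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Check token
-if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
-header('location: /login/');
-exit();
-}
+verify_csrf($_GET);
 
 if ($_SESSION['user'] == 'admin') {
-exec (HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
+exec(HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
 unset($output);
 }
 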
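Review bot: `verify_csrf($_GET)` replaces an inline check that redirected to `/login/` and called `exit()` on mismatch, but nothing in this hunk shows that the helper terminates the request itself; if it only returns a result, the `exec(...)` below runs whether or not the token matched. The helper is defined outside this diff, so its failure behaviour should be confirmed, and a one-line comment at the call site would make the contract explicit, e.g. `// verify_csrf() ends the request on mismatch; nothing below runs without a valid token`. The same applies to the `verify_csrf($_GET)` call in web/add/cron/reports/index.php and the `verify_csrf($_POST)` calls in web/add/cron/index.php and web/add/db/index.php. Separately, these two GET endpoints still read the token from the query string, so it remains visible in browser history, access logs and Referer headers; moving them to POST would be a follow-up rather than part of this fix.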
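--- a/web/add/cron/index.php
+++ b/web/add/cron/index.php
@@ -1,5 +1,6 @@
 <?php
-error_reporting(NULL);
+
+error_reporting(null);
 ob_start();
 $TAB = 'CRON';
 
@@ -10,27 +11,36 @@
 if (!empty($_POST['ok'])) {
 
 // Check token
-if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
-header('location: /login/');
-exit();
-}
+verify_csrf($_POST);
 
 // Check empty fields
-if ((!isset($_POST['v_min'])) || ($_POST['v_min'] == '')) $errors[] = _('minute');
-if ((!isset($_POST['v_hour'])) || ($_POST['v_hour'] == '')) $errors[] = _('hour');
-if ((!isset($_POST['v_day'])) || ($_POST['v_day'] == '')) $errors[] = _('day');
-if ((!isset($_POST['v_month'])) || ($_POST['v_month'] == '')) $errors[] = _('month');
-if ((!isset($_POST['v_wday'])) || ($_POST['v_wday'] == '')) $errors[] = _('day of week');
-if ((!isset($_POST['v_cmd'])) || ($_POST['v_cmd'] == '')) $errors[] = _('cmd');
+if ((!isset($_POST['v_min'])) || ($_POST['v_min'] == '')) {
+$errors[] = _('minute');
+}
+if ((!isset($_POST['v_hour'])) || ($_POST['v_hour'] == '')) {
+$errors[] = _('hour');
+}
+if ((!isset($_POST['v_day'])) || ($_POST['v_day'] == '')) {
+$errors[] = _('day');
+}
+if ((!isset($_POST['v_month'])) || ($_POST['v_month'] == '')) {
+$errors[] = _('month');
+}
+if ((!isset($_POST['v_wday'])) || ($_POST['v_wday'] == '')) {
+$errors[] = _('day of week');
+}
+if ((!isset($_POST['v_cmd'])) || ($_POST['v_cmd'] == '')) {
+$errors[] = _('cmd');
+}
 if (!empty($errors[0])) {
 foreach ($errors as $i => $error) {
-if ( $i == 0 ) {
+if ($i == 0) {
 $error_msg = $error;
 } else {
 $error_msg = $error_msg.", ".$error;
 }
 }
-$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'),$error_msg);
+$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), $error_msg);
 }
 
 // Protect input
@@ -43,8 +53,8 @@
 
 // Add cron job
 if (empty($_SESSION['error_msg'])) {
-exec (HESTIA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
-check_return_code($return_var,$output);
+exec(HESTIA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
+check_return_code($return_var, $output);
 unset($output);
 }
 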
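Review bot: The restyled empty-field checks in the second hunk (new lines 17–34) keep the loose `$_POST['v_min'] == ''` comparison even though this commit exists to remove type juggling from the token check; `=== ''` says what is meant and, together with the preceding `isset`, is the only test actually intended here. The six near-identical blocks and the `foreach` that joins `$error_msg` with `", "` would also be shorter and harder to get out of sync as one loop over a field-to-label map plus `implode(', ', $errors)`, as sketched below. The same restyled checks appear in web/add/db/index.php, where `empty()` additionally treats a literal `'0'` value as missing.

```php
// … unchanged: verify_csrf($_POST); …
// Check empty fields
$required = [
    'v_min' => _('minute'),
    'v_hour' => _('hour'),
    'v_day' => _('day'),
    'v_month' => _('month'),
    'v_wday' => _('day of week'),
    'v_cmd' => _('cmd'),
];
foreach ($required as $field => $label) {
    if (!isset($_POST[$field]) || $_POST[$field] === '') {
        $errors[] = $label;
    }
}
if (!empty($errors)) {
    $_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), implode(', ', $errors));
}
// … unchanged: protect input …
```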
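--- a/web/add/cron/reports/index.php
+++ b/web/add/cron/reports/index.php
@@ -1,17 +1,15 @@
 <?php
+
 // Init
-error_reporting(NULL);
+error_reporting(null);
 ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Check token
-if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
-header('location: /login/');
-exit();
-}
+verify_csrf($_GET);
 
-exec (HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
+exec(HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 unset($output);
 
 header("Location: /list/cron/");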

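--- a/web/add/db/index.php
+++ b/web/add/db/index.php
@@ -1,5 +1,6 @@
 <?php
-error_reporting(NULL);
+
+error_reporting(null);
 ob_start();
 $TAB = 'DB';
 
@@ -10,27 +11,36 @@
 if (!empty($_POST['ok'])) {
 
 // Check token
-if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
-header('location: /login/');
-exit();
-}
+verify_csrf($_POST);
 
 // Check empty fields
-if (empty($_POST['v_database'])) $errors[] = _('database');
-if (empty($_POST['v_dbuser'])) $errors[] = _('username');
-if (empty($_POST['v_password'])) $errors[] = _('password');
-if (empty($_POST['v_type'])) $errors[] = _('type');
-if (empty($_POST['v_host'])) $errors[] = _('host');
-if (empty($_POST['v_charset'])) $errors[] = _('charset');
+if (empty($_POST['v_database'])) {
+$errors[] = _('database');
+}
+if (empty($_POST['v_dbuser'])) {
+$errors[] = _('username');
+}
+if (empty($_POST['v_password'])) {
+$errors[] = _('password');
+}
+if (empty($_POST['v_type'])) {
+$errors[] = _('type');
+}
+if (empty($_POST['v_host'])) {
+$errors[] = _('host');
+}
+if (empty($_POST['v_charset'])) {
+$errors[] = _('charset');
+}
 if (!empty($errors[0])) {
 foreach ($errors as $i => $error) {
-if ( $i == 0 ) {
+if ($i == 0) {
 $error_msg = $error;
 } else {
 $error_msg = $error_msg.", ".$error;
 }
 }
-$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'),$error_msg);
+$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), $error_msg);
 }
 
 // Validate email
@@ -42,7 +52,9 @@
 
 // Check password length
 if (empty($_SESSION['error_msg'])) {
-if (!validate_password($_POST['v_password'])) { $_SESSION['error_msg'] = _('Password does not match the minimum requirements');}
+if (!validate_password($_POST['v_password'])) {
+$_SESSION['error_msg'] = _('Password does not match the minimum requirements');
+}
 }
 
 // Protect input
@@ -58,12 +70,12 @@
 $v_type = escapeshellarg($_POST['v_type']);
 $v_charset = escapeshellarg($_POST['v_charset']);
 $v_host = escapeshellarg($_POST['v_host']);
-$v_password = tempnam("/tmp","vst");
+$v_password = tempnam("/tmp", "vst");
 $fp = fopen($v_password, "w");
 fwrite($fp, $_POST['v_password']."\n");
 fclose($fp);
-exec (HESTIA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
-check_return_code($return_var,$output);
+exec(HESTIA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
+check_return_code($return_var, $output);
 unset($output);
 unlink($v_password);
 $v_password = escapeshellarg($_POST['v_password']);
@@ -75,13 +87,27 @@
 // Get database manager url
 if (empty($_SESSION['error_msg'])) {
 list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"] . ":");
-if ($_POST['v_host'] != 'localhost' ) $http_host = $_POST['v_host'];
-if ($_POST['v_type'] == 'mysql') $db_admin = "phpMyAdmin";
-if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
-if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_ALIAS']))) $db_admin_link = "http://".$http_host."/".$_SESSION['DB_PMA_ALIAS'];
-if ($_POST['v_type'] == 'pgsql') $db_admin = "phpPgAdmin";
-if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://".$http_host."/phppgadmin/";
-if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_ALIAS']))) $db_admin_link = "http://".$http_host."/".$_SESSION['DB_PGA_ALIAS'];
+if ($_POST['v_host'] != 'localhost') {
+$http_host = $_POST['v_host'];
+}
+if ($_POST['v_type'] == 'mysql') {
+$db_admin = "phpMyAdmin";
+}
+if ($_POST['v_type'] == 'mysql') {
+$db_admin_link = "http://".$http_host."/phpmyadmin/";
+}
+if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_ALIAS']))) {
+$db_admin_link = "http://".$http_host."/".$_SESSION['DB_PMA_ALIAS'];
+}
+if ($_POST['v_type'] == 'pgsql') {
+$db_admin = "phpPgAdmin";
+}
+if ($_POST['v_type'] == 'pgsql') {
+$db_admin_link = "http://".$http_host."/phppgadmin/";
+}
+if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_ALIAS']))) {
+$db_admin_link = "http://".$http_host."/".$_SESSION['DB_PGA_ALIAS'];
+}
 }
 
 // Email login credentials
@@ -91,14 +117,14 @@
 $hostname = exec('hostname');
 $from = "noreply@".$hostname;
 $from_name = _('Hestia Control Panel');
-$mailtext = sprintf(_('DATABASE_READY'),$user."_".$_POST['v_database'],$user."_".$_POST['v_dbuser'],$_POST['v_password'],$db_admin_link);
+$mailtext = sprintf(_('DATABASE_READY'), $user."_".$_POST['v_database'], $user."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
 send_email($to, $subject, $mailtext, $from, $from_name);
 }
 
 // Flush field values on success
 if (empty($_SESSION['error_msg'])) {
-$_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'),htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database']));
-$_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . sprintf(_('open %s'),$db_admin) . "</a>";
+$_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'), htmlentities($user)."_".htmlentities($_POST['v_database']), htmlentities($user)."_".htmlentities($_POST['v_database']));
+$_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . sprintf(_('open %s'), $db_admin) . "</a>";
 unset($v_database);
 unset($v_dbuser);
 unset($v_password);
@@ -114,9 +140,11 @@
 $db_types = explode(',', $_SESSION['DB_SYSTEM']);
 
 // List available database servers
-exec (HESTIA_CMD."v-list-database-hosts json", $output, $return_var);
+exec(HESTIA_CMD."v-list-database-hosts json", $output, $return_var);
 $db_hosts_tmp1 = json_decode(implode('', $output), true);
-$db_hosts_tmp2 = array_map(function($host){return $host['HOST'];}, $db_hosts_tmp1);
+$db_hosts_tmp2 = array_map(function ($host) {
+return $host['HOST'];
+}, $db_hosts_tmp1);
 $db_hosts = array_values(array_unique($db_hosts_tmp2));
 unset($output);
 unset($db_hosts_tmp1);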
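Review bot: In the sixth hunk (new line 127) `$db_admin_link` is concatenated into `<a href=...>` with neither attribute quotes nor escaping, while the `htmlentities()` calls on the line just above show the message is meant to be HTML-safe. The link is built in the fifth hunk from `$_SERVER["HTTP_HOST"]` or, when the value is not `localhost`, from the raw `$_POST['v_host']`, so it is request-controlled rather than a fixed constant. Escape it where it is emitted and quote the attribute: `$_SESSION['ok_msg'] .= " / <a href=\"" . htmlspecialchars($db_admin_link, ENT_QUOTES, 'UTF-8') . "\" target='_blank'>" . sprintf(_('open %s'), $db_admin) . "</a>";`. Whether the view that renders `ok_msg` escapes it again is not visible in this diff, so the practical impact depends on that code.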
