|
|
@@ -18,15 +18,26 @@ if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
|
|
|
}
|
|
|
$v_username = $user;
|
|
|
|
|
|
+// Get all user domains
|
|
|
+exec (HESTIA_CMD."v-list-mail-domains ".escapeshellarg($user)." json", $output, $return_var);
|
|
|
+$user_domains = json_decode(implode('', $output), true);
|
|
|
+$user_domains = array_keys($user_domains);
|
|
|
+unset($output);
|
|
|
+
|
|
|
// List mail domain
|
|
|
-if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|
|
- $v_domain = escapeshellarg($_GET['domain']);
|
|
|
- exec (HESTIA_CMD."v-list-mail-domain ".$user." ".$v_domain." json", $output, $return_var);
|
|
|
+if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|
|
+
|
|
|
+ $v_domain = $_GET['domain'];
|
|
|
+ if(!in_array($v_domain, $user_domains)) {
|
|
|
+ header("Location: /list/mail/");
|
|
|
+ exit;
|
|
|
+ }
|
|
|
+
|
|
|
+ exec (HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
|
|
|
$data = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
|
|
|
// Parse domain
|
|
|
- $v_domain = escapeshellarg($_GET['domain']);
|
|
|
$v_antispam = $data[$v_domain]['ANTISPAM'];
|
|
|
$v_antivirus = $data[$v_domain]['ANTIVIRUS'];
|
|
|
$v_dkim = $data[$v_domain]['DKIM'];
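Review bot: The result of `v-list-mail-domains` is used without checking `$return_var` or the `json_decode()` result, so a failed or empty listing reaches `array_keys()` as `null` (a warning on PHP 7, a TypeError on PHP 8) instead of yielding an empty allow-list. Something like `$user_domains = is_array($user_domains) ? array_keys($user_domains) : [];` keeps the ownership check failing closed. Using `in_array($v_domain, $user_domains, true)` avoids loose comparison against request input; the same `in_array` call recurs in the account-listing hunk and in both POST hunks. This new line also wraps `$user` in `escapeshellarg()`, while the `v-list-mail-domain` call a few lines below passes `$user` bare. If `$user` is already quoted where it is assigned (outside this hunk), the listing command would receive a doubly quoted name, so it is worth confirming which form is intended.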
|
|
|
@@ -42,7 +53,7 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|
|
|
|
|
$v_ssl = $data[$v_domain]['SSL'];
|
|
|
if (!empty($v_ssl)) {
|
|
|
- exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
|
|
|
$ssl_str = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
$v_ssl_crt = $ssl_str[$v_domain]['CRT'];
|
|
|
@@ -61,17 +72,21 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|
|
}
|
|
|
|
|
|
// List mail account
|
|
|
-if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|
|
- $v_domain = escapeshellarg($_GET['domain']);
|
|
|
- $v_account = escapeshellarg($_GET['account']);
|
|
|
- exec (HESTIA_CMD."v-list-mail-account ".$user." ".$v_domain." ".$v_account." 'json'", $output, $return_var);
|
|
|
+if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|
|
+
|
|
|
+ $v_domain = $_GET['domain'];
|
|
|
+ if(!in_array($v_domain, $user_domains)) {
|
|
|
+ header("Location: /list/mail/");
|
|
|
+ exit;
|
|
|
+ }
|
|
|
+
|
|
|
+ $v_account = $_GET['account'];
|
|
|
+ exec (HESTIA_CMD."v-list-mail-account ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." 'json'", $output, $return_var);
|
|
|
$data = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
|
|
|
// Parse mail account
|
|
|
$v_username = $user;
|
|
|
- $v_domain = escapeshellarg($_GET['domain']);
|
|
|
- $v_account = escapeshellarg($_GET['account']);
|
|
|
$v_password = "";
|
|
|
$v_aliases = str_replace(',', "\n", $data[$v_account]['ALIAS']);
|
|
|
$valiases = explode(",", $data[$v_account]['ALIAS']);
|
|
|
@@ -91,7 +106,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|
|
|
|
|
// Parse autoreply
|
|
|
if ( $v_autoreply == 'yes' ) {
|
|
|
- exec (HESTIA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-list-mail-account-autoreply ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." json", $output, $return_var);
|
|
|
$autoreply_str = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
$v_autoreply_message = $autoreply_str[$v_account]['MSG'];
|
|
|
@@ -102,7 +117,10 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|
|
|
|
|
// Check POST request for mail domain
|
|
|
if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|
|
- $v_domain = escapeshellarg($_POST['v_domain']);
|
|
|
+ $v_domain = $_POST['v_domain'];
|
|
|
+ if(!in_array($v_domain, $user_domains)) {
|
|
|
+ check_return_code(3, ["Unknown domain"]);
|
|
|
+ }
|
|
|
|
|
|
// Check token
|
|
|
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
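Review bot: An unknown `$_POST['v_domain']` is only reported through `check_return_code(3, ["Unknown domain"])` here, and the script then continues into the token check and the rest of the handler, whereas the GET checks added by this commit redirect and `exit`. Whether anything stops depends on `check_return_code` (defined outside this diff) and on every later step testing `$_SESSION['error_msg']`; the later `fopen($tmpdir."/".$v_domain.".crt", 'w')` lines build a file path from the same value, and their guard is not visible in the hunks. Failing closed would be safer, for example by following the call with `header("Location: /list/mail/"); exit;` as the GET path does. The account handler's hunk (`@@ -366,8 +384,12 @@`) has the same pattern, and the enclosing `if` body continues past this hunk.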
|
|
|
@@ -112,7 +130,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Delete antispam
|
|
|
if (($v_antispam == 'yes') && (empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-domain-antispam ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_antispam = 'no';
|
|
|
unset($output);
|
|
|
@@ -120,7 +138,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Add antispam
|
|
|
if (($v_antispam == 'no') && (!empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-domain-antispam ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_antispam = 'yes';
|
|
|
unset($output);
|
|
|
@@ -128,7 +146,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Delete antivirus
|
|
|
if (($v_antivirus == 'yes') && (empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-domain-antivirus ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-domain-antivirus ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_antivirus = 'no';
|
|
|
unset($output);
|
|
|
@@ -136,7 +154,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Add antivirs
|
|
|
if (($v_antivirus == 'no') && (!empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-domain-antivirus ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-domain-antivirus ".$v_username." ".$escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_antivirus = 'yes';
|
|
|
unset($output);
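Review bot: The rewritten `v-add-mail-domain-antivirus` call in this hunk uses `$escapeshellarg($v_domain)`, which is a variable-function call through an undefined variable rather than a call to `escapeshellarg()`, so this branch will raise an error at runtime instead of running the command. The same typo appears in the `v-delete-mail-domain-dkim` and `v-add-mail-domain-dkim` hunks that follow. Drop the `$` in all three so the argument reads `".escapeshellarg($v_domain), $output, $return_var);`, matching the antispam hunks above. The enclosing POST handler block starts outside this hunk.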
|
|
|
@@ -144,7 +162,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Delete DKIM
|
|
|
if (($v_dkim == 'yes') && (empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-domain-dkim ".$v_username." ".$escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_dkim = 'no';
|
|
|
unset($output);
|
|
|
@@ -152,7 +170,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Add DKIM
|
|
|
if (($v_dkim == 'no') && (!empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-domain-dkim ".$v_username." ".$escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_dkim = 'yes';
|
|
|
unset($output);
|
|
|
@@ -160,7 +178,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Delete catchall
|
|
|
if ((!empty($v_catchall)) && (empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-domain-catchall ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-domain-catchall ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
$v_catchall = '';
|
|
|
unset($output);
|
|
|
@@ -170,7 +188,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
if ((!empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
|
|
if ($v_catchall != $_POST['v_catchall']) {
|
|
|
$v_catchall = escapeshellarg($_POST['v_catchall']);
|
|
|
- exec (HESTIA_CMD."v-change-mail-domain-catchall ".$v_username." ".$v_domain." ".$v_catchall, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-change-mail-domain-catchall ".$v_username." ".escapeshellarg($v_domain)." ".$v_catchall, $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -179,7 +197,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
// Add catchall
|
|
|
if ((empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
|
|
$v_catchall = escapeshellarg($_POST['v_catchall']);
|
|
|
- exec (HESTIA_CMD."v-add-mail-domain-catchall ".$v_username." ".$v_domain." ".$v_catchall, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-domain-catchall ".$v_username." ".escapeshellarg($v_domain)." ".$v_catchall, $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -192,7 +210,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Certificate
|
|
|
if (!empty($_POST['v_ssl_crt'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".crt", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".crt", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_crt']));
|
|
|
fwrite($fp, "\n");
|
|
|
fclose($fp);
|
|
|
@@ -200,7 +218,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Key
|
|
|
if (!empty($_POST['v_ssl_key'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".key", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".key", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_key']));
|
|
|
fwrite($fp, "\n");
|
|
|
fclose($fp);
|
|
|
@@ -208,19 +226,19 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// CA
|
|
|
if (!empty($_POST['v_ssl_ca'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".ca", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".ca", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_ca']));
|
|
|
fwrite($fp, "\n");
|
|
|
fclose($fp);
|
|
|
}
|
|
|
|
|
|
- exec (HESTIA_CMD."v-change-mail-domain-sslcert ".$user." ".$v_domain." ".$tmpdir." 'no'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-change-mail-domain-sslcert ".$user." ".escapeshellarg($v_domain)." ".$tmpdir." 'no'", $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$restart_web = 'yes';
|
|
|
$restart_proxy = 'yes';
|
|
|
|
|
|
- exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
|
|
|
$ssl_str = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
$v_ssl_crt = $ssl_str[$v_domain]['CRT'];
|
|
|
@@ -235,16 +253,16 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
$v_ssl_issuer = $ssl_str[$v_domain]['ISSUER'];
|
|
|
|
|
|
// Cleanup certificate tempfiles
|
|
|
- if (!empty($_POST['v_ssl_crt'])) unlink($tmpdir."/".$_POST['v_domain'].".crt");
|
|
|
- if (!empty($_POST['v_ssl_key'])) unlink($tmpdir."/".$_POST['v_domain'].".key");
|
|
|
- if (!empty($_POST['v_ssl_ca'])) unlink($tmpdir."/".$_POST['v_domain'].".ca");
|
|
|
+ if (!empty($_POST['v_ssl_crt'])) unlink($tmpdir."/".$v_domain.".crt");
|
|
|
+ if (!empty($_POST['v_ssl_key'])) unlink($tmpdir."/".$v_domain.".key");
|
|
|
+ if (!empty($_POST['v_ssl_ca'])) unlink($tmpdir."/".$v_domain.".ca");
|
|
|
rmdir($tmpdir);
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// Delete Lets Encrypt support
|
|
|
if (( $v_letsencrypt == 'yes' ) && (empty($_POST['v_letsencrypt'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-letsencrypt-domain ".$user." ".$v_domain." ' ' 'yes'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-letsencrypt-domain ".$user." ".escapeshellarg($v_domain)." ' ' 'yes'", $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_ssl_crt = '';
|
|
|
@@ -258,7 +276,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Delete SSL certificate
|
|
|
if (( $v_ssl == 'yes' ) && (empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-domain-ssl ".$v_username." ".$v_domain, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-domain-ssl ".$v_username." ".escapeshellarg($v_domain), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_ssl_crt = '';
|
|
|
@@ -270,7 +288,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Add Lets Encrypt support
|
|
|
if ((!empty($_POST['v_ssl'])) && ( $v_letsencrypt == 'no' ) && (!empty($_POST['v_letsencrypt'])) && empty($_SESSION['error_msg'])) {
|
|
|
- exec (HESTIA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." ' ' 'yes'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-letsencrypt-domain ".$user." ".escapeshellarg($v_domain)." ' ' 'yes'", $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_letsencrypt = 'yes';
|
|
|
@@ -297,49 +315,49 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['accou
|
|
|
|
|
|
// Certificate
|
|
|
if (!empty($_POST['v_ssl_crt'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".crt", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".crt", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_crt']));
|
|
|
fclose($fp);
|
|
|
}
|
|
|
|
|
|
// Key
|
|
|
if (!empty($_POST['v_ssl_key'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".key", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".key", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_key']));
|
|
|
fclose($fp);
|
|
|
}
|
|
|
|
|
|
// CA
|
|
|
if (!empty($_POST['v_ssl_ca'])) {
|
|
|
- $fp = fopen($tmpdir."/".$_POST['v_domain'].".ca", 'w');
|
|
|
+ $fp = fopen($tmpdir."/".$v_domain.".ca", 'w');
|
|
|
fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_ca']));
|
|
|
fclose($fp);
|
|
|
}
|
|
|
- exec (HESTIA_CMD."v-add-mail-domain-ssl ".$user." ".$v_domain." ".$tmpdir." 'no'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-domain-ssl ".$user." ".escapeshellarg($v_domain)." ".$tmpdir." 'no'", $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_ssl = 'yes';
|
|
|
$restart_web = 'yes';
|
|
|
$restart_proxy = 'yes';
|
|
|
|
|
|
- exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-list-mail-domain-ssl ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
|
|
|
$ssl_str = json_decode(implode('', $output), true);
|
|
|
unset($output);
|
|
|
- $v_ssl_crt = $ssl_str[$_POST['v_domain']]['CRT'];
|
|
|
- $v_ssl_key = $ssl_str[$_POST['v_domain']]['KEY'];
|
|
|
- $v_ssl_ca = $ssl_str[$_POST['v_domain']]['CA'];
|
|
|
- $v_ssl_subject = $ssl_str[$_POST['v_domain']]['SUBJECT'];
|
|
|
- $v_ssl_aliases = $ssl_str[$_POST['v_domain']]['ALIASES'];
|
|
|
- $v_ssl_not_before = $ssl_str[$_POST['v_domain']]['NOT_BEFORE'];
|
|
|
- $v_ssl_not_after = $ssl_str[$_POST['v_domain']]['NOT_AFTER'];
|
|
|
- $v_ssl_signature = $ssl_str[$_POST['v_domain']]['SIGNATURE'];
|
|
|
- $v_ssl_pub_key = $ssl_str[$_POST['v_domain']]['PUB_KEY'];
|
|
|
- $v_ssl_issuer = $ssl_str[$_POST['v_domain']]['ISSUER'];
|
|
|
+ $v_ssl_crt = $ssl_str[$v_domain]['CRT'];
|
|
|
+ $v_ssl_key = $ssl_str[$v_domain]['KEY'];
|
|
|
+ $v_ssl_ca = $ssl_str[$v_domain]['CA'];
|
|
|
+ $v_ssl_subject = $ssl_str[$v_domain]['SUBJECT'];
|
|
|
+ $v_ssl_aliases = $ssl_str[$v_domain]['ALIASES'];
|
|
|
+ $v_ssl_not_before = $ssl_str[$v_domain]['NOT_BEFORE'];
|
|
|
+ $v_ssl_not_after = $ssl_str[$v_domain]['NOT_AFTER'];
|
|
|
+ $v_ssl_signature = $ssl_str[$v_domain]['SIGNATURE'];
|
|
|
+ $v_ssl_pub_key = $ssl_str[$v_domain]['PUB_KEY'];
|
|
|
+ $v_ssl_issuer = $ssl_str[$v_domain]['ISSUER'];
|
|
|
|
|
|
// Cleanup certificate tempfiles
|
|
|
- if (!empty($_POST['v_ssl_crt'])) unlink($tmpdir."/".$_POST['v_domain'].".crt");
|
|
|
- if (!empty($_POST['v_ssl_key'])) unlink($tmpdir."/".$_POST['v_domain'].".key");
|
|
|
- if (!empty($_POST['v_ssl_ca'])) unlink($tmpdir."/".$_POST['v_domain'].".ca");
|
|
|
+ if (!empty($_POST['v_ssl_crt'])) unlink($tmpdir."/".$v_domain.".crt");
|
|
|
+ if (!empty($_POST['v_ssl_key'])) unlink($tmpdir."/".$v_domain.".key");
|
|
|
+ if (!empty($_POST['v_ssl_ca'])) unlink($tmpdir."/".$v_domain.".ca");
|
|
|
rmdir($tmpdir);
|
|
|
}
|
|
|
}
|
|
|
@@ -366,8 +384,12 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- $v_domain = escapeshellarg($_POST['v_domain']);
|
|
|
- $v_account = escapeshellarg($_POST['v_account']);
|
|
|
+ $v_domain = $_POST['v_domain'];
|
|
|
+ if(!in_array($v_domain, $user_domains)) {
|
|
|
+ check_return_code(3, ["Unknown domain"]);
|
|
|
+ }
|
|
|
+
|
|
|
+ $v_account = $_POST['v_account'];
|
|
|
$v_send_email = $_POST['v_send_email'];
|
|
|
$v_credentials = $_POST['v_credentials'];
|
|
|
|
|
|
@@ -377,7 +399,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
$fp = fopen($v_password, "w");
|
|
|
fwrite($fp, $_POST['v_password']."\n");
|
|
|
fclose($fp);
|
|
|
- exec (HESTIA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-change-mail-account-password ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".$v_password, $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
unlink($v_password);
|
|
|
@@ -391,14 +413,14 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
} else {
|
|
|
$v_quota = escapeshellarg($_POST['v_quota']);
|
|
|
}
|
|
|
- exec (HESTIA_CMD."v-change-mail-account-quota ".$v_username." ".$v_domain." ".$v_account." ".$v_quota, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-change-mail-account-quota ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".$v_quota, $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
|
|
|
// Change account aliases
|
|
|
if (empty($_SESSION['error_msg'])) {
|
|
|
- $waliases = preg_replace("/\n/", " ", escapeshellarg($_POST['v_aliases']));
|
|
|
+ $waliases = preg_replace("/\n/", " ", $_POST['v_aliases']);
|
|
|
$waliases = preg_replace("/,/", " ", $waliases);
|
|
|
$waliases = preg_replace('/\s+/', ' ',$waliases);
|
|
|
$waliases = trim($waliases);
|
|
|
@@ -407,7 +429,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
$result = array_diff($valiases, $aliases);
|
|
|
foreach ($result as $alias) {
|
|
|
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-account-alias ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".escapeshellarg($alias), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -415,7 +437,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
$result = array_diff($aliases, $valiases);
|
|
|
foreach ($result as $alias) {
|
|
|
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($alias), $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-account-alias ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".escapeshellarg($alias), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -424,7 +446,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
|
|
|
// Change forwarders
|
|
|
if (empty($_SESSION['error_msg'])) {
|
|
|
- $wfwd = preg_replace("/\n/", " ", escapeshellarg($_POST['v_fwd']));
|
|
|
+ $wfwd = preg_replace("/\n/", " ", $_POST['v_fwd']);
|
|
|
$wfwd = preg_replace("/,/", " ", $wfwd);
|
|
|
$wfwd = preg_replace('/\s+/', ' ',$wfwd);
|
|
|
$wfwd = trim($wfwd);
|
|
|
@@ -433,7 +455,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
$result = array_diff($vfwd, $fwd);
|
|
|
foreach ($result as $forward) {
|
|
|
if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-account-forward ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".escapeshellarg($forward), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -441,7 +463,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
$result = array_diff($fwd, $vfwd);
|
|
|
foreach ($result as $forward) {
|
|
|
if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-account-forward ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".escapeshellarg($forward), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
}
|
|
|
@@ -450,7 +472,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
|
|
|
// Delete FWD_ONLY flag
|
|
|
if (($v_fwd_only == 'yes') && (empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-account-fwd-only ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_fwd_only = '';
|
|
|
@@ -458,7 +480,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
|
|
|
// Add FWD_ONLY flag
|
|
|
if (($v_fwd_only != 'yes') && (!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-add-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-account-fwd-only ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_fwd_only = 'yes';
|
|
|
@@ -466,7 +488,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
|
|
|
// Delete autoreply
|
|
|
if (($v_autoreply == 'yes') && (empty($_POST['v_autoreply'])) && (empty($_SESSION['error_msg']))) {
|
|
|
- exec (HESTIA_CMD."v-delete-mail-account-autoreply ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-delete-mail-account-autoreply ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account), $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_autoreply = 'no';
|
|
|
@@ -478,7 +500,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|
|
if ( $v_autoreply_message != str_replace("\r\n", "\n", $_POST['v_autoreply_message'])) {
|
|
|
$v_autoreply_message = str_replace("\r\n", "\n", $_POST['v_autoreply_message']);
|
|
|
$v_autoreply_message = escapeshellarg($v_autoreply_message);
|
|
|
- exec (HESTIA_CMD."v-add-mail-account-autoreply ".$v_username." ".$v_domain." ".$v_account." ".$v_autoreply_message, $output, $return_var);
|
|
|
+ exec (HESTIA_CMD."v-add-mail-account-autoreply ".$v_username." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." ".$v_autoreply_message, $output, $return_var);
|
|
|
check_return_code($return_var,$output);
|
|
|
unset($output);
|
|
|
$v_autoreply = 'yes';
|