
Sync with upstream development branch

Kristan Kenney пре 6 година
родитељ
комит
0c2b28faf3

+ 3 - 0
bin/v-add-letsencrypt-domain

@@ -125,6 +125,9 @@ fi
 url="$LE_API/acme/new-order"
 payload='{"identifiers":['
 for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
+    if [[ "$identifier" = *[![:ascii:]]* ]]; then
+        identifier=$(idn -t --quiet -a $identifier)
+    fi
     payload=$payload'{"type":"dns","value":"'$identifier'"},'
 done
 payload=$(echo "$payload"|sed "s/,$//")
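Review bot: The `idn` call on the added line fails silently: if the binary is not installed or it rejects the label, `$identifier` becomes empty and the loop still appends `{"type":"dns","value":""}` to the ACME order payload. Quote the argument and stop on failure, e.g. `identifier=$(idn -t --quiet -a "$identifier") || exit 1` (or whatever error-reporting helper the script uses above the hunk), and consider checking `command -v idn` once before the loop so a missing dependency is reported up front. The enclosing `for` loop and the payload assembly are otherwise unchanged from before the hunk.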

+ 1 - 1
func/rebuild.sh

@@ -667,7 +667,7 @@ rebuild_pgsql_database() {
     query="GRANT ALL PRIVILEGES ON DATABASE $DB TO $DBUSER"
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
 
-    query="GRANT CONNECT ON DATABASE template1 to $dbuser"
+    query="GRANT CONNECT ON DATABASE template1 to $DBUSER"
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
 }
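Review bot: The corrected GRANT on the new line still discards psql's outcome through `> /dev/null 2>&1`, so a wrong or empty `$DBUSER` (defined outside the hunk) would fail as silently as the old lowercase typo did. Report the failure at least on stderr, e.g. `psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1 || echo "GRANT CONNECT on template1 failed for $DBUSER" >&2`, so a rebuild log shows which database user was left without access. rebuild_pgsql_database() starts before the hunk.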
 

+ 1 - 1
install/hst-install-debian.sh

@@ -1108,7 +1108,7 @@ if [ "$nginx" = 'yes' ]; then
             v_tpl=$(echo "$v" | sed -e 's/[.]//')
             cp -f $hestiacp/multiphp/nginx/PHP-$v_tpl.* $HESTIA/data/templates/web/nginx/
             cp -f $hestiacp/php-fpm/dummy.conf /etc/php/$v/fpm/pool.d/
-            sed -i "/s/9999/9999$v_tpl/g" /etc/php/$v/fpm/pool.d/dummy.conf
+            sed -i "s/9999/99$v_tpl/g" /etc/php/$v/fpm/pool.d/dummy.conf
         done
         cp -f $hestiacp/php-fpm/www.conf /etc/php/$fpm_v/fpm/pool.d/
         chmod a+x $HESTIA/data/templates/web/nginx/*.sh
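Review bot: The same port substitution is patched identically in install/hst-install-ubuntu.sh and, with a different variable name, in install/upgrade/0.9.8-29.sh, so the port derivation (`99` followed by the version with its dot removed) now lives in three hand-maintained copies, which is how the earlier `9999$v_tpl` typo spread in the first place. Consider computing the pool port in one small helper and calling it from each script, so a future change (for instance a two-digit minor version, where the suffix is no longer two characters) is made in one place. The `for v` loop begins outside the hunk, so the origin of `$v` is not visible here.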

+ 1 - 1
install/hst-install-ubuntu.sh

@@ -1076,7 +1076,7 @@ if [ "$nginx" = 'yes' ]; then
             v_tpl=$(echo "$v" | sed -e 's/[.]//')
             cp -f $hestiacp/multiphp/nginx/PHP-$v_tpl.* $HESTIA/data/templates/web/nginx/
             cp -f $hestiacp/php-fpm/dummy.conf /etc/php/$v/fpm/pool.d/
-            sed -i "/s/9999/9999$v_tpl/g" /etc/php/$v/fpm/pool.d/dummy.conf
+            sed -i "s/9999/99$v_tpl/g" /etc/php/$v/fpm/pool.d/dummy.conf
         done
         cp -f $hestiacp/php-fpm/www.conf /etc/php/$fpm_v/fpm/pool.d/
         chmod a+x $HESTIA/data/templates/web/nginx/*.sh

+ 1 - 1
install/upgrade/0.9.8-29.sh

@@ -233,7 +233,7 @@ if [ "$php_versions" -gt 1 ]; then
     for v in $(ls /etc/php/); do
         cp -f $hestiacp/php-fpm/dummy.conf /etc/php/$d/fpm/pool.d/
         v1=$(echo "$v" | sed -e 's/[.]//')
-        sed -i "s/9999/9999$v1/g" /etc/php/$v/fpm/pool.d/dummy.conf
+        sed -i "s/9999/99$v1/g" /etc/php/$v/fpm/pool.d/dummy.conf
     done
 fi
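Review bot: The `cp` on the context line above the changed `sed` writes dummy.conf to `/etc/php/$d/fpm/pool.d/` while the `sed -i` edits `/etc/php/$v/fpm/pool.d/dummy.conf`; unless `$d` is set earlier in the file (outside the hunk), the copy goes to `/etc/php//fpm/pool.d/` and the fixed `sed` then runs against a file that was never copied, so the port fix does not take effect on upgrade. The loop variable is `$v`, so the copy should read `cp -f $hestiacp/php-fpm/dummy.conf /etc/php/$v/fpm/pool.d/`. The `for v in $(ls /etc/php/)` loop also parses `ls` output; iterating a glob over the directory would be the safer form.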
 

+ 42 - 16
src/hst_autocompile.sh

@@ -1,7 +1,8 @@
 # Autocompile Script for HestiaCP deb Files.
 
 # Set compiling directory
-BUILD_DIR='/root'
+BUILD_DIR='/tmp/hestiacp-src/'
+DEB_DIR="$BUILD_DIR/debs/"
 INSTALL_DIR='/usr/local/hestia'
 
 # Set Version for compiling
@@ -12,6 +13,10 @@ PCRE_V='8.42'
 ZLIB_V='1.2.11'
 PHP_V='7.3.4'
 
+# Create build directories
+rm -rf $BUILD_DIR
+mkdir -p $DEB_DIR
+
 # Set package dependencies for compiling
 SOFTWARE='build-essential libxml2-dev libz-dev libcurl4-gnutls-dev unzip openssl libssl-dev pkg-config'
 
@@ -20,6 +25,24 @@ timestamp() {
     date +%s
 }
 
+branch=$2
+install=$3
+
+# Set install flags
+if [ ! -z "$2" ]; then
+  branch=$2
+else
+  echo -n "Please enter the name of the branch to build from (e.g. master): "
+  read branch
+fi
+
+if [ ! -z "$3" ]; then
+  install=$3
+else
+  echo -n 'Would you like to install the compiled packages? [y/N] '
+  read install
+fi
+
 # Install needed software
 echo "Updating system APT repositories..."
 apt-get -qq update > /dev/null 2>&1
@@ -55,22 +78,22 @@ for arg; do
 done
 
 if [[ $# -eq 0 ]] ; then
-  echo "(!) Invalid compilation flag specified. Valid flags:"
-  echo "--all"
-  echo "--hestia"
-  echo "--nginx"
-  echo "--php"
+  echo "ERROR: Invalid compilation flag specified. Valid flags include:"
+  echo "--all:      Build all hestia packages."
+  echo "--hestia:   Build only the Control Panel package."
+  echo "--nginx:    Build only the backend nginx engine package."
+  echo "--php:      Build only the backend php engine package"
+  echo ""
+  echo "For automated builds and installatioms, you may specify the branch"
+  echo "after one of the above flags. To install the packages, specify 'Y'"
+  echo "following the branch name."
+  echo ""
+  echo "Example: bash hst_autocompile.sh --hestia develop Y"
+  echo "This would install a Hestia Control Panel package compiled with the"
+  echo "develop branch code."
   exit 1
 fi
 
-# Ask for branch
-echo -n "Please enter the name of the branch to build from (e.g. master): "
-read branch
-
-# Ask if package should be installed after compilation
-echo -n 'Would you like to install the compiled packages? [y/N] '
-read INSTALL
-
 # Set git repository raw path
 GIT_REP='https://raw.githubusercontent.com/hestiacp/hestiacp/'$branch'/src/deb'
 
@@ -171,6 +194,7 @@ if [ "$NGINX_B" = true ] ; then
     cd $BUILD_DIR
     chown -R  root:root hestia-nginx_$NGINX_V
     dpkg-deb --build hestia-nginx_$NGINX_V
+    mv *.deb $DEB_DIR
 
     # clear up the source folder
     rm -r hestia-nginx_$NGINX_V
@@ -245,6 +269,7 @@ if [ "$PHP_B" = true ] ; then
     cd $BUILD_DIR
     chown -R  root:root hestia-php_$PHP_V
     dpkg-deb --build hestia-php_$PHP_V
+    mv *.deb $DEB_DIR
 
     # clear up the source folder
     rm -r hestia-php_$PHP_V
@@ -300,6 +325,7 @@ if [ "$HESTIA_B" = true ] ; then
     cd $BUILD_DIR
     chown -R root:root hestia_$HESTIA_V
     dpkg-deb --build hestia_$HESTIA_V
+    mv *.deb $DEB_DIR
 
     # clear up the source folder
     rm -r hestia_$HESTIA_V
@@ -313,8 +339,8 @@ fi
 #
 #################################################################################
 
-if [ "$INSTALL" = 'y' ] || [ "$INSTALL" = 'Y'  ]; then
-    for i in $BUILD_DIR/*hestia*.deb; do
+if [ "$install" = 'yes' ] || [ "$install" = 'YES' ] || [ "$install" = 'y' ] || [ "$install" = 'Y' ]; then
+    for i in $DEB_DIR/*.deb; do
       # Install all available packages
       dpkg -i $i
     done
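Review bot: `BUILD_DIR='/tmp/hestiacp-src/'` is a fixed, predictable path in a world-writable directory, and the script, which runs as root given the `apt-get` and `dpkg -i` calls, does `rm -rf $BUILD_DIR`, `mkdir -p $DEB_DIR` and later installs every `*.deb` found under `$DEB_DIR`; anything another local user has placed at that path is removed, or, if recreated between the `rm` and the `mkdir`, silently reused as the build and install directory. Create the tree with `BUILD_DIR=$(mktemp -d /tmp/hestiacp-src.XXXXXX)` (or keep it under a root-owned location such as the old `/root`) and guard the delete with `rm -rf -- "${BUILD_DIR:?}"`. Smaller points in the same section: `branch=$2` and `install=$3` on the first two added lines are immediately re-assigned by the `if` blocks below them and can be dropped, both `read` calls should be `read -r`, and the usage text has a typo in `installatioms`.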

+ 6 - 0
web/add/cron/autoupdate/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     exec (HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');
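Review bot: The added token check uses the loose `!=`, so PHP type juggling applies: two numeric-looking strings are compared as numbers (`"1e3" == "1000"`), and because `$_SESSION['token']` is never checked for existence, a session without a token compares `null` loosely equal to an empty `token=` parameter and passes. Use a strict, constant-time comparison: `if (!isset($_SESSION['token'], $_GET['token']) || !is_string($_GET['token']) || !hash_equals($_SESSION['token'], $_GET['token'])) {`. The same block is added verbatim in web/add/cron/reports, web/add/firewall/banlist, web/delete/cron/autoupdate, web/delete/cron/reports, web/restart/system and web/update/hestia; a helper in inc/main.php (included on the line above the block) would keep the seven copies in step.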

+ 6 - 0
web/add/cron/reports/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
 unset($output);

+ 6 - 0
web/add/firewall/banlist/index.php

@@ -6,6 +6,12 @@ $TAB = 'FIREWALL';
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 // Check user
 if ($_SESSION['user'] != 'admin') {
     header("Location: /list/user");

+ 6 - 0
web/delete/cron/autoupdate/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     exec (HESTIA_CMD."v-delete-cron-hestia-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled');

+ 6 - 0
web/delete/cron/reports/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (HESTIA_CMD."v-delete-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');
 unset($output);

+ 1 - 1
web/edit/db/index.php

@@ -27,7 +27,7 @@ unset($output);
 
 // Parse database
 $v_username = $user;
-$v_database = $_GET['database'];
+$v_database = escapeshellarg($_GET['database']);
 $v_dbuser = $data[$v_database]['DBUSER'];
 $v_password = "";
 $v_host = $data[$v_database]['HOST'];
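Review bot: `$v_database = escapeshellarg($_GET['database'])` wraps the value in single quotes, so the lookups on the following lines (`$data[$v_database]['DBUSER']`, `$data[$v_database]['HOST']`) now use a key that includes the quotes and will no longer match the plain database name that `$data` appears to be keyed by; the edit form would load with empty DBUSER/HOST. Keep the raw name for the array lookup and quote only where the value is interpolated into a command, e.g. `$v_database = $_GET['database'];` here and `escapeshellarg($v_database)` at the exec call site (outside the hunk). The same pattern is introduced in web/edit/mail/index.php (`$v_domain`, `$v_account`) and web/edit/web/index.php (`$v_domain`).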

+ 5 - 5
web/edit/mail/index.php

@@ -26,7 +26,7 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account'])))  {
     unset($output);
 
     // Parse domain
-    $v_domain = $_GET['domain'];
+    $v_domain = escapeshellarg($_GET['domain']);
     $v_antispam = $data[$v_domain]['ANTISPAM'];
     $v_antivirus = $data[$v_domain]['ANTIVIRUS'];
     $v_dkim = $data[$v_domain]['DKIM'];
@@ -70,8 +70,8 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account'])))  {
 
     // Parse mail account
     $v_username = $user;
-    $v_domain = $_GET['domain'];
-    $v_account = $_GET['account'];
+    $v_domain = escapeshellarg($_GET['domain']);
+    $v_account = escapeshellarg($_GET['account']);
     $v_password = "";
     $v_aliases = str_replace(',', "\n", $data[$v_account]['ALIAS']);
     $valiases = explode(",", $data[$v_account]['ALIAS']);
@@ -398,7 +398,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
 
     // Change account aliases
     if (empty($_SESSION['error_msg'])) {
-        $waliases = preg_replace("/\n/", " ", $_POST['v_aliases']);
+        $waliases = preg_replace("/\n/", " ", escapeshellarg($_POST['v_aliases']));
         $waliases = preg_replace("/,/", " ", $waliases);
         $waliases = preg_replace('/\s+/', ' ',$waliases);
         $waliases = trim($waliases);
@@ -424,7 +424,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
 
     // Change forwarders
     if (empty($_SESSION['error_msg'])) {
-        $wfwd = preg_replace("/\n/", " ", $_POST['v_fwd']);
+        $wfwd = preg_replace("/\n/", " ", escapeshellarg($_POST['v_fwd']));
         $wfwd = preg_replace("/,/", " ", $wfwd);
         $wfwd = preg_replace('/\s+/', ' ',$wfwd);
         $wfwd = trim($wfwd);
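Review bot: Applying `escapeshellarg()` to `$_POST['v_aliases']` and `$_POST['v_fwd']` before the newline/comma-to-space normalisation yields a single quoted word such as `'a@x b@x'` whose quote characters survive `trim()`; if the list is later interpolated into an exec command as separate arguments (the call is outside the hunk), the backend now receives one argument holding the whole list, and a quote in the input is expanded to `'\''` before the whitespace regexes run. Normalise first, then split on spaces and apply `escapeshellarg()` to each element, or escape the normalised string once at the point the command is built. The same ordering is used for `$waliases` in web/edit/web/index.php.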

+ 5 - 4
web/edit/web/index.php

@@ -26,7 +26,7 @@ unset($output);
 
 // Parse domain
 $v_username = $user;
-$v_domain = $_GET['domain'];
+$v_domain = escapeshellarg($_GET['domain']);
 $v_ip = $data[$v_domain]['IP'];
 $v_template = $data[$v_domain]['TPL'];
 $v_aliases = str_replace(',', "\n", $data[$v_domain]['ALIAS']);
@@ -116,6 +116,7 @@ if (!empty($_POST['save'])) {
     }
 
     // Change web domain IP
+    
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
         $v_ip = escapeshellarg($_POST['v_ip']);
         exec (HESTIA_CMD."v-change-web-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var);
@@ -162,7 +163,7 @@ if (!empty($_POST['save'])) {
 
     // Change aliases
     if (empty($_SESSION['error_msg'])) {
-        $waliases = preg_replace("/\n/", " ", $_POST['v_aliases']);
+        $waliases = preg_replace("/\n/", " ", escapeshellarg($_POST['v_aliases']));
         $waliases = preg_replace("/,/", " ", $waliases);
         $waliases = preg_replace('/\s+/', ' ',$waliases);
         $waliases = trim($waliases);
@@ -588,7 +589,7 @@ if (!empty($_POST['save'])) {
                         $subject = __("FTP login credentials");
                         $hostname = exec('hostname');
                         $from = __('MAIL_FROM',$hostname);
-                        $mailtext = __('FTP_ACCOUNT_READY',$_GET['domain'],$user,$v_ftp_username,$v_ftp_user_data['v_ftp_password']);
+                        $mailtext = __('FTP_ACCOUNT_READY',escapeshellarg($_GET['domain']),$user,$v_ftp_username,$v_ftp_user_data['v_ftp_password']);
                         send_email($to, $subject, $mailtext, $from);
                         unset($v_ftp_email);
                     }
@@ -662,7 +663,7 @@ if (!empty($_POST['save'])) {
                     $subject = __("FTP login credentials");
                     $hostname = exec('hostname');
                     $from = __('MAIL_FROM',$hostname);
-                    $mailtext = __('FTP_ACCOUNT_READY',$_GET['domain'],$user,$v_ftp_username_for_emailing,$v_ftp_user_data['v_ftp_password']);
+                    $mailtext = __('FTP_ACCOUNT_READY',escapeshellarg($_GET['domain']),$user,$v_ftp_username_for_emailing,$v_ftp_user_data['v_ftp_password']);
                     send_email($to, $subject, $mailtext, $from);
                     unset($v_ftp_email);
                 }
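Review bot: `escapeshellarg($_GET['domain'])` in the two changed `__('FTP_ACCOUNT_READY', …)` calls is the wrong primitive for that context: the result is an e-mail body, not a shell command, so the recipient sees the domain wrapped in single quotes and any embedded quote rendered as `'\''`. If the domain has been validated against `$data` earlier in the file (not visible in the hunk), pass the plain value; if the message is rendered as HTML, `htmlspecialchars()` is the matching escape. The blank line inserted before the `// Change web domain IP` block in the second hunk is stray whitespace.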

+ 2 - 2
web/list/directory/index.php

@@ -18,8 +18,8 @@ if (empty($panel)) {
     $panel = json_decode(implode('', $output), true);
 }
 
-$path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : '';
-$path_b = !empty($_REQUEST['dir_b']) ? $_REQUEST['dir_b'] : '';
+$path_a = !empty($_REQUEST['dir_a']) ? htmlentities($_REQUEST['dir_a']) : '';
+$path_b = !empty($_REQUEST['dir_b']) ? htmlentities($_REQUEST['dir_b']) : '';
 $GLOBAL_JS  = '<script type="text/javascript">GLOBAL.START_DIR_A = "' . $path_a . '";</script>';
 $GLOBAL_JS .= '<script type="text/javascript">GLOBAL.START_DIR_B = "' . $path_b . '";</script>';
 $GLOBAL_JS .= '<script type="text/javascript">GLOBAL.ROOT_DIR = "' . $panel[$user]['HOME'] . '";</script>';
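Review bot: `htmlentities()` on the two changed lines is applied to a value that lands inside a JavaScript string literal in a `<script>` block, where HTML entity decoding does not happen: a directory named `a&b` reaches `GLOBAL.START_DIR_A` as `a&amp;b`, while backslashes and line terminators in the path are not escaped at all. Encode for the JS context instead, e.g. `$path_a = !empty($_REQUEST['dir_a']) ? json_encode($_REQUEST['dir_a'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) : '""';`, and drop the surrounding `"` in the `$GLOBAL_JS` lines since `json_encode` supplies them. `$panel[$user]['HOME']` on the last context line is emitted into the same kind of literal and would benefit from the same treatment.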

+ 6 - 0
web/restart/system/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['hostname'])) {
         exec (HESTIA_CMD."v-restart-system yes", $output, $return_var);

+ 2 - 2
web/templates/admin/list_dns_rec.html

@@ -89,11 +89,11 @@ v_unit_id="<?=$key?>" v_section="dns_rec">
           <!-- l-unit-toolbar__col -->
           <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
             <div class="actions-panel clearfix">
-              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/dns/?domain=<?=$_GET['domain']?>&record_id=<?=$data[$key]['ID']?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
+              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/dns/?domain=<?=htmlspecialchars($_GET['domain'])?>&record_id=<?=$data[$key]['ID']?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
               <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
                 <a id="delete_link_<?=$i?>" class="data-controls do_delete">
                   <?=__('delete')?> <i class="do_delete"></i>
-                  <input type="hidden" name="delete_url" value="/delete/dns/?domain=<?=$_GET['domain']?>&record_id=<?=$data[$key]['ID']?>&token=<?=$_SESSION['token']?>" />
+                  <input type="hidden" name="delete_url" value="/delete/dns/?domain=<?=htmlspecialchars($_GET['domain'])?>&record_id=<?=$data[$key]['ID']?>&token=<?=$_SESSION['token']?>" />
                   <div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
                     <p class="confirmation"><?=__('DELETE_RECORD_CONFIRMATION',$data[$key]['RECORD'])?></p>
                   </div>
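Review bot: `htmlspecialchars($_GET['domain'])` covers the attribute context but not the URL one: the value sits in a query string, so `&`, `=`, `#` or `+` in it alter the query the link carries (the `&` is encoded to `&amp;`, which the browser decodes back before sending). Use `htmlspecialchars(urlencode($_GET['domain']))` in both changed attributes. The same construct appears in the changed lines of web/templates/admin/list_mail_acc.html and web/templates/user/list_mail_acc.html; `$key` and `$data[$key]['ID']` on those lines are still emitted raw, which is only safe if they come from validated backend data.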

+ 3 - 3
web/templates/admin/list_mail_acc.html

@@ -96,11 +96,11 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
           <!-- l-unit-toolbar__col -->
           <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
             <div class="actions-panel clearfix">
-              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
+              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
               <div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">
                 <a id="<?=$spnd_action ?>_link_<?=$i?>" class="data-controls do_<?=$spnd_action?>">
                   <?=__($spnd_action)?> <i class="do_<?=$spnd_action?>"></i>
-                  <input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/mail/?domain=<?=$_GET['domain']?>&account=<?php echo $key ?>&token=<?=$_SESSION['token']?>" />
+                  <input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?php echo $key ?>&token=<?=$_SESSION['token']?>" />
                   <div id="<?=$spnd_action?>_dialog_<?=$i?>" class="confirmation-text-suspention hidden" title="<?=__('Confirmation')?>">
                     <p class="confirmation"><?=__($spnd_confirmation,$key)?></p>
                   </div>
@@ -110,7 +110,7 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
               <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
                 <a id="delete_link_<?=$i?>" class="data-controls do_delete">
                   <?=__('delete')?> <i class="do_delete"></i>
-                  <input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
+                  <input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
                   <div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
                     <p class="confirmation"><?=__('DELETE_MAIL_ACCOUNT_CONFIRMATION',$key)?></p>
                   </div>

+ 1 - 1
web/templates/admin/list_services.html

@@ -54,7 +54,7 @@
           <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
             <div class="actions-panel clearfix">
               <div class="actions-panel__col actions-panel__configure shortcut-enter" key-action="href"><a href="/edit/server/"><?=__('configure')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
-              <div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
+              <div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>&token=<?=$_SESSION['token']?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
             </div>
             <!-- /.actions-panel -->
           </div>

+ 2 - 2
web/templates/user/list_mail_acc.html

@@ -88,11 +88,11 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
           <!-- l-unit-toolbar__col -->
           <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
             <div class="actions-panel clearfix">
-              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
+              <div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
               <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
                 <a id="delete_link_<?=$i?>" class="data-controls do_delete">
                   <?=__('delete')?> <i class="do_delete"></i>
-                  <input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
+                  <input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
                   <div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
                     <p class="confirmation"><?=__('DELETE_MAIL_ACCOUNT_CONFIRMATION',$key)?></p>
                   </div>

+ 6 - 0
web/update/hestia/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['pkg'])) {
         $v_pkg = escapeshellarg($_GET['pkg']);