
Merge branch 'staging/1.6.10' into release

Jaap Marcus 3 years ago
parent
commit
3f91e83eae

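--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,17 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.10] - Service release 
+
+### Security
+
+- Delete temp files after password has been verified (#2958)
+
+### Dependencies
+
+- Update Filegator to 7.8.3
+- Update PHPmailer to 6.6.5
+
 ## [1.6.9] - Service release 
 
 - Fixed an issue when Installing Wordpress in a non english locale (#2788 #2818)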

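--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.9'
+HESTIA_INSTALL_VER='1.6.10'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"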

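--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.9'
+HESTIA_INSTALL_VER='1.6.10'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"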

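--- a/install/upgrade/upgrade.conf
+++ b/install/upgrade/upgrade.conf
@@ -60,7 +60,7 @@ UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
 fm_v='7.8.2'
 
 # Set version of PHPMailer to update during upgrade if not already installed
-pm_v='6.6.4'
+pm_v='6.6.5'
 
 # Backblaze
 b2_v='3.5.0'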

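--- /dev/null
+++ b/install/upgrade/versions/1.6.10.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.6.9
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+
+# Delete all tmp files create by hestia that are left in place
+rm -fr /tmp/vst*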
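Review bot: The header comment of the new install/upgrade/versions/1.6.10.sh still says `target version 1.6.9`; it should read `# Hestia Control Panel upgrade script for target version 1.6.10`. The cleanup comment has a typo and would be clearer as `# Delete all tmp files created by hestia that are left in place`. The files this release cleans up were created by tempnam() as plain files (see the removed lines in the web/api and web/login hunks), so `rm -f /tmp/vst*` without `-r` is sufficient and avoids recursively removing any unrelated directory that happens to match the prefix in the shared /tmp. Separately, the CHANGELOG hunk in this commit lists Filegator 7.8.3 while `fm_v='7.8.2'` is unchanged context in install/upgrade/upgrade.conf; confirm that bump landed elsewhere.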

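--- a/src/deb/hestia/control
+++ b/src/deb/hestia/control
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.6.9
+Version: 1.6.10
 Section: admin
 Maintainer: HestiaCP <[email protected]>
 Homepage: https://www.hestiacp.com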

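--- a/web/api/index.php
+++ b/web/api/index.php
@@ -94,14 +94,14 @@ function api_legacy(array $request_data) {
             $hash = str_replace('$rounds=5000', '', $hash);
         }
         if ($method == 'yescrypt') {
-            $v_password = tempnam("/tmp", "vst");
-            $fp = fopen($v_password, "w");
+            $fp = tmpfile();
+            $v_password = stream_get_meta_data($fp)['uri'];
             fwrite($fp, $password."\n");
-            fclose($fp);
             unset($output);
-            exec(HESTIA_CMD . 'v-check-user-password "admin" '. $password. ' '.$v_ip.' yes', $output, $return_var);
+            exec(HESTIA_CMD . 'v-check-user-password "admin" '. escapeshellarg($v_password). ' '.$v_ip.' yes', $output, $return_var);
             $hash = $output[0];
-            unset($output);
+            fclose($fp);
+            unset($output, $fp, $v_password);
         }
         if ($method == 'des') {
             $hash = crypt($password, $salt);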
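Review bot: `$hash = $output[0];` is still read without checking `$return_var` or that `$output` is non-empty, so a failing v-check-user-password invocation produces an undefined-index notice and a null `$hash` instead of a clear failed check; the web/login/index.php hunk has the same pattern. A guard such as `if ($return_var !== 0 || !isset($output[0])) { /* treat as failed password check, do not read $output[0] */ }` before the assignment closes that gap. The `fwrite()` is also not followed by a flush before `exec()`, so the external command seeing the password depends on the stream writing through unbuffered; an explicit `fflush($fp);` after the fwrite makes that independent of buffering. The enclosing api_legacy() starts and ends outside the hunk.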

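--- a/web/inc/composer.lock
+++ b/web/inc/composer.lock
@@ -8,16 +8,16 @@
     "packages": [
         {
             "name": "phpmailer/phpmailer",
-            "version": "v6.6.3",
+            "version": "v6.6.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHPMailer/PHPMailer.git",
-                "reference": "9400f305a898f194caff5521f64e5dfa926626f3"
+                "reference": "8b6386d7417526d1ea4da9edb70b8352f7543627"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9400f305a898f194caff5521f64e5dfa926626f3",
-                "reference": "9400f305a898f194caff5521f64e5dfa926626f3",
+                "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/8b6386d7417526d1ea4da9edb70b8352f7543627",
+                "reference": "8b6386d7417526d1ea4da9edb70b8352f7543627",
                 "shasum": ""
             },
             "require": {
@@ -41,8 +41,8 @@
                 "hayageek/oauth2-yahoo": "Needed for Yahoo XOAUTH2 authentication",
                 "league/oauth2-google": "Needed for Google XOAUTH2 authentication",
                 "psr/log": "For optional PSR-3 debug logging",
-                "stevenmaguire/oauth2-microsoft": "Needed for Microsoft XOAUTH2 authentication",
-                "symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)"
+                "symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)",
+                "thenetworg/oauth2-azure": "Needed for Microsoft XOAUTH2 authentication"
             },
             "type": "library",
             "autoload": {
@@ -74,7 +74,7 @@
             "description": "PHPMailer is a full-featured email creation and transfer class for PHP",
             "support": {
                 "issues": "https://github.com/PHPMailer/PHPMailer/issues",
-                "source": "https://github.com/PHPMailer/PHPMailer/tree/v6.6.3"
+                "source": "https://github.com/PHPMailer/PHPMailer/tree/v6.6.5"
             },
             "funding": [
                 {
@@ -82,7 +82,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2022-06-20T09:21:02+00:00"
+            "time": "2022-10-07T12:23:10+00:00"
         }
     ],
     "packages-dev": [],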

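--- a/web/login/index.php
+++ b/web/login/index.php
@@ -129,13 +129,13 @@ function authenticate_user($user, $password, $twofa = '')
                 $hash = str_replace('$rounds=5000', '', $hash);
             }
             if ($method == 'yescrypt') {
-                $v_password = tempnam("/tmp", "vst");
-                $fp = fopen($v_password, "w");
+                $fp = tmpfile();
+                $v_password = stream_get_meta_data($fp)['uri'];
                 fwrite($fp, $password."\n");
-                fclose($fp);
-                exec(HESTIA_CMD . 'v-check-user-password '. $v_user.' '. $v_password. ' '.$v_ip.' yes', $output, $return_var);
+                exec(HESTIA_CMD . 'v-check-user-password '. $v_user.' '. escapeshellarg($v_password). ' '.$v_ip.' yes', $output, $return_var);
                 $hash = $output[0];
-                unset($output);
+                fclose($fp);
+                unset($output,$fp, $v_password);
             }
             if ($method == 'des') {
                 $hash = crypt($password, $salt);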
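Review bot: Only `$v_password` is wrapped in escapeshellarg() on the rebuilt command line; `$v_user` and `$v_ip` are still concatenated raw into the exec() string. If they are not already escaped earlier in authenticate_user() (outside the hunk), each should be passed through escapeshellarg() too, e.g. `escapeshellarg($v_user).' '.escapeshellarg($v_password).' '.escapeshellarg($v_ip)`; if they are, a short comment saying so at the exec() line would save the next reader the check. As a point of style, `unset($output,$fp, $v_password);` is missing the space after the first comma that the web/api/index.php hunk uses (`unset($output, $fp, $v_password);`). authenticate_user() starts and ends outside the hunk.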