
Merge pull request #4 from serghey-rodin/master

updates from master branch
myvesta 7 years ago
parent
commit
5d10ea26d5

+ 1 - 0
bin/v-add-mail-domain

@@ -45,6 +45,7 @@ is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_domain_new 'mail' "$domain"
 is_package_full 'MAIL_DOMAINS'
+is_dir_symlink $HOMEDIR/$user/mail
 
 
 #----------------------------------------------------------#
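Review bot: The added `is_dir_symlink $HOMEDIR/$user/mail` leaves the path unquoted, unlike the quoted `"$domain"` arguments on the surrounding lines, so a `$HOMEDIR` or `$user` containing whitespace or glob characters would be word-split before the `-L` test inside is_dir_symlink sees it; write `is_dir_symlink "$HOMEDIR/$user/mail"`. The same applies to `is_dir_symlink $HOMEDIR/$user/web` in bin/v-add-web-domain. Note also that `-L` inspects only the final path component, so a symlinked `$HOMEDIR/$user` would pass this check; whether that state is reachable depends on how the user home is created, which is outside this diff.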

+ 1 - 0
bin/v-add-web-domain

@@ -47,6 +47,7 @@ is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_package_full 'WEB_DOMAINS' 'WEB_ALIASES'
 is_domain_new 'web' "$domain,$aliases"
+is_dir_symlink $HOMEDIR/$user/web
 if [ ! -z "$ip" ]; then
     is_ip_valid "$ip" "$user"
 else

+ 3 - 3
bin/v-check-user-hash

@@ -75,15 +75,15 @@ else
     method='des'
 fi
 
+# Checking salt
 if [ -z "$salt" ]; then
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     exit 9
 fi
 
-# Checking hash
-result=$(grep "^$user:$hash:" /etc/shadow 2>/dev/null)
-if [[ -z "$result" ]]; then
+# Comparing hashes
+if [[ "$shadow" != "$hash" ]]; then
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     exit 9
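Review bot: The new comparison `[[ "$shadow" != "$hash" ]]` treats two empty strings as a match: both variables are assigned outside this hunk, and if either can be empty (no shadow entry for the user, or a failed hash computation) the check falls through without an error. Since the hunk already rejects an empty `$salt` a few lines earlier, extend the same guard to the hash comparison: `if [[ -z "$hash" || -z "$shadow" || "$shadow" != "$hash" ]]; then`. The enclosing script continues outside the hunk, so the success path after this check is not visible here.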

+ 13 - 10
bin/v-list-user-log

@@ -23,7 +23,10 @@ json_list() {
     objects=$(echo "$logs" |wc -l)
     echo "{"
     for str in $logs; do
-        eval $str
+        ID=$(echo "$str" |cut -f 2 -d \')
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         CMD=${CMD//\"/\\\"}
         echo -n '    "'$ID'": {
         "CMD": "'$CMD'",
@@ -46,13 +49,9 @@ shell_list() {
     echo "DATE~TIME~CMD"
     echo "----~----~---"
     for str in $logs; do
-        eval $str
-        if [ -z "$DATE" ]; then
-            DATE='no'
-        fi
-        if [ -z "$TIME" ]; then
-            TIME='no'
-        fi
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo "$DATE~$TIME~$CMD"
     done
 }
@@ -61,7 +60,9 @@ shell_list() {
 plain_list() {
     IFS=$'\n'
     for str in $logs; do
-        eval $str
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"
     done
 }
@@ -71,7 +72,9 @@ csv_list() {
     IFS=$'\n'
     echo "ID,CMD,UNDO,TIME,DATE"
     for str in $logs; do
-        eval $str
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE"
     done
 }
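Review bot: plain_list and csv_list still print `$ID` and `$UNDO` (`echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"` and `echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE"`), but after removing `eval $str` the new lines in those two functions only assign DATE, TIME and CMD, so those columns are now empty or stale from a previous iteration. Add `ID=$(echo "$str" |cut -f 2 -d \')` as json_list already does, and extract UNDO from whatever field it occupies in the log line (the log format itself is not visible in this diff). The `cut -d \'` extraction also assumes the command text contains no single quote; a `CMD` value with an embedded `'` shifts every later field, which deserves a comment or a check. Replacing eval with field extraction is the right direction, since the log line content was previously executed as shell.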

+ 5 - 17
bin/v-update-sys-rrd-mysql

@@ -14,6 +14,7 @@ period=${1-daily}
 
 # Includes
 source $VESTA/func/main.sh
+source $VESTA/func/db.sh
 source $VESTA/conf/vesta.conf
 
 
@@ -66,23 +67,10 @@ for host in $hosts; do
     fi
 
     if [ "$period" = 'daily' ]; then
-        # Defining host credentials
-        host_str=$(grep "HOST='$host'" $conf)
-        for key in $host_str; do
-            eval ${key%%=*}=${key#*=}
-        done
-        sql="mysql -h $HOST -u $USER -p$PASSWORD -e"
-
-        # Checking empty vars
-        if [ -z $HOST ] || [ -z $USER ] || [ -z $PASSWORD ]; then
-            echo "Error: config is broken"
-            log_event "$E_PARSING" "$ARGUMENTS"
-            exit $E_PARSING
-        fi
-
-        # Parsing data
-        status=$($sql "SHOW GLOBAL STATUS" 2>/dev/null); code="$?"
-        if [ '0' -ne "$code" ]; then
+        mysql_connect $host
+        query='SHOW GLOBAL STATUS'
+        status=$(mysql_query "$query" 2>/dev/null)
+        if [ $? -ne 0 ]; then
             active=0
             slow=0
         else
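Review bot: `mysql_connect $host` is unquoted and its return status is ignored, whereas the block it replaces aborted with `E_PARSING` when the host record had empty credentials; if mysql_connect reports a broken record through its exit code (its body is not in this diff), that signal is now dropped and mysql_query runs with whatever `$mycnf` was last set to. Consider `mysql_connect "$host" || continue` or an explicit error as before. The `2>/dev/null` on the `mysql_query "$query"` call also duplicates the one inside mysql_query itself. The enclosing `for host` loop starts outside the hunk.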

+ 8 - 2
func/db.sh

@@ -47,7 +47,10 @@ mysql_connect() {
 }
 
 mysql_query() {
-    mysql --defaults-file=$mycnf -e "$1" 2>/dev/null
+    sql_tmp=$(mktemp)
+    echo "$1" > $sql_tmp
+    mysql --defaults-file=$mycnf < "$sql_tmp"  2>/dev/null
+    rm -f "$sql_tmp"
 }
 
 mysql_dump() {
@@ -89,7 +92,10 @@ psql_connect() {
 }
 
 psql_query() {
-    psql -h $HOST -U $USER -c "$1" 2>/dev/null
+    sql_tmp=$(mktemp)
+    echo "$1" > $sql_tmp
+    psql -h $HOST -U $USER -f "$sql_tmp" 2>/dev/null
+    rm -f $sql_tmp
 }
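Review bot: mysql_query and psql_query now end with `rm -f`, so each function's exit status is rm's rather than the database client's; the caller added in this commit in bin/v-update-sys-rrd-mysql (`if [ $? -ne 0 ]` after `status=$(mysql_query "$query" 2>/dev/null)`) can therefore never take its failure branch. Capture the client's status before the cleanup and return it. `sql_tmp` is also left as a global, the psql_query `rm -f $sql_tmp` is unquoted, and a failed `mktemp` would turn `echo "$1" > $sql_tmp` into a redirection to an empty name; the rewrite below shows mysql_query, and psql_query takes the same shape with `psql -h $HOST -U $USER -f "$sql_tmp"`.
```shell
mysql_query() {
    local sql_tmp rc
    sql_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$sql_tmp"
    mysql --defaults-file="$mycnf" < "$sql_tmp" 2>/dev/null
    rc=$?
    rm -f -- "$sql_tmp"
    return "$rc"
}
```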
 
 psql_dump() {

+ 7 - 0
func/main.sh

@@ -287,6 +287,13 @@ is_hash_valid() {
     fi
 }
 
+# Check if directory is a symlink
+is_dir_symlink() {
+    if [[ -L "$1" ]]; then
+        check_result $E_FORBIDEN "$1 directory is a symlink"
+    fi
+}
+
 # Get object value
 get_object_value() {
     object=$(grep "$2='$3'" $USER_DATA/$1.conf)
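Review bot: The header comment `# Check if directory is a symlink` undersells what is_dir_symlink does: it does not return a result but aborts the calling script through `check_result $E_FORBIDEN`, which the callers added in v-add-web-domain and v-add-mail-domain rely on. Suggest `# Abort with E_FORBIDEN when $1 is a symlink; used to refuse domain creation on a redirected web/ or mail/ directory`. A second comment noting that `-L` inspects only the final path component, so callers must pass the directory itself rather than a child of it, would spare the next maintainer from misusing it.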

+ 6 - 0
func/rebuild.sh

@@ -71,6 +71,9 @@ rebuild_user_conf() {
         echo "$BIN/v-update-web-domains-disk $user" \
             >> $VESTA/data/queue/disk.pipe
 
+        if [[ -L "$HOMEDIR/$user/web" ]]; then
+            rm $HOMEDIR/$user/web
+        fi
         mkdir -p $HOMEDIR/$user/conf/web
         mkdir -p $HOMEDIR/$user/web
         mkdir -p $HOMEDIR/$user/tmp
@@ -105,6 +108,9 @@ rebuild_user_conf() {
         echo "$BIN/v-update-mail-domains-disk $user" \
             >> $VESTA/data/queue/disk.pipe
 
+        if [[ -L "$HOMEDIR/$user/mail" ]]; then
+            rm $HOMEDIR/$user/mail
+        fi
         mkdir -p $HOMEDIR/$user/conf/mail
         mkdir -p $HOMEDIR/$user/mail
         chmod 751 $HOMEDIR/$user/mail
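Review bot: The new `rm $HOMEDIR/$user/web` is unquoted while the `-L` test directly above it quotes the same path, so a `$HOMEDIR` or `$user` with whitespace would make rm act on different arguments than were tested; write `rm -f -- "$HOMEDIR/$user/web"`. The same applies to `rm $HOMEDIR/$user/mail` in the second hunk. Silently deleting a symlink during a rebuild is also the kind of action worth recording, for instance with the `log_event` helper used elsewhere in this codebase, so an operator can later see why the link disappeared. rebuild_user_conf starts outside the hunk.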

+ 1 - 1
src/deb/ioncube/control

@@ -1,7 +1,7 @@
 Source: vesta-ioncube
 Package: vesta-ioncube
 Priority: optional
-Version: 0.9.8-20
+Version: 0.9.8-21
 Section: admin
 Maintainer: Serghey Rodin <skid@vestacp.com>
 Homepage: https://www.ioncube.com

+ 1 - 1
src/deb/nginx/control

@@ -1,7 +1,7 @@
 Source: vesta-nginx
 Package: vesta-nginx
 Priority: optional
-Version: 0.9.8-20
+Version: 0.9.8-21
 Section: admin
 Maintainer: Serghey Rodin <skid@vestacp.com>
 Homepage: http://vestacp.com

+ 1 - 1
src/deb/php/control

@@ -1,7 +1,7 @@
 Source: vesta-php
 Package: vesta-php
 Priority: optional
-Version: 0.9.8-20
+Version: 0.9.8-21
 Section: admin
 Maintainer: Serghey Rodin <skid@vestacp.com>
 Homepage: http://vestacp.com

+ 1 - 1
src/deb/softaculous/control

@@ -1,7 +1,7 @@
 Source: vesta-softaculous
 Package: vesta-softaculous
 Priority: optional
-Version: 0.9.8-20
+Version: 0.9.8-21
 Section: admin
 Maintainer: Serghey Rodin <skid@vestacp.com>
 Homepage: https://www.softaculous.com

+ 1 - 1
src/deb/vesta/control

@@ -1,7 +1,7 @@
 Source: vesta
 Package: vesta
 Priority: optional
-Version: 0.9.8-20
+Version: 0.9.8-21
 Section: admin
 Maintainer: Serghey Rodin <skid@vestacp.com>
 Homepage: http://vestacp.com

+ 5 - 1
src/deb/vesta/postinst

@@ -20,8 +20,12 @@ if [ -x "/usr/local/vesta/upd/fix_sessions.sh" ]; then
     /usr/local/vesta/upd/fix_sessions.sh
 fi
 
-if [ -e /usr/local/vesta/upd/fix_nginx_auth.sh ]; then
+if [ -x /usr/local/vesta/upd/fix_nginx_auth.sh ]; then
     /usr/local/vesta/upd/fix_nginx_auth.sh
 fi
 
+if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then
+    /usr/local/vesta/upd/fix_roundcube.sh
+fi
+
 exit 0
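Review bot: Switching the guards from `-e` to `-x` means an update script installed without the executable bit is silently skipped rather than run; the new fix_roundcube.sh added in this commit is guarded the same way and its file mode is not visible in the diff, so confirm the package ships it as executable or invoke it as `bash /usr/local/vesta/upd/fix_roundcube.sh`. The same `-e` to `-x` change is made in the %post section of src/rpm/specs/vesta.spec.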

+ 1 - 1
src/rpm/specs/vesta-ioncube.spec

@@ -1,6 +1,6 @@
 Name:           vesta-ioncube
 Version:        0.9.8
-Release:        20
+Release:        21
 Summary:        ionCube Loader
 Group:          System Environment/Base
 License:        "Freely redistributable without restriction"

+ 1 - 1
src/rpm/specs/vesta-nginx.spec

@@ -1,6 +1,6 @@
 Name:           vesta-nginx
 Version:        0.9.8
-Release:        20
+Release:        21
 Summary:        Vesta Control Panel
 Group:          System Environment/Base
 License:        BSD-like

+ 1 - 1
src/rpm/specs/vesta-php.spec

@@ -1,6 +1,6 @@
 Name:           vesta-php
 Version:        0.9.8
-Release:        20
+Release:        21
 Summary:        Vesta Control Panel
 Group:          System Environment/Base
 License:        GPL

+ 1 - 1
src/rpm/specs/vesta-softaculous.spec

@@ -1,6 +1,6 @@
 Name:           vesta-softaculous
 Version:        0.9.8
-Release:        20
+Release:        21
 Summary:        Vesta Control Panel
 Group:          System Environment/Base
 License:        Softaculous License

+ 11 - 5
src/rpm/specs/vesta.spec

@@ -1,6 +1,6 @@
 Name:           vesta
 Version:        0.9.8
-Release:        20
+Release:        21
 Summary:        Vesta Control Panel
 Group:          System Environment/Base
 License:        GPL
@@ -30,18 +30,21 @@ rm -rf %{buildroot}
 
 %post
 if [ $1 -ge 2 ]; then
-    if [ -e /usr/local/vesta/upd/add_sudo.sh ]; then
+    if [ -x /usr/local/vesta/upd/add_sudo.sh ]; then
         /usr/local/vesta/upd/add_sudo.sh
     fi
-    if [ -e /usr/local/vesta/upd/add_notifications.sh ]; then
+    if [ -x /usr/local/vesta/upd/add_notifications.sh ]; then
         /usr/local/vesta/upd/add_notifications.sh
     fi
-    if [ -e /usr/local/vesta/upd/fix_sessions.sh ]; then
+    if [ -x /usr/local/vesta/upd/fix_sessions.sh ]; then
         /usr/local/vesta/upd/fix_sessions.sh
     fi
-    if [ -e /usr/local/vesta/upd/fix_nginx_auth.sh ]; then
+    if [ -x /usr/local/vesta/upd/fix_nginx_auth.sh ]; then
         /usr/local/vesta/upd/fix_nginx_auth.sh
     fi
+    if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then
+        /usr/local/vesta/upd/fix_roundcube.sh
+    fi
 fi
 %files
 %{_vestadir}
@@ -56,6 +59,9 @@ fi
 %config(noreplace) %{_vestadir}/web/css/uploadify.css
 
 %changelog
+* Fri May 11 2018 Serghey Rodin <builder@vestacp.com> - 0.9.8-21
+- Additional security fixes
+
 * Sun Apr 08 2018 Serghey Rodin <builder@vestacp.com> - 0.9.8-20
 - Hardening password checks
 

+ 1 - 1
upd/add_sudo.sh

@@ -3,7 +3,7 @@
 
 if [ ! -e '/etc/sudoers.d/admin' ]; then
     if [ ! -d '/etc/sudoers.d' ]; then
-        mkidr /etc/sudoers.d
+        mkdir /etc/sudoers.d
         chmod 750 /etc/sudoers.d
     fi
     echo '# Created by vesta update-trigger' > /etc/sudoers.d/admin

+ 19 - 0
upd/fix_roundcube.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Locate roundcube directory
+if [ -d '/etc/roundcube' ]; then
+    rc_dir='/etc/roundcube'
+fi
+if [ -d '/etc/roundcubemail' ]; then
+    rc_dir='/etc/roundcubemail'
+fi
+
+if [ -z "$rc_dir" ]; then
+    exit
+fi
+
+# Check for eval
+cd $rc_dir
+for config in $(grep eval *.php |cut -f1 -d:); do
+    sed -i '/eval/d' $config
+done
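Review bot: `grep eval *.php |cut -f1 -d:` yields a filename only when grep prefixes one, which it does not when the glob expands to exactly one file; in that case the loop receives the matching line text and `sed -i` is run on a non-existent path. Use `for config in $(grep -l -- eval *.php); do` to obtain filenames directly, guard the directory change with `cd "$rc_dir" || exit 1` so the loop cannot run in the wrong directory, and quote the target as `sed -i '/eval/d' -- "$config"`. Deleting every line containing the substring `eval` is blunt (it also matches words such as `evaluate` or a comment), so keeping a backup with `sed -i.bak` or logging the removed lines would let an administrator verify what was changed.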

+ 3 - 3
web/inc/i18n/sr.php

@@ -489,7 +489,7 @@ $LANG['sr'] = array(
     'Welcome'  => 'Dobrodošli',
     'LOGGED_IN_AS'  => 'Ulogovani ste kao %s',
     'Error'  => 'Greška',
-    'Invalid username or password'  => 'Pogrešani login podaci',
+    'Invalid username or password'  => 'Pogrešni login podaci',
     'Invalid username or code'  => 'Pogrešno korisničko ime ili kod',
     'Passwords not match'  => 'Passwordi se ne poklapaju',
     'Please enter valid email address.'  => 'Potrebno je uneti validnu email adresu.',
@@ -512,8 +512,8 @@ $LANG['sr'] = array(
 
     'Welcome to Vesta Control Panel'  => 'Dobrodošli u Vesta kontrolni panel',
     'MAIL_FROM'  => 'Vesta kontrolni panel <noreply@%s>',
-    'GREETINGS_GORDON_FREEMAN' => "Poštovanje, %s %s,\n",
-    'GREETINGS' => "Poštovanje,\n",
+    'GREETINGS_GORDON_FREEMAN' => "Poštovani %s %s,\n",
+    'GREETINGS' => "Poštovani,\n",
     'ACCOUNT_READY' => "Vaš hosting nalog je kreiran i spreman za korišćenje.\n\nhttps://%s/login/\nKorisničko ime: %s\nŠifra: %s\n\n--\nVesta kontrolni panel\n",
 
     'FTP login credentials'  => 'FTP podaci',

+ 5 - 30
web/upload/UploadHandler.php

@@ -1117,37 +1117,12 @@ class UploadHandler
             $append_file = $content_range && is_file($file_path) &&
                 $file->size > $this->get_file_size($file_path);
             if ($uploaded_file && is_uploaded_file($uploaded_file)) {
-                // multipart/formdata uploads (POST method uploads)
-                if ($append_file) {
-                    file_put_contents(
-                        $file_path,
-                        fopen($uploaded_file, 'r'),
-                        FILE_APPEND
-                    );
-                } else {
-                    chmod($uploaded_file, 0644);
-//                    move_uploaded_file($uploaded_file, $file_path);
-                    exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
-
-                    $error = check_return_code($return_var, $output);
-                    if ($return_var != 0) {
-                        //var_dump(VESTA_CMD . "v-copy-fs-file {$user} {$fn} {$path}");
-                        //var_dump($path);
-                        //var_dump($output);
-                        $file->error = 'Error while saving file ';
-//                        var_dump(VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} {$file_path}");
-//                        var_dump($return_var);
-//                        var_dump($output);
-//                        exit();
-                    }
+                chmod($uploaded_file, 0644);
+                exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
+                $error = check_return_code($return_var, $output);
+                if ($return_var != 0) {
+                    $file->error = 'Error while saving file ';
                 }
-            } else {
-                // Non-multipart uploads (PUT method support)
-                file_put_contents(
-                    $file_path,
-                    fopen('php://input', 'r'),
-                    $append_file ? FILE_APPEND : 0
-                );
             }
             $file_size = $this->get_file_size($file_path, $append_file);
 
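Review bot: The retained exec line interpolates `{$uploaded_file}` and `'{$file_path}'` into the shell command without `escapeshellarg()`; the literal single quotes around `$file_path` do not protect against a quote inside the value, and if `$file_path` carries the client-supplied file name (it is built outside this hunk) the command can be altered. Build it as `VESTA_CMD . "v-copy-fs-file " . USERNAME . " " . escapeshellarg($uploaded_file) . " " . escapeshellarg($file_path)`. Separately, `$append_file` is still computed above and passed to `get_file_size()` below even though the append branch was removed, so a ranged upload now overwrites instead of appending; either drop the variable or document that chunked-upload support was intentionally removed.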

+ 1 - 1
web/view/file/index.php

@@ -16,7 +16,7 @@ if (!empty($_REQUEST['path'])) {
     $path = $_REQUEST['path'];
     if (!empty($_REQUEST['raw'])) {
         header('content-type: image/jpeg');
-        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($_REQUEST['path']));
+        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));
         exit;
     }
 }
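Review bot: `htmlspecialchars()` is an HTML output encoder, not a path or shell sanitizer: wrapped inside `escapeshellarg()` it rewrites `&`, `<`, `>`, `"` and `'` into entities, so a legitimate file whose name contains one of those characters is no longer found by v-open-fs-file, while `escapeshellarg()` alone already supplied the shell quoting. If the intent is to constrain which paths a user may open, that check belongs in v-open-fs-file (ownership and realpath under the user's home), which is outside this diff; here either revert to `escapeshellarg($_REQUEST['path'])` and document where the constraint is enforced, or reject unexpected characters with an explicit error instead of silently altering the path.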