
Merge branch 'staging/1.5.12' into release

Jaap Marcus 3 лет назад
Родитель
Сommit
86cd373c78

+ 8 - 0
CHANGELOG.md

@@ -1,6 +1,14 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.5.12] - Service release
+
+### Bugfixes
+
+- Fixed vulnerability with Sed [CVE-2022-XXXX](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-XXXX)
+- Remove localhost exception for invalidating sessions [SSD disclosure](https://ssd-disclosure.com/ssd-advisory-vestacp-multiple-vulnerabilities/)
+- 
+
 ## [1.5.11] - Service release
 
 ### Bugfixes

+ 1 - 1
README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.5.11 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.5.12 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

+ 2 - 1
bin/v-add-backup-host

@@ -104,7 +104,8 @@ EOF
 if [ "$type" != 'local' ];then
     check_args '4' "$#" "TYPE HOST USERNAME PASSWORD [PATH] [PORT]"
     is_format_valid 'host' 'path' 'port'
-    is_username_format_valid "$username" "username"
+    is_type_valid  'sftp,ftp,b2' "$type"
+    is_username_format_valid "$user" "username"
     is_password_valid
     format_no_quotes "$password" "password"
     

+ 1 - 0
bin/v-add-cron-job

@@ -44,6 +44,7 @@ is_object_unsuspended 'user' 'USER' "$user"
 is_package_full 'CRON_JOBS'
 get_next_cronjob
 is_format_valid 'job'
+is_format_valid 'restart'
 is_object_new 'cron' 'JOB' "$job"
 
 # Perform verification if read-only mode is enabled

+ 4 - 0
bin/v-add-dns-domain

@@ -66,6 +66,10 @@ if [ -z "$(is_ip_format_valid $domain)" ]; then
     exit 1
 fi
 
+if [ -n "$restart" ]; then 
+    is_format_valid 'restart'
+fi
+
 is_package_full 'DNS_DOMAINS'
 template=$(get_user_value '$DNS_TEMPLATE')
 is_dns_template_valid "$template"

+ 3 - 0
bin/v-add-dns-record

@@ -96,6 +96,9 @@ is_object_new "dns/$domain" 'ID' "$id"
 is_dns_fqnd "$rtype" "$dvalue"
 is_dns_nameserver_valid "$domain" "$rtype" "$dvalue"
 is_format_valid 'ttl'
+if [ -n "$restart" ]; then
+    is_format_valid 'restart'
+fi
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode

+ 1 - 1
bin/v-add-fastcgi-cache

@@ -31,7 +31,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER DOMAIN [DURATION] [DEBUG] [RESTART]'
-is_format_valid 'user' 'domain'
+is_format_valid 'user' 'domain' 'restart'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"

+ 2 - 1
bin/v-add-firewall-chain

@@ -13,6 +13,7 @@
 # Argument definition
 chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
 port=$2
+port_ext=$2
 protocol=${4-TCP}
 protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 
@@ -40,7 +41,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
-is_format_valid 'chain'
+is_format_valid 'chain' 'port_ext' 'protocol'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 
 # Perform verification if read-only mode is enabled

+ 1 - 1
bin/v-add-mail-domain

@@ -48,7 +48,7 @@ domain_utf=$(idn -t --quiet -u "$domain_idn")
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER DOMAIN [ANTISPAM] [ANTIVIRUS] [DKIM] [DKIM_SIZE]'
-is_format_valid 'user' 'domain' 'antispam' 'antivirus' 'dkim' 'dkim_size'
+is_format_valid 'user' 'domain' 'antispam' 'antivirus' 'dkim' 'dkim_size' 'restart'
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"

+ 3 - 0
bin/v-add-mail-domain-ssl

@@ -63,6 +63,9 @@ is_web_domain_cert_valid
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+if [ -n "$restart" ]; then 
+    is_format_valid "$restart"
+fi
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
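Review bot: `is_format_valid "$restart"` on the added line passes the value of `$restart`, where every other restart check in this commit passes the argument name (`is_format_valid 'restart'`). The helper dispatches on names, as the `case` entries in func/main.sh show, so here the restart argument itself is presumably never checked. Change the line to `is_format_valid 'restart'`. The block also sits after `check_hestia_demo_mode`, while the sibling scripts validate before it; moving it up into the verification section would keep the order consistent.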

+ 1 - 1
bin/v-add-mail-domain-webmail

@@ -61,7 +61,7 @@ if [ -z "$webmail" ]; then
 fi
 
 check_args '2' "$#" 'USER DOMAIN [WEBMAIL] [RESTART]'
-is_format_valid 'user' 'domain'
+is_format_valid 'user' 'domain' 'restart'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_system_enabled "$IMAP_SYSTEM" 'IMAP_SYSTEM'
 is_type_valid "$WEBMAIL_SYSTEM disabled" "$webmail"

+ 3 - 0
bin/v-add-remote-dns-domain

@@ -32,6 +32,9 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '2' "$#" 'USER DOMAIN [FLUSH]'
 is_format_valid 'user' 'domain'
+if [ -n "$flush" ]; then
+    is_type_valid "records yes no" "$flush" 
+fi
 is_system_enabled "$DNS_CLUSTER" 'DNS_CLUSTER'
 is_procces_running
 remote_dns_health_check

+ 1 - 1
bin/v-add-remote-dns-host

@@ -46,7 +46,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 args_usage='HOST PORT USER [PASSWORD] [TYPE] [DNS_USER]'
 check_args '3' "$#" "$args_usage"
-is_format_valid 'host' 'port' 'type' 'dns_user'
+is_format_valid 'host' 'port' 'dns_user'
 if [ -z "$password" ]; then
     is_format_valid 'hash'
 else
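Review bot: Dropping `'type'` from `is_format_valid 'host' 'port' 'dns_user'` leaves the optional TYPE argument with no visible validation in this hunk, in a commit whose purpose is to tighten argument checks. If the name was removed because `is_format_valid` has no suitable `type` mapping, replace it with an allow-list check in the style used elsewhere in this commit, `is_type_valid "<allowed types>" "$type"`, filling in the values the script actually accepts. The `if`/`else` on `$password` continues past the end of the hunk, so a later check may exist there.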

+ 8 - 10
bin/v-change-user-ns

@@ -38,29 +38,31 @@ check_args '3' "$#" 'USER NS1 NS2 [NS3] [NS4] [NS5] [NS6] [NS7] [NS8]'
 
 # Checking argument format
 is_format_valid 'user' 'ns1' 'ns2'
+
+ns="$ns1,$ns2"
 if [ -n "$ns3" ]; then
-    ns3=$(echo "$4" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns3'
+    ns="$ns,$ns3"
 fi
 if [ -n "$ns4" ]; then
-    ns4=$(echo "$5" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns4'
+    ns="$ns,$ns4"
 fi
 if [ -n "$ns5" ]; then
-    ns5=$(echo "$6" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns5'
+    ns="$ns,$ns5"
 fi
 if [ -n "$ns6" ]; then
-    ns6=$(echo "$7" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns6'
+    ns="$ns,$ns6"
 fi
 if [ -n "$ns7" ]; then
-    ns7=$(echo "$8" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns7'
+    ns="$ns,$ns7"
 fi
 if [ -n "$ns8" ]; then
-    ns8=$(echo "$9" | sed -e 's/\.*$//g' -e 's/^\.*//g')
     is_format_valid 'ns8'
+    ns="$ns,$ns8"
 fi
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -72,10 +74,6 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Merging values
-ns="$ns1,$ns2,$ns3,$ns4,$ns5,$ns6,$ns7,$ns8"
-ns=$(echo "$ns" | sed -e "s/,,//g" -e "s/,$//")
-
 # Changing ns values
 update_user_value "$user" '$NS' "$ns"
 

+ 1 - 1
bin/v-change-user-theme

@@ -27,7 +27,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-is_format_valid 'user'
+is_format_valid 'user' 'theme'
 is_common_format_valid "$theme" "theme"
 is_object_valid 'user' 'USER' "$user"
 

+ 1 - 0
bin/v-change-web-domain-name

@@ -40,6 +40,7 @@ format_domain_idn
 
 check_args '3' "$#" 'USER DOMAIN NEW_DOMAIN [RESTART]'
 is_format_valid 'user' 'domain'
+is_domain_format_valid "$new_domain"
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"

+ 1 - 1
bin/v-delete-database-temp-user

@@ -33,7 +33,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'USER DATABASE DBUSER [TYPE] [HOST]'
-is_format_valid 'user' 'dbuser'
+is_format_valid 'user' 'database' 'dbuser'
 is_system_enabled "$DB_SYSTEM" 'DB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"

+ 2 - 1
bin/v-delete-dns-on-web-alias

@@ -13,6 +13,7 @@
 # Argument definition
 user=$1
 domain=$2
+alias=$3
 domain_idn=$2
 dom_alias=$(idn -t --quiet -u "$3" )
 dom_alias=$(echo $dom_alias |sed -e 's/\.*$//g' -e 's/^\.*//g')
@@ -43,7 +44,7 @@ check_hestia_demo_mode
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'USER DOMAIN ALIAS [RESTART]'
-is_format_valid 'user' 'domain'
+is_format_valid 'user' 'domain' 'alias' 'restart'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"

+ 1 - 0
bin/v-delete-mail-account-forward

@@ -36,6 +36,7 @@ format_domain_idn
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN ACCOUNT FORWARD'
+is_format_valid 'user' 'domain' 'account'
 if [ "$forward"  != ':blackhole:' ]; then
     is_format_valid 'forward'
 fi

+ 3 - 3
bin/v-delete-user-notification

@@ -12,7 +12,7 @@
 
 # Argument definition
 user=$1
-nid=$2
+id=$2
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -27,7 +27,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER NOTIFICATION'
-is_format_valid 'user' 'nid'
+is_format_valid 'user' 'id'
 is_object_valid 'user' 'USER' "$user"
 
 # Perform verification if read-only mode is enabled
@@ -38,7 +38,7 @@ check_hestia_demo_mode
 #----------------------------------------------------------#
 
 # Deleting notification
-sed -i "/NID='$nid' /d" $USER_DATA/notifications.conf 2>/dev/null
+sed -i "/NID='$id' /d" $USER_DATA/notifications.conf 2>/dev/null
 
 # Checking last notification
 if [ -e "$USER_DATA/notifications.conf" ]; then

+ 1 - 0
bin/v-delete-user-ssh-key

@@ -29,6 +29,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '2' "$#" 'USER KEYID'
 is_format_valid 'user'
+is_no_new_line_format "$key_id"
 is_object_valid 'user' 'USER' "$user"
 
 source "$USER_DATA/user.conf"

+ 5 - 0
bin/v-generate-ssl-cert

@@ -72,6 +72,11 @@ fi
 args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
 check_args '7' "$#" "$args_usage"
 is_format_valid 'domain' 'aliases' 'format' 'email'
+is_common_format_valid $country "country"
+is_common_format_valid $state "state"
+is_common_format_valid $org "org"
+is_common_format_valid $unit "unit"
+
 
 release="$(lsb_release -s -r)"
 
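Review bot: The four added calls expand `$country`, `$state`, `$org` and `$unit` unquoted, so a value containing spaces is word-split before the validator sees it. Only the first word is checked as `$1` and the second word replaces the field name in `$2`; an empty value shifts the label into `$1`. Quote them, e.g. `is_common_format_valid "$state" "state"`. The usage string also lists CITY, which gets no check here; add `is_common_format_valid "$city" "city"` if that is the variable the script assigns (its definition is outside the hunk).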

+ 1 - 1
bin/v-get-user-salt

@@ -64,7 +64,7 @@ csv_list() {
 
 
 check_args '1' "$#" 'USER [IP] [SALT]'
-is_format_valid 'user'
+is_format_valid 'user' 'ip'
 
 # Checking user
 if [ ! -d "$HESTIA/data/users/$user" ]; then

+ 3 - 0
bin/v-log-action

@@ -31,6 +31,8 @@ event_level=$2
 export event_category=$3
 event_details=$4
 
+is_common_format_valid "$event_level" "event level"
+
 # Validate event type input
 if [ "$event_level" != "Info" ] && [ "$event_level" != "Warning" ] && [ "$event_level" != "Error" ]; then 
     echo "Error: Invalid event type specified."
@@ -47,6 +49,7 @@ fi
 
 check_args '4' "$#" 'USER TYPE CATEGORY DETAILS'
 if [ "$user" != "system" ]; then
+    is_format_valid 'user'
     is_object_valid 'user' 'USER' "$user"
 fi
 

+ 1 - 0
bin/v-log-user-logout

@@ -24,6 +24,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '2' "$#" 'USER SESSION_ID'
 is_format_valid 'user'
+is_common_format_valid "$session_id" "Session ID"
 is_object_valid 'user' 'USER' "$user"
 
 if [ ! -f "$USER_DATA/auth.log" ]; then

+ 3 - 2
bin/v-purge-nginx-cache

@@ -13,6 +13,7 @@
 # Argument definition
 user=$1
 domain=$2
+rstart=$3
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -28,8 +29,8 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER DOMAIN'
-is_format_valid 'user' 'domain'
+check_args '2' "$#" 'USER DOMAIN [RESTART]'
+is_format_valid 'user' 'domain' 'restart'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"

+ 1 - 1
bin/v-schedule-letsencrypt-domain

@@ -30,7 +30,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER DOMAIN [ALIASES]'
-is_format_valid 'user' 'domain'
+is_format_valid 'user' 'domain' 'aliases'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
 is_object_valid 'user' 'USER' "$user"

+ 1 - 0
bin/v-update-host-certificate

@@ -36,6 +36,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '1' "$#" '[USER] [HOSTNAME]'
 is_format_valid 'user'
+is_domain_format_valid "$hostname" "hostname"
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
 is_object_valid 'user' 'USER' "$user"

+ 3 - 0
bin/v-update-letsencrypt-ssl

@@ -175,7 +175,10 @@ for user in $($HESTIA/bin/v-list-sys-users plain); do
 
 done
 
+# Restart related services
 $HESTIA/bin/v-restart-web yes
+$HESTIA/bin/v-restart-mail yes
+
 if [ -n "$PROXY_SYSTEM" ]; then
     $HESTIA/bin/v-restart-proxy yes
 fi
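Review bot: `$HESTIA/bin/v-restart-mail yes` is called unconditionally, while the proxy restart just below it is guarded by `if [ -n "$PROXY_SYSTEM" ]`. On a host without a mail stack this presumably triggers a restart for a service that is not configured. Guard it the same way: `if [ -n "$MAIL_SYSTEM" ]; then $HESTIA/bin/v-restart-mail yes; fi`.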

+ 1 - 1
bin/v-update-user-backup-exclusions

@@ -40,7 +40,7 @@ is_file_valid() {
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER FILE'
-is_format_valid 'user' 'vfile'
+is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_file_available
 is_file_valid

+ 27 - 3
func/main.sh

@@ -672,13 +672,13 @@ is_user_format_valid() {
 }
 
 # Domain format validator
-# removed "" around  \.\. and $(printf '\t'): SC2076: Don't quote right-hand side of =~, it'll match literally rather than as a regex. And we need regex match!
 is_domain_format_valid() {
     object_name=${2-domain}
     exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|_|/|\|\"|'|;|%|\`| ]"
     if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ \.\. ]] || [[ $1 =~ $(printf '\t') ]] ||  [[ "$1" = "www" ]]; then
         check_result "$E_INVALID" "invalid $object_name format :: $1"
     fi
+    is_no_new_line_format "$1";
 }
 
 # Alias forman validator
@@ -815,6 +815,7 @@ is_extention_format_valid() {
     if [[ "$1" =~ $exclude ]]; then
         check_result "$E_INVALID" "invalid proxy extention format :: $1"
     fi
+    is_no_new_line_format "$1";
 }
 
 # Number format validator
@@ -871,6 +872,14 @@ is_common_format_valid() {
     if [[ $(echo -n "$1" | grep -c '\_\_') -gt 0 ]]; then
            check_result "$E_INVALID" "invalid $2 format :: $1"
     fi
+    is_no_new_line_format "$1";
+}
+
+is_no_new_line_format() {
+    test=$(echo $1 | sed -e 's/\.*$//g' -e 's/^\.*//g');
+    if [[ "$test" != "$1" ]]; then
+      check_result "$E_INVALID" "invalid value :: $1"
+    fi
 }
 
 is_string_format_valid() {
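Review bot: `is_no_new_line_format` detects a line break only as a side effect of the unquoted `echo $1`, which word-splits and glob-expands the value before `sed` sees it. That also rejects values with leading, trailing or repeated whitespace and anything containing `*` or `?` that matches a file in the working directory, and the `sed` expressions additionally reject leading and trailing dots, none of which the function name or a header comment announces. `test` is also assigned as a global that shadows the builtin's name. I would test for the line break explicitly, quote the input, make the variable local and add a one-line comment like the other validators have; the dot rule is kept below, the whitespace and glob side effects are not, so confirm no caller depends on them.

```shell
# Reject values that contain a line break or begin/end with a dot
is_no_new_line_format() {
    local stripped
    stripped=$(printf '%s' "$1" | sed -e 's/\.*$//g' -e 's/^\.*//g')
    if [[ "$1" == *$'\n'* ]] || [[ "$stripped" != "$1" ]]; then
        check_result "$E_INVALID" "invalid value :: $1"
    fi
}
```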
@@ -878,6 +887,7 @@ is_string_format_valid() {
   if [[ "$1" =~ $exclude ]]; then
       check_result "$E_INVALID" "invalid $2 format :: $1"
   fi
+  is_no_new_line_format "$1";
 }
 
 # Database format validator
@@ -886,6 +896,7 @@ is_database_format_valid() {
     if [[ "$1" =~ $exclude ]] || [ 64 -le ${#1} ]; then
         check_result "$E_INVALID" "invalid $2 format :: $1"
     fi
+    is_no_new_line_format "$1";
 }
 
 # Date format validator
@@ -904,6 +915,7 @@ is_dbuser_format_valid() {
     if [[ "$1" =~ $exclude ]]; then
         check_result "$E_INVALID" "invalid $2 format :: $1"
     fi
+    is_no_new_line_format "$1"
 }
 
 # DNS record type validator
@@ -926,7 +938,7 @@ is_dns_record_format_valid() {
         is_domain_format_valid "${1::-1}" 'mx_record'
         is_int_format_valid "$priority" 'priority_record'
     fi
-
+    is_no_new_line_format "$1";
 }
 
 # Email format validator
@@ -1052,7 +1064,7 @@ is_object_format_valid() {
 
 # Role validator 
 is_role_valid (){
-    if ! [[ "$1" =~ ^admin|user$ ]]; then
+    if ! [[ "$1" =~ ^admin$|^user$ ]]; then
         check_result "$E_INVALID" "invalid $2 format :: $1"
     fi
 }
@@ -1097,12 +1109,14 @@ is_format_valid() {
                 action)         is_fw_action_format_valid "$arg";;
                 active)         is_boolean_format_valid "$arg" 'active' ;;
                 aliases)        is_alias_format_valid "$arg" ;;
+                alias)          is_alias_format_valid "$arg" ;;        
                 antispam)       is_boolean_format_valid "$arg" 'antispam' ;;
                 antivirus)      is_boolean_format_valid "$arg" 'antivirus' ;;
                 autoreply)      is_autoreply_format_valid "$arg" ;;
                 backup)         is_object_format_valid "$arg" 'backup' ;;
                 charset)        is_object_format_valid "$arg" "$arg_name" ;;
                 charsets)       is_common_format_valid "$arg" 'charsets' ;;
+                chain)          is_object_format_valid "$arg" 'chain' ;;
                 comment)        is_object_format_valid "$arg" 'comment' ;;
                 database)       is_database_format_valid "$arg" 'database';;
                 day)            is_cron_format_valid "$arg" $arg_name ;;
@@ -1111,11 +1125,13 @@ is_format_valid() {
                 dkim)           is_boolean_format_valid "$arg" 'dkim' ;;
                 dkim_size)      is_int_format_valid "$arg" ;;
                 domain)         is_domain_format_valid "$arg" ;;
+                dom_alias)      is_alias_format_valid "$arg" ;;
                 dvalue)         is_dns_record_format_valid "$arg";;
                 email)          is_email_format_valid "$arg" ;;
                 email_forward)  is_email_format_valid "$arg" ;;
                 exp)            is_date_format_valid "$arg" ;;
                 extentions)     is_common_format_valid "$arg" 'extentions' ;;
+                format)         is_type_valid 'plain json shell csv' "$arg" ;;
                 ftp_password)   is_password_format_valid "$arg" ;;
                 ftp_user)       is_user_format_valid "$arg" "$arg_name" ;;
                 hash)           is_hash_format_valid "$arg" "$arg_name" ;;
@@ -1163,9 +1179,11 @@ is_format_valid() {
                 soa)            is_domain_format_valid "$arg" 'SOA' ;;	
                 #missing command: is_format_valid_shell
                 shell)          is_format_valid_shell "$arg" ;;
+                ssl_dir)        is_folder_exists "$arg" "$arg_name" ;;
                 stats_pass)     is_password_format_valid "$arg" ;;
                 stats_user)     is_user_format_valid "$arg" "$arg_name" ;;
                 template)       is_object_format_valid "$arg" "$arg_name" ;;
+                theme)          is_common_format_valid "$arg" "$arg_name" ;;
                 ttl)            is_int_format_valid "$arg" 'ttl';;
                 user)           is_user_format_valid "$arg" $arg_name;;
                 wday)           is_cron_format_valid "$arg" $arg_name ;;
@@ -1175,6 +1193,11 @@ is_format_valid() {
     done
 }
 
+is_folder_exists () {
+  if [ ! -d "$1" ]; then 
+    check_result "$E_NOTEXIST" "folder $1 does not exist"
+  fi
+}
 # Domain argument formatting
 format_domain() {
     if [[ "$domain" = *[![:ascii:]]* ]]; then
@@ -1370,6 +1393,7 @@ format_no_quotes() {
     if [[ "$1" =~ $exclude ]]; then
        check_result "$E_INVALID" "Invalid $2 contains qoutes (\" or ') :: $1"
     fi
+    is_no_new_line_format "$1"
 }
 
 is_username_format_valid(){

+ 1 - 1
install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.11'
+HESTIA_INSTALL_VER='1.5.12'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"

+ 1 - 1
install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.11'
+HESTIA_INSTALL_VER='1.5.12'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"

+ 1 - 1
src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.5.11
+Version: 1.5.12
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

+ 349 - 0
test/checks.bats

@@ -0,0 +1,349 @@
+#!/usr/bin/env bats
+
+if [ "${PATH#*/usr/local/hestia/bin*}" = "$PATH" ]; then
+    . /etc/profile.d/hestia.sh
+fi
+
+load 'test_helper/bats-support/load'
+load 'test_helper/bats-assert/load'
+load 'test_helper/bats-file/load'
+
+function random() {
+head /dev/urandom | tr -dc 0-9 | head -c$1
+}
+
+function setup() {
+    # echo "# Setup_file" > &3
+    if [ $BATS_TEST_NUMBER = 1 ]; then
+        echo 'user=test-5285' > /tmp/hestia-test-env.sh
+        echo 'user2=test-5286' >> /tmp/hestia-test-env.sh
+        echo 'userbk=testbk-5285' >> /tmp/hestia-test-env.sh
+        echo 'userpass1=test-5285' >> /tmp/hestia-test-env.sh
+        echo 'userpass2=t3st-p4ssw0rd' >> /tmp/hestia-test-env.sh
+        echo 'HESTIA=/usr/local/hestia' >> /tmp/hestia-test-env.sh
+        echo 'domain=test-5285.hestiacp.com' >> /tmp/hestia-test-env.sh
+        echo 'domainuk=test-5285.hestiacp.com.uk' >> /tmp/hestia-test-env.sh
+        echo 'rootdomain=testhestiacp.com' >> /tmp/hestia-test-env.sh
+        echo 'subdomain=cdn.testhestiacp.com' >> /tmp/hestia-test-env.sh
+        echo 'database=test-5285_database' >> /tmp/hestia-test-env.sh
+        echo 'dbuser=test-5285_dbuser' >> /tmp/hestia-test-env.sh
+    fi
+    
+    source /tmp/hestia-test-env.sh
+    source $HESTIA/func/main.sh
+    source $HESTIA/conf/hestia.conf
+    source $HESTIA/func/ip.sh
+}
+
+@test "is_access_key_id_format_valid valid" {
+    run is_access_key_id_format_valid 'M0ocDoIKbsoXSqtk1mgc' "key"
+    assert_success
+}
+@test "is_access_key_id_format_valid short" {
+    run is_access_key_id_format_valid 'M0ocDoIKbsoXSqtk1mg' "key"
+    assert_failure $E_INVALID
+}
+@test "is_access_key_id_format_valid long" {
+    run is_access_key_id_format_valid 'M0ocDoIKbsoXSqtk1mgca' "key"
+    assert_failure $E_INVALID
+}
+@test "is_access_key_id_format_valid non alpha" {
+    run is_access_key_id_format_valid 'M0ocDoIKbsoX$qtk1mgc' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_access_key_id_format_valid LHF" {
+    run is_access_key_id_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_user_format_valid valid" {
+    run is_user_format_valid 'hxh54SKbALne4s69VsqJRMbMd8Br' "key"
+    assert_success
+}
+@test "is_user_format_valid short" {
+    run is_user_format_valid 'hxh54SKbALne4s69VsqJR' "key"
+    assert_success
+}
+@test "is_user_format_valid long" {
+    run is_user_format_valid 'hxh54SKbALne4s69VsqJRMbMd8Braaa' "key"
+    assert_failure $E_INVALID
+}
+@test "is_user_format_valid dash" {
+    run is_user_format_valid 'hxh54SKbALne4-s6-VsqJRMbMd8Br' "key"
+    assert_success
+}
+
+@test "is_user_format_valid dash repeat" {
+    run is_user_format_valid 'hxh54SKbALne4s6--VsqJRMbMd8Br' "key"
+    assert_success
+}
+@test "is_user_format_valid dash start" {
+    run is_user_format_valid '-hxh54SKbALne4s6VsqJRMbMd8Br' "key"
+    assert_failure $E_INVALID
+}
+@test "is_user_format_valid dash end" {
+    run is_user_format_valid 'hxh54SKbALne4s6VsqJRMbMd8Br-' "key"
+    assert_failure $E_INVALID
+}
+@test "is_user_format_valid LHF" {
+    run is_user_format_valid 'M0ocDoIK
+    soXSqtk1mgc' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_fw_action_format_valid ACCEPT" {
+    run is_fw_action_format_valid 'ACCEPT' "key"
+    assert_success
+}
+@test "is_fw_action_format_valid DROP" {
+    run is_fw_action_format_valid 'DROP' "key"
+    assert_success
+}
+@test "is_fw_action_format_valid TEST" {
+    run is_fw_action_format_valid 'TEST' "key"
+    assert_failure $E_INVALID
+}
+@test "is_fw_action_format_valid LHF" {
+    run is_fw_protocol_format_valid 'M0ocDoIK
+    soXSqtk1mgc' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_fw_protocol_format_valid ICMP" {
+    run is_fw_protocol_format_valid 'ICMP' "key"
+    assert_success
+}
+
+@test "is_fw_protocol_format_valid UDP" {
+    run is_fw_protocol_format_valid 'UDP' "key"
+    assert_success
+}
+@test "is_fw_protocol_format_valid TCP" {
+    run is_fw_protocol_format_valid 'TCP' "key"
+    assert_success
+}
+@test "is_fw_protocol_format_valid TEST" {
+    run is_fw_protocol_format_valid 'TEST' "key"
+    assert_failure $E_INVALID
+}
+
+
+@test "is_domain_format_valid success" {
+     run is_domain_format_valid 'hestiacp.com' "key"
+    assert_success
+}
+
+@test "is_domain_format_valid www" {
+     run is_domain_format_valid 'www' "key"
+    assert_failure $E_INVALID
+}
+@test "is_domain_format_valid number" {
+     run is_domain_format_valid '12345' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_domain_format_valid .." {
+     run is_domain_format_valid '..' "key"
+    assert_failure $E_INVALID
+}
+@test "is_domain_format_valid LF." {
+     run is_domain_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_alias_format_valid success" {
+     run is_domain_format_valid 'hestiacp.com' "key"
+    assert_success
+}
+
+@test "is_alias_format_valid www" {
+     run is_domain_format_valid 'www' "key"
+    assert_failure $E_INVALID
+}
+@test "is_alias_format_valid number" {
+     run is_domain_format_valid '12345' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_alias_format_valid .." {
+     run is_domain_format_valid '..' "key"
+    assert_failure $E_INVALID
+}
+@test "is_alias_format_valid LF." {
+     run is_domain_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_extention_format_valid test" {
+     run is_extention_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_string_format_valid test" {
+     run is_string_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_database_format_valid test" {
+     run is_database_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_date_format_valid test" {
+     run is_date_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_dbuser_format_valid test" {
+     run is_dbuser_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_dns_type_format_valid test" {
+     run is_dns_type_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_dns_record_format_valid test" {
+     run is_dns_record_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_email_format_valid test" {
+     run is_email_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_fw_port_format_valid test" {
+     run is_fw_port_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_int_format_valid test" {
+     run is_int_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_interface_format_valid test" {
+     run is_interface_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_ip_status_format_valid test" {
+     run is_ip_status_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_cron_format_valid test" {
+     run is_cron_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_name_format_valid test" {
+     run is_name_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+
+@test "is_role_valid test" {
+     run is_role_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_object_format_valid test" {
+     run is_object_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+
+@test "is_common_format_valid test" {
+     run is_common_format_valid 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "format_no_quotes test" {
+     run format_no_quotes 'c
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
+
+@test "is_type_valid" {
+    run is_type_valid 'c
+    1eshutdown
+    r' "test,key"
+    assert_failure $E_INVALID
+}
+
+@test "is_command_valid_format v-list-users" {
+    run is_command_valid_format 'v-list-users'
+    assert_success
+}
+
+@test "is_command_valid_format v-list--users (Fail)" {
+    run is_command_valid_format 'v-list--users'
+    assert_failure $E_INVALID
+}
+
+@test "is_command_valid_format h-list-users (Fail)" {
+    run is_command_valid_format 'h-list-users'
+    assert_failure $E_INVALID
+}
+
+@test "is_command_valid_format list-users (Fail)" {
+    run is_command_valid_format 'list-users'
+    assert_failure $E_INVALID
+}
+
+@test "is_command_valid_format vlist-users (Fail)" {
+    run is_command_valid_format 'vlist-users'
+    assert_failure $E_INVALID
+}
+
+@test "is_command_valid_format LF (Fail)" {
+     run is_command_valid_format 'v-
+1eshutdown
+r' "key"
+    assert_failure $E_INVALID
+}
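Review bot: Several tests do not exercise the function they are named for: the five `is_alias_format_valid …` cases call `is_domain_format_valid`, and `is_fw_action_format_valid LHF` calls `is_fw_protocol_format_valid`, so the alias and firewall-action validators get no line-break coverage. Point them at the named functions, e.g. `run is_alias_format_valid 'hestiacp.com' "key"`. `setup()` also writes to and sources the fixed path `/tmp/hestia-test-env.sh`; a per-run file under `$BATS_TMPDIR` (or one from `mktemp`) avoids sourcing a file another local user could have created first. There is no direct test for `is_no_new_line_format` itself, and the `is_type_valid` case passes the value first and the list second, the reverse of the call sites in this commit.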

+ 1 - 1
web/inc/main.php

@@ -64,7 +64,7 @@ if (!isset($_SESSION['user_combined_ip'])) {
 }
 
 // Checking user to use session from the same IP he has been logged in
-if ($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1') {
+if ($_SESSION['user_combined_ip'] != $user_combined_ip) {
     $v_user = escapeshellarg($_SESSION['user']);
     $v_session_id = escapeshellarg($_SESSION['token']);
     exec(HESTIA_CMD . 'v-log-user-logout ' . $v_user . ' ' . $v_session_id, $output, $return_var);
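Review bot: The comment above the condition does not record why loopback clients are no longer exempt, which makes the `127.0.0.1` clause easy to reintroduce later. I would extend it to something like `// No exemption for 127.0.0.1: a loopback REMOTE_ADDR must not skip the session/IP binding`. The comparison could also use `!==`, assuming both sides are always strings; where `$user_combined_ip` is built is outside this hunk. The `if` body continues past the end of the hunk.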