
Merge branch 'staging/1.6.5' into release

Jaap Marcus 3 лет назад
9070461fd2

+ 18 - 0
CHANGELOG.md

@@ -1,6 +1,24 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.5] - Service release 
+
+### Bugfixes
+
+- Add missing translation strings (#2778 @myrevery)
+- Add check if folder exists in v-change-web-domain-docroot (#2778)
+
+### Security
+
+- Improve random bytes generator (#2774)
+- Don't allow /inc/2fa/secret.php called from the web browser directly (#2784 @mayappear)
+- Improve CSRF Origin Check Bypass (#2785 @mayappear)
+- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE 2022-xxx-xxx)
+
+### Dependencies
+
+- Update Filegator to 7.8.2
+
 ## [1.6.4] - Service release 
 
 ### Bugfixes

+ 1 - 1
README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.6.4 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.5 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

+ 2 - 5
bin/v-change-web-domain-docroot

@@ -86,15 +86,12 @@ else
     # Check for existence of specified directory under target domain's public_html folder
     target_domain_directory="$HOMEDIR/$user/web/$target_domain"
     if [ -n "$target_directory" ]; then
-
         # Checking destination path
         real_target_directory="$(readlink -e "${target_domain_directory}/public_html/$target_directory/")"
-        if [ -z "$(echo $real_target_directory | egrep "^$target_domain_directory\b")" ]; then
-            check_result "$E_FORBIDEN" "Target dir outside of target domain dir"
-        fi
-
         if [ ! -e "$real_target_directory" ]; then
             check_result "$E_NOTEXIST" "Directory $target_directory does not exist under $HOMEDIR/$user/$target_domain/public_html/."
+        elif [ -z "$(echo $real_target_directory | egrep "^$target_domain_directory\b")" ]; then
+            check_result "$E_FORBIDEN" "Target dir outside of target domain dir"
         else
             CUSTOM_DOCROOT="$real_target_directory"
             if [ -n "$php" ]; then
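Review bot: The prefix check moved onto the new `elif` still passes `$target_domain_directory` to egrep as an unescaped pattern, so every `.` in the domain name matches any character and the trailing `\b` accepts a sibling path such as `…/web/example.com.evil` as being inside `…/web/example.com` — a symlink under public_html that resolves there would clear the check (the sibling belongs to the same user, so the impact is limited, but the check is still wrong). A plain string comparison avoids both problems: `elif [[ "$real_target_directory" != "$target_domain_directory/"* ]]; then` (or a `case` pattern if the script must stay POSIX sh). The unquoted `echo $real_target_directory` also word-splits paths containing spaces. The enclosing `else` branch begins above the hunk and the `if` chain continues below it.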

+ 1 - 1
install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.4'
+HESTIA_INSTALL_VER='1.6.5'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"

+ 1 - 1
install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.4'
+HESTIA_INSTALL_VER='1.6.5'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"

+ 1 - 1
install/upgrade/upgrade.conf

@@ -50,7 +50,7 @@ rl_v='1.16.0'
 # UPGRADE_UPDATE_FILEMANAGER_CONFIG: Updates only the configuration file if changes are made but now new issue has been issued!
 UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
 # Set version of File manager to update during upgrade if not already installed
-fm_v='7.8.1'
+fm_v='7.8.2'
 
 # Set version of PHPMailer to update during upgrade if not already installed
 pm_v='6.6.3'

+ 1 - 1
src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.6.4
+Version: 1.6.5
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

+ 4 - 1
web/inc/2fa/secret.php

@@ -1,5 +1,8 @@
 <?php
 
+session_start();
+if ((isset($_SESSION['userContext']) === False) && (php_sapi_name() !== 'cli'))  exit;
+
 require_once '/usr/local/hestia/web/inc/2fa/loader.php';
 Loader::register('./','RobThree\\Auth');
 
@@ -10,4 +13,4 @@ $tfa = new TwoFactorAuth('Hestia Control Panel');
 $secret = $tfa->createSecret(160);  // Though the default is an 80 bits secret (for backwards compatibility reasons) we recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)
 $qrcode = $tfa->getQRCodeImageAsDataUri(gethostname(), $secret);
 
-echo $secret . "-" . $qrcode;
+echo $secret . "-" . $qrcode;
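Review bot: The new guard exits silently with a 200 and an empty body when no session user is present; it should send `http_response_code(403);` before `exit;` so the refusal is visible to clients and in logs. It also keys on `$_SESSION['userContext']`, while main.php in this same commit gates the panel on `$_SESSION['user']`; if the two are not always set together, this check should use the same key as the rest of the panel — worth confirming against the login code. A bare `session_start()` here presumably skips whatever session/cookie settings main.php applies, so the check may run against a differently configured session; reusing the panel's session bootstrap would keep the two in step. Suggested: `if (php_sapi_name() !== 'cli' && empty($_SESSION['userContext'])) { http_response_code(403); exit; }`.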

+ 8 - 6
web/inc/main.php

@@ -7,14 +7,16 @@ use PHPMailer\PHPMailer\PHPMailer;
 use PHPMailer\PHPMailer\SMTP;
 use PHPMailer\PHPMailer\Exception;
 
-if (!file_exists(dirname(__FILE__).'/vendor/autoload.php')) {
-    trigger_error('Unable able to load required libaries. Please run v-add-sys-phpmailer in command line');
-    echo 'Unable able to load required libaries. Please run v-add-sys-phpmailer in command line';
+
+try {
+    require_once 'vendor/autoload.php';
+} catch (Throwable $ex) {
+    $errstr = 'Unable able to load required libaries. Please run v-add-sys-phpmailer in command line. Error: ' . $ex->getMessage();
+    trigger_error($errstr);
+    echo $errstr;
     exit(1);
 }
 
-require 'vendor/autoload.php';
-
 define('HESTIA_DIR_BIN', '/usr/local/hestia/bin/');
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
 define('DEFAULT_PHP_VERSION', 'php-' . exec('php -r "echo substr(phpversion(),0,3);"'));
@@ -92,7 +94,7 @@ if ((!isset($_SESSION['user'])) && (!defined('NO_AUTH_REQUIRED'))) {
 // Generate CSRF Token
 if (isset($_SESSION['user'])) {
     if (!isset($_SESSION['token'])) {
-        $token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
+        $token = bin2hex(random_bytes(16));
         $_SESSION['token'] = $token;
     }
 }
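Review bot: The `catch (Throwable $ex)` around `require_once 'vendor/autoload.php'` cannot catch the case the removed `file_exists` check handled: a missing file makes `require_once` raise an uncatchable E_COMPILE_ERROR fatal, so the "run v-add-sys-phpmailer" message is never shown when the autoloader is absent, which is the situation that message exists for. Keep an existence check before the require, anchored on this file's directory rather than a path resolved against include_path/cwd: `$autoload = __DIR__ . '/vendor/autoload.php'; if (!is_readable($autoload)) { trigger_error($errstr); echo $errstr; exit(1); } require_once $autoload;`. The catch can remain for errors thrown by the autoloader itself, but echoing `$ex->getMessage()` to the browser may disclose filesystem paths — log it and show a generic message. The `random_bytes(16)` change in the second hunk is the right fix.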

+ 12 - 8
web/inc/prevent_csrf.php

@@ -35,13 +35,16 @@
                 $hostname = explode(':', $_SERVER['HTTP_HOST']);
                 $port=$hostname[1];
                 $hostname=$hostname[0];
-                if (strpos($_SERVER['HTTP_ORIGIN'], gethostname()) !== false  && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
-                    return checkStrictness(2);
-                } else {
-                    if (strpos($_SERVER['HTTP_ORIGIN'], $hostname) !== false && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
-                        return checkStrictness(1);
+                if (isset($_SERVER['HTTP_ORIGIN'])) {
+                    $origin_host = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
+                    if (strcmp($origin_host, gethostname()) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
+                        return checkStrictness(2);
                     } else {
-                        return checkStrictness(0);
+                        if (strcmp($origin_host, $hostname) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
+                            return checkStrictness(1);
+                        } else {
+                            return checkStrictness(0);
+                        }
                     }
                 }
             }
@@ -60,10 +63,11 @@
                     return true;
                 }
                 if (isset($_SERVER['HTTP_REFERER'])) {
-                    if (strpos($_SERVER['HTTP_REFERER'], gethostname()) !== false  && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
+                    $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
+                    if (strcmp($referrer_host, gethostname()) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
                         return checkStrictness(2);
                     } else {
-                        if (strpos($_SERVER['HTTP_REFERER'], $hostname) !== false && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
+                        if (strcmp($referrer_host, $hostname) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
                             return checkStrictness(1);
                         } else {
                             return checkStrictness(0);
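Review bot: `parse_url(..., PHP_URL_HOST)` discards the Origin's scheme and port, so only the hostname is compared while `$port` still comes from the request's Host header — an Origin such as `http://<panel-host>` or `https://<panel-host>:<other port>` (any site served under the same name, if the panel host also serves web domains) is accepted as the panel's own origin. Compare the Origin's port too, defaulting it from the scheme: `$origin_port = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_PORT) ?? (parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_SCHEME) === 'https' ? 443 : 80);` and require `in_array((string)$origin_port, array('443', (string)$_SERVER['SERVER_PORT']), true)` before either `checkStrictness` branch. Hostnames are case-insensitive and `parse_url` returns null on a malformed Origin, so `strcasecmp((string)$origin_host, gethostname()) === 0` is safer than `strcmp` (which also emits a deprecation for null on PHP 8.1). The referrer branch in the second hunk has the same gap. The enclosing function starts before and ends after these hunks.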

+ 7 - 0
web/locale/hst_scan_i18n.sh

@@ -14,6 +14,13 @@ echo "" > hestiacp.pot
 find ../.. \( -name '*.php' -o -name '*.html' -o -name '*.sh' \) | xgettext --output=hestiacp.pot --language=PHP --join-existing -f -
 OLDIFS=$IFS
 IFS=$'\n'
+# Scan the description string for list updates page
+for string in $(awk -F'DESCR=' '/data=".+ DESCR=[^"]/ {print $2}' $HESTIA/bin/v-list-sys-hestia-updates | cut -d\' -f2); do
+    if [ -z "$(grep "\"$string\"" hestiacp.pot)" ]; then
+        echo -e "\n#: ../../bin/v-list-sys-hestia-updates:"$(grep -n "$string" $HESTIA/bin/v-list-sys-hestia-updates | cut -d: -f1)"\nmsgid \"$string\"\nmsgstr \"\"" >> hestiacp.pot
+    fi
+done
+# Scan the description string for list server page
 for string in $(awk -F'SYSTEM=' '/data=".+ SYSTEM=[^"]/ {print $2}' $HESTIA/bin/v-list-sys-services | cut -d\' -f2); do
     if [ -z "$(grep "\"$string\"" hestiacp.pot)" ]; then
         echo -e "\n#: ../../bin/v-list-sys-services:"$(grep -n "$string" $HESTIA/bin/v-list-sys-services | cut -d: -f1)"\nmsgid \"$string\"\nmsgstr \"\"" >> hestiacp.pot
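Review bot: In the new loop, `grep -n "$string" $HESTIA/bin/v-list-sys-hestia-updates` treats the description as an unanchored regex, so a string containing `.`, `[` or `(` can match the wrong line or fail, and several matches yield a multi-line `#:` reference in the .pot entry. Use a fixed-string, first-match lookup: `$(grep -nF -- "$string" "$HESTIA/bin/v-list-sys-hestia-updates" | head -n1 | cut -d: -f1)`, and quote `$HESTIA` on the awk line as well. `echo -e` will also interpret backslash sequences inside `$string`; `printf '%s\n'` is the safe form. The pre-existing v-list-sys-services loop below has the same pattern.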

+ 1 - 1
web/login/index.php

@@ -323,7 +323,7 @@ if (empty($_SESSION['language'])) {
 }
 
 // Generate CSRF token
-$token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
+$token = bin2hex(random_bytes(16));
 $_SESSION['token'] = $token;
 
 require_once('../templates/header.html');

+ 22 - 15
web/src/app/WebApp/Installers/DokuWiki/DokuWikiSetup.php

@@ -80,21 +80,28 @@ class DokuWikiSetup extends BaseSetup {
 
 		$installUrl = $webDomain . "install.php";
 
-		$cmd = "curl --request POST "
-		  . ($sslEnabled ? "" : "--insecure " )
-		  . "--url $installUrl "
-		  . "--header 'Content-Type: application/x-www-form-urlencoded' "
-		  . "--data l=en "
-		  . "--data 'd[title]=" . $options['wiki_name'] . "' "
-		  . "--data 'd[acl]=on' "
-		  . "--data 'd[superuser]=" . $options['superuser'] . "' "
-		  . "--data 'd[fullname]=" . $options['real_name'] . "' "
-		  . "--data 'd[email]=" . $options['email'] . "' "
-		  . "--data 'd[password]=" . $options['password'] . "' "
-		  . "--data 'd[confirm]=" . $options['password'] . "' "
-		  . "--data 'd[policy]=" . substr($options['initial_ACL_policy'], 0, 1) . "' "
-		  . "--data 'd[license]=" . explode(":", $options['content_license'])[0] . "' "
-		  . "--data submit=";
+		$cmd = implode(" ", array(
+			"/usr/bin/curl",
+			"--request POST",
+			($sslEnabled ? "" : "--insecure "),
+			"--url " . escapeshellarg($installUrl),
+			"--header 'Content-Type: application/x-www-form-urlencoded'",
+			'--data-binary ' . escapeshellarg(http_build_query(array(
+				"l" => "en",
+				"d" => array(
+					"title" => $options['wiki_name'],
+					'acl' => 'on',
+					'superuser' => $options['superuser'],
+					'fullname' => $options['real_name'],
+					'email' => $options['email'],
+					'password' => $options['password'],
+					'confirm' => $options['password'],
+					'policy' => substr($options['initial_ACL_policy'], 0, 1),
+					'license' => explode(":", $options['content_license'])[0]
+				),
+				'submit' => ''
+			)))
+		));
 
 		exec($cmd, $output, $return_var);
 		if($return_var > 0){