
Merge pull request #1352 from Lupul/fix-2020-11-08

Fix custom docroot validation and minor code cleanup
Jaap Marcus 5 years ago
parent
commit
bf073dcf5d
3 changed files with 41 additions and 36 deletions
  1. 15 8
      bin/v-change-web-domain-docroot
  2. 19 11
      web/edit/web/index.php
  3. 7 17
      web/templates/admin/edit_web.html

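--- a/bin/v-change-web-domain-docroot
+++ b/bin/v-change-web-domain-docroot
@@ -80,21 +80,28 @@ if [ "$target_domain" = "default" ]; then
     update_object_value 'web' 'DOMAIN' "$domain" '$CUSTOM_PHPROOT' "" 
 else
     # Check for existence of specified directory under target domain's public_html folder
+    target_domain_directory="$HOMEDIR/$user/web/$target_domain"
     if [ ! -z "$target_directory" ]; then
-        if [ ! -e "$HOMEDIR/$user/web/$target_domain/public_html/$target_directory" ]; then
-            echo "ERROR: Directory $target_directory does not exist under $HOMEDIR/$user/$target_domain/public_html/."
-            exit 1
+
+        # Checking destination path
+        real_target_directory="$(readlink -e "${target_domain_directory}/public_html/$target_directory/")"
+        if [ -z "$(echo $real_target_directory | egrep "^$target_domain_directory\b")" ]; then
+            check_result $E_FORBIDEN "Error: target dir outside of target domain dir"
+        fi
+
+        if [ ! -e "$real_target_directory" ]; then
+            check_result $E_NOTEXIST "ERROR: Directory $target_directory does not exist under $HOMEDIR/$user/$target_domain/public_html/."
         else
-            CUSTOM_DOCROOT="$HOMEDIR/$user/web/$target_domain/public_html/$target_directory/"
+            CUSTOM_DOCROOT="$real_target_directory"
             if [ ! -z "$php" ]; then
-                custom_phproot="$HOMEDIR/$user/web/$target_domain/public_html/"
+                custom_phproot="${target_domain_directory}/public_html/"
             else
-                custom_phproot="$HOMEDIR/$user/web/$target_domain/public_html/$target_directory/"
+                custom_phproot="$real_target_directory"
             fi
         fi
     else
-        CUSTOM_DOCROOT="$HOMEDIR/$user/web/$target_domain/public_html/"
-        custom_phproot="$HOMEDIR/$user/web/$target_domain/public_html/"
+        CUSTOM_DOCROOT="${target_domain_directory}/public_html/"
+        custom_phproot="${target_domain_directory}/public_html/"
     fi
     
     add_object_key 'web' 'DOMAIN' "$domain" 'CUSTOM_DOCROOT' 'IP6'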
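Review bot: The E_NOTEXIST branch at `if [ ! -e "$real_target_directory" ]` is unreachable for a missing directory: `readlink -e` prints nothing when the path does not exist, so `$real_target_directory` is empty, the `egrep` prefix test fails first and the user is told the directory is "outside of target domain dir" (assuming `check_result` exits on a non-zero code, as its use here suggests). The prefix test itself is loose: `$target_domain_directory` is expanded unquoted into the `echo` and unescaped into the regex, so `.` in the domain name matches any character and `\b` accepts a sibling such as `example.com.bak` — still the same user's tree, but not the target domain the message promises. Checking emptiness first and then comparing the resolved path as a literal slash-terminated prefix (a `case` pattern, no regex) removes both problems and also drops the now-redundant `-e` test; the message gains the `/web/` component the current one omits. The enclosing `if [ "$target_domain" = "default" ]` starts before this hunk.
```shell
        # Checking destination path
        real_target_directory="$(readlink -e "${target_domain_directory}/public_html/$target_directory/")"
        if [ -z "$real_target_directory" ]; then
            check_result $E_NOTEXIST "ERROR: Directory $target_directory does not exist under ${target_domain_directory}/public_html/."
        fi
        case "${real_target_directory}/" in
            "${target_domain_directory}/"*) ;;
            *) check_result $E_FORBIDEN "Error: target dir outside of target domain dir" ;;
        esac

        CUSTOM_DOCROOT="$real_target_directory"
        # … unchanged: custom_phproot selection on $php …
```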

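--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
@@ -74,13 +74,23 @@ $v_stats = $data[$v_domain]['STATS'];
 $v_stats_user = $data[$v_domain]['STATS_USER'];
 if (!empty($v_stats_user)) $v_stats_password = "";
 $v_custom_doc_root_prepath = '/home/'.$v_username.'/web/';
-$v_custom_doc_root = $data[$v_domain]['CUSTOM_DOCROOT'];
 
-$m = preg_match('/\/home\/'.$v_username.'\/web\/([[:alnum:]].*)\/public_html\/([[:alnum:]].*)/', $v_custom_doc_root, $matches);
-$v_custom_doc_domain = $matches[1];
-$v_custom_doc_folder = $matches[2];
-if(substr($v_custom_doc_folder, -1) == '/'){
-    $v_custom_doc_folder = substr($v_custom_doc_folder,0,-1);
+if(!empty($data[$v_domain]['CUSTOM_DOCROOT']))
+    $v_custom_doc_root = realpath($data[$v_domain]['CUSTOM_DOCROOT']) . DIRECTORY_SEPARATOR;
+
+if(!empty($v_custom_doc_root) &&
+    false !== preg_match('/\/home\/'.$v_username.'\/web\/([[:alnum:]].*)\/public_html\/([[:alnum:]].*)?/', $v_custom_doc_root, $matches) ) {
+
+    if(!empty($matches[1]))
+        $v_custom_doc_domain = $matches[1];
+
+    if(!empty($matches[2]))
+        $v_custom_doc_folder = rtrim($matches[2], '/');
+
+    if($v_custom_doc_domain && !in_array($v_custom_doc_domain, $user_domains)) {
+        $v_custom_doc_domain = '';
+        $v_custom_doc_folder = '';
+    }
 }
 
 
@@ -767,11 +777,7 @@ if (!empty($_POST['save'])) {
             check_return_code($return_var,$output);
             unset($output);     
         }else{
-            if(substr($_POST['v-custom-doc-folder'], -1) == '/'){
-                $v_custom_doc_folder = escapeshellarg(substr($_POST['v-custom-doc-folder'],0,-1));
-            }else{
-                $v_custom_doc_folder = escapeshellarg($_POST['v-custom-doc-folder']);  
-            }
+            $v_custom_doc_folder = escapeshellarg(rtrim($_POST['v-custom-doc-folder'],'/'));
             $v_custom_doc_domain = escapeshellarg($_POST['v-custom-doc-domain']);
             
             exec(HESTIA_CMD."v-change-web-domain-docroot ".$v_username." ".escapeshellarg($v_domain)." ".$v_custom_doc_domain." ".$v_custom_doc_folder ." yes",  $output, $return_var);
@@ -807,6 +813,8 @@ if (!empty($_POST['save'])) {
     // Set success message
     if (empty($_SESSION['error_msg'])) {
         $_SESSION['ok_msg'] = _('Changes has been saved.');
+        header("Location: /edit/web/?domain=" . $v_domain);
+        exit();
     }
 
 }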
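Review bot: The `false !== preg_match(...)` condition in the first hunk is also true when the pattern does not match, because preg_match returns 0 (not false) for a non-match; the body then runs with an empty `$matches`, and since `$v_custom_doc_domain` is never initialised the `if($v_custom_doc_domain && ...)` line reads an undefined variable. Comparing against `1 ===` and initialising both outputs before the block fixes that, and `$v_username` should pass through `preg_quote($v_username, '/')` since it is spliced into the pattern. `realpath()` also returns false when the stored docroot no longer exists, which the concatenation turns into the non-empty string `/` and then silently fails the match; checking the result explicitly makes the stale value visible. Separately, the `header("Location: ...")` in the third hunk should `rawurlencode($v_domain)` as it lands in a query string. The `if (!empty($_POST['save']))` block around the second and third hunks starts outside this diff.
```php
$v_custom_doc_domain = '';
$v_custom_doc_folder = '';
$v_custom_doc_root = '';
if(!empty($data[$v_domain]['CUSTOM_DOCROOT'])) {
    $real_doc_root = realpath($data[$v_domain]['CUSTOM_DOCROOT']);
    if($real_doc_root !== false)
        $v_custom_doc_root = $real_doc_root . DIRECTORY_SEPARATOR;
}

if(!empty($v_custom_doc_root) &&
    1 === preg_match('/\/home\/'.preg_quote($v_username, '/').'\/web\/([[:alnum:]].*)\/public_html\/([[:alnum:]].*)?/', $v_custom_doc_root, $matches) ) {
    // … unchanged: $matches extraction and $user_domains membership check …
}
```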

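--- a/web/templates/admin/edit_web.html
+++ b/web/templates/admin/edit_web.html
@@ -258,24 +258,14 @@
                                         </tr>
                                         <tr>
                                             <td>
-                                                <input type="hidden" name="v-custom-doc-root_prepath"" value="<?php echo $v_custom_doc_root_prepath;?>">
+                                                <input type="hidden" name="v-custom-doc-root_prepath" value="<?php echo $v_custom_doc_root_prepath;?>">
                                                 <select class="vst-list" name="v-custom-doc-domain">
-                                                    <option value="<?php echo $v_domain;?>"><?php echo $v_domain;?></option>
-                                                    <?php
-                                                    foreach ($user_domains as $domain) {
-                                                        if($domain != $v_domain ){
-                                                        if($v_custom_doc_domain == $domain){
-                                                    ?>
-                                                            <option value="<?php echo $domain;?>" selected="selected"><?php echo $domain;?></option>
-                                                    <?php
-                                                        }else{
-                                                     ?>
-                                                            <option value="<?php echo $domain;?>"><?php echo $domain;?></option>
-                                                    <?php
-                                                        }
-                                                        }
-                                                    }
-                                                    ?>
+                                                <?php foreach ($user_domains as $domain): ?>
+                                                    <option value="<?php echo $domain;?>"
+                                                        <?=($v_custom_doc_domain === $domain)?' selected="selected" ':''; ?>>
+                                                        <?php echo $domain;?>
+                                                    </option>
+                                                <?php endforeach; ?>
                                                 </select>
                                             </td>
                                         </tr>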
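Review bot: When no custom docroot is set nothing in the rebuilt `<select>` carries `selected`, so the browser submits the first entry of `$user_domains`, whereas the removed markup listed `$v_domain` first and therefore defaulted to the domain being edited; if the save handler runs v-change-web-domain-docroot with the posted value in that state (its guard lies outside this diff), a plain save could point the docroot at a different domain. Falling back to the edited domain restores the previous default: `<?=($v_custom_doc_domain === $domain || (empty($v_custom_doc_domain) && $domain === $v_domain))?' selected="selected" ':''; ?>`. The strict `===` also assumes `$v_custom_doc_domain` is always defined, which the index.php change in this commit only guarantees when its regex matches; initialising it there avoids a notice on this line.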