
Fix: #728 Upgrade phppgadmin (#3288)

* Update config.php.inc

* Fix installers

* Fix installers

* Fix installers

* Add update script

* Lint format

* config.inc.php for RPM based setups
Jaap Marcus 3 years ago
parent
commit
d4ae2dc1be

+ 32 - 0
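--- a/func/upgrade.sh
+++ b/func/upgrade.sh
@@ -325,6 +325,9 @@ upgrade_init_backup() {
 	if [ -d "/etc/phpmyadmin/" ]; then
 		mkdir -p $HESTIA_BACKUP/conf/phpmyadmin/
 	fi
+	if [ -d "/etc/phppgadmin/" ]; then
+		mkdir -p $HESTIA_BACKUP/conf/phppgadmin/
+	fi
 }
 
 upgrade_init_logging() {
@@ -467,6 +470,12 @@ upgrade_start_backup() {
 		fi
 		cp -fr /etc/phpmyadmin/* $HESTIA_BACKUP/conf/phpmyadmin
 	fi
+	if [ -d "/etc/phppgadmin" ]; then
+		if [ "$DEBUG_MODE" = "true" ]; then
+			echo "      ---- phppgadmin"
+		fi
+		cp -fr /etc/phppgadmin/* $HESTIA_BACKUP/conf/phppgadmin
+	fi
 }
 
 upgrade_refresh_config() {
@@ -541,6 +550,29 @@ upgrade_b2_tool() {
 	fi
 }
 
+upgrade_phppgadmin() {
+	if [ -n "$(echo $DB_SYSTEM | grep -w 'pgsql')" ]; then
+		pga_release=$(cat /usr/share/phppgadmin/libraries/lib.inc.php | grep appVersion | head -n1 | cut -f2 -d\' | cut -f1 -d-)
+		if version_ge "$pga_release" "pga_v"; then
+			echo "[ * ] phppgadmin is up to date ($pga_release)..."
+		else
+			# Display upgrade information
+			echo "[ * ] Upgrading phppgadmin to version $pga_v..."
+			[ -d /usr/share/phpmyadmin ] || mkdir -p /usr/share/phpmyadmin
+			# Download latest phpMyAdmin release
+			wget --retry-connrefused --quiet https://github.com/hestiacp/phppgadmin/releases/download/v$pga_v/phppgadmin-v$pga_v.tar.gz
+			tar xzf phppgadmin-v$pga_v.tar.gz -C /usr/share/phppgadmin/
+
+			if ! version_ge "$pga_release" "7.14.0"; then
+				cp -f $HESTIA_INSTALL_DIR/pga/config.inc.php /etc/phppgadmin/
+			fi
+			if [ ! -f /usr/share/phppgadmin/conf/config.inc.php ]; then
+				ln -s /etc/phppgadmin/config.inc.php /usr/share/phppgadmin/conf
+			fi
+		fi
+	fi
+}
+
 upgrade_phpmyadmin() {
 	# Check if MariaDB/MySQL is installed on the server before attempting to install or upgrade phpMyAdmin
 	if [ -n "$(echo $DB_SYSTEM | grep -w 'mysql')" ]; then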
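Review bot: In upgrade_phppgadmin the up-to-date check passes the literal string `"pga_v"` to version_ge, so the installed release is never compared with the target version; it should read `if version_ge "$pga_release" "$pga_v"; then`. The directory guard below the upgrade message creates /usr/share/phpmyadmin while tar extracts into /usr/share/phppgadmin/, which looks like a copy-paste slip. The tarball is fetched with `wget --quiet` into the current directory and unpacked with no exit-status check and no digest or signature verification, and install/hst-install-debian.sh and install/hst-install-ubuntu.sh repeat the same download. The sketch below checks the download and a pinned SHA-256 before extracting; `PGA_SHA256_PLACEHOLDER` stands for a value that is not on this page. The comments that still say phpMyAdmin, here and above the upgrade_phppgadmin calls in src/deb/hestia/postinst and src/rpm/hestia/hestia.spec, should name phpPgAdmin.

```shell
		if version_ge "$pga_release" "$pga_v"; then
			# … unchanged: "up to date" message …
		else
			# … unchanged: upgrade message …
			mkdir -p /usr/share/phppgadmin
			pga_tmp=$(mktemp -d)
			pga_tar="$pga_tmp/phppgadmin-v$pga_v.tar.gz"
			if ! wget --retry-connrefused --quiet -O "$pga_tar" \
				"https://github.com/hestiacp/phppgadmin/releases/download/v$pga_v/phppgadmin-v$pga_v.tar.gz"; then
				echo "[ ! ] phppgadmin download failed, leaving $pga_release in place"
				rm -rf "$pga_tmp"
				return 1
			fi
			# PGA_SHA256_PLACEHOLDER: pinned digest of the release tarball (placeholder, not defined on this page)
			if ! echo "$PGA_SHA256_PLACEHOLDER  $pga_tar" | sha256sum -c --status -; then
				echo "[ ! ] phppgadmin checksum mismatch, leaving $pga_release in place"
				rm -rf "$pga_tmp"
				return 1
			fi
			tar xzf "$pga_tar" -C /usr/share/phppgadmin/
			rm -rf "$pga_tmp"
			# … unchanged: config.inc.php copy and symlink …
```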

+ 9 - 0
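--- a/install/deb/pga/config.inc.php
+++ b/install/deb/pga/config.inc.php
@@ -78,6 +78,15 @@ $conf["default_lang"] = "auto";
 // 'disable' disables AutoComplete.
 $conf["autocomplete"] = "default on";
 
+// If extra session security is true, then PHP's session cookies will have
+// SameSite cookie flags set to prevent CSRF attacks.  If you're using
+// auto-start sessions, autostarted sessions will be destroyed and
+// restarted with SameSite on.  If this this solution is not acceptable for
+// your situation, you will need to either turn off auot-start sessions, or
+// turn off secure sessions.  Versions of PHP below 7.3 do not have access
+// to this feature and will be vulnerable to CSRF attacks.
+$conf["extra_session_security"] = true;
+
 // If extra login security is true, then logins via phpPgAdmin with no
 // password or certain usernames (pgsql, postgres, root, administrator)
 // will be denied. Only set this false once you have read the FAQ and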
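Review bot: The comment added above `$conf["extra_session_security"]` says PHP below 7.3 cannot set SameSite and stays exposed to CSRF, yet `multiphp_v` in install/upgrade/upgrade.conf still lists 5.6 through 7.2, so the file should say which PHP version is expected to serve phpPgAdmin, for example `// NOTE: only effective when phpPgAdmin runs on PHP >= 7.3`. The text also carries two typos, `this this` and `auot-start`, and refers to "secure sessions" where the key is `extra_session_security`. install/rpm/pga/config.inc.php adds the identical block.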

+ 11 - 2
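--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -48,7 +48,7 @@ software="nginx apache2 apache2-utils apache2-suexec-custom
   awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy
   clamav-daemon spamassassin dovecot-imapd dovecot-pop3d dovecot-sieve dovecot-managesieved
   net-tools mariadb-client mariadb-common mariadb-server mysql-client mysql-common mysql-server postgresql
-  postgresql-contrib phppgadmin mc flex whois git idn2 unzip zip sudo bc ftp lsof
+  postgresql-contrib mc flex whois git idn2 unzip zip sudo bc ftp lsof
   rrdtool quota e2fslibs bsdutils e2fsprogs curl imagemagick fail2ban
   dnsutils bsdmainutils cron hestia=${HESTIA_INSTALL_VER} hestia-nginx
   hestia-php expect libmail-dkim-perl unrar-free vim-common acl sysstat
@@ -1626,11 +1626,20 @@ if [ "$postgresql" = 'yes' ]; then
 	systemctl restart postgresql
 	sudo -iu postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'"
 
+	mkdir -p /etc/phppgadmin/
+	mkdir -p /usr/share/phppgadmin/
+
+	cp -f $HESTIA_INSTALL_DIR/pga/config.inc.php /etc/phppgadmin/
+
+	wget --retry-connrefused --quiet https://github.com/hestiacp/phppgadmin/releases/download/v$pga_v/phppgadmin-v$pga_v.tar.gz
+	tar xzf phppgadmin-v$pga_v.tar.gz -C /usr/share/phppgadmin/
+
+	ln -s /etc/phppgadmin/config.inc.php /usr/share/phppgadmin/conf/
+
 	# Configuring phpPgAdmin
 	if [ "$apache" = 'yes' ]; then
 		cp -f $HESTIA_INSTALL_DIR/pga/phppgadmin.conf /etc/apache2/conf.d/phppgadmin.inc
 	fi
-	cp -f $HESTIA_INSTALL_DIR/pga/config.inc.php /etc/phppgadmin/
 
 	write_config_value "DB_PGA_ALIAS" "phppgadmin"
 	$HESTIA/bin/v-change-sys-db-alias 'pga' "phppgadmin"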
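Review bot: `$pga_v` is used in the download URL, but neither hunk of this file sets it and the only assignment visible in the commit is in install/upgrade/upgrade.conf. Unless the installer defines it outside these hunks, the URL expands to `.../download/v/phppgadmin-v.tar.gz`, `wget --quiet` fails without output, and tar then runs on a missing file, leaving /usr/share/phppgadmin/ empty with the `ln -s` still attempted. The installer should set the variable itself, e.g. `pga_v='7.14.4'`, and stop when the download fails. The same applies to install/hst-install-ubuntu.sh. The enclosing `if [ "$postgresql" = 'yes' ]` block starts and ends outside the hunk.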

+ 11 - 2
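--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -46,7 +46,7 @@ software="apache2 apache2.2-common apache2-suexec-custom apache2-utils
     imagemagick libapache2-mod-fcgid libapache2-mod-php$fpm_v libapache2-mod-rpaf
     lsof mc mariadb-client mariadb-common mariadb-server mysql-client mysql-common mysql-server nginx
     php$fpm_v php$fpm_v-cgi php$fpm_v-common php$fpm_v-curl
-    php$fpm_v-mysql php$fpm_v-imap php$fpm_v-ldap php$fpm_v-apcu phppgadmin
+    php$fpm_v-mysql php$fpm_v-imap php$fpm_v-ldap php$fpm_v-apcu
     php$fpm_v-pgsql php$fpm_v-zip php$fpm_v-bz2 php$fpm_v-cli php$fpm_v-gd
     php$fpm_v-imagick php$fpm_v-intl php$fpm_v-mbstring
     php$fpm_v-opcache php$fpm_v-pspell php$fpm_v-readline php$fpm_v-xml
@@ -1672,11 +1672,20 @@ if [ "$postgresql" = 'yes' ]; then
 	systemctl restart postgresql
 	sudo -iu postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" > /dev/null 2>&1
 
+	mkdir -p /etc/phppgadmin/
+	mkdir -p /usr/share/phppgadmin/
+
+	wget --retry-connrefused --quiet https://github.com/hestiacp/phppgadmin/releases/download/v$pga_v/phppgadmin-v$pga_v.tar.gz
+	tar xzf phppgadmin-v$pga_v.tar.gz -C /usr/share/phppgadmin/
+
+	cp -f $HESTIA_INSTALL_DIR/pga/config.inc.php /etc/phppgadmin/
+
+	ln -s /etc/phppgadmin/config.inc.php /usr/share/phppgadmin/conf/
+
 	# Configuring phpPgAdmin
 	if [ "$apache" = 'yes' ]; then
 		cp -f $HESTIA_INSTALL_DIR/pga/phppgadmin.conf /etc/apache2/conf.d/phppgadmin.inc
 	fi
-	cp -f $HESTIA_INSTALL_DIR/pga/config.inc.php /etc/phppgadmin/
 
 	write_config_value "DB_PGA_ALIAS" "phppgadmin"
 	$HESTIA/bin/v-change-sys-db-alias 'pga' "phppgadmin"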

+ 9 - 0
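--- a/install/rpm/pga/config.inc.php
+++ b/install/rpm/pga/config.inc.php
@@ -148,6 +148,15 @@ $conf["help_base"] = "http://www.postgresql.org/docs/%s/interactive/";
 // Time in seconds. If set to 0, refreshing data using ajax will be disabled (locks and activity pages)
 $conf["ajax_refresh"] = 3;
 
+// If extra session security is true, then PHP's session cookies will have
+// SameSite cookie flags set to prevent CSRF attacks.  If you're using
+// auto-start sessions, autostarted sessions will be destroyed and
+// restarted with SameSite on.  If this this solution is not acceptable for
+// your situation, you will need to either turn off auot-start sessions, or
+// turn off secure sessions.  Versions of PHP below 7.3 do not have access
+// to this feature and will be vulnerable to CSRF attacks.
+$conf["extra_session_security"] = true;
+
 /*****************************************
  * Don't modify anything below this line *
  *****************************************/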

+ 3 - 0
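--- a/install/upgrade/upgrade.conf
+++ b/install/upgrade/upgrade.conf
@@ -45,6 +45,9 @@ multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 # Set version of phpMyAdmin to install during upgrade if not already installed
 pma_v='5.2.1'
 
+# Set version of phppgadmin to install during upgrade if not already installed
+pga_v='7.14.4'
+
 # Set version of RoundCube (Webmail) to update during upgrade if not already installed
 # Note: only applies to "non-apt installs >= 1.4.0 or manually phased out"
 rc_v='1.6.1'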

+ 3 - 0
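--- a/src/deb/hestia/postinst
+++ b/src/deb/hestia/postinst
@@ -89,6 +89,9 @@ upgrade_dependencies | tee -a $LOG
 # Upgrade phpMyAdmin if applicable
 upgrade_phpmyadmin | tee -a $LOG
 
+# Upgrade phpMyAdmin if applicable
+upgrade_phppgadmin | tee -a $LOG
+
 # Upgrade blackblaze-cli-took if applicable
 upgrade_b2_tool | tee -a $LOG
 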

+ 3 - 0
src/rpm/hestia/hestia.spec

@@ -111,6 +111,9 @@ if [ -e "/usr/local/hestia/data/users/admin" ]; then
     # Upgrade phpMyAdmin if applicable
     # Upgrade phpMyAdmin if applicable
     upgrade_phpmyadmin | tee -a $LOG
     upgrade_phpmyadmin | tee -a $LOG
 
 
+	# Upgrade phpMyAdmin if applicable
+	upgrade_phppgadmin | tee -a $LOG
+
     # Upgrade blackblaze-cli-took if applicable
     # Upgrade blackblaze-cli-took if applicable
     upgrade_b2_tool | tee -a $LOG
     upgrade_b2_tool | tee -a $LOG