🔒 ♻️ Implement secure exec wrapper functions.

This commit is contained in:
Flat 2015-12-02 21:24:34 +09:00
commit 8e951ac72e
115 changed files with 1345 additions and 1986 deletions

View file

@ -19,7 +19,7 @@ if (!empty($_POST['ok'])) {
// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit();
exit;
}
// Check empty fields
@ -48,16 +48,15 @@ if (!empty($_POST['ok'])) {
// Check password length
if (empty($_SESSION['error_msg'])) {
$pw_len = strlen($_POST['v_password']);
if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg);
if ($pw_len < 6) $_SESSION['error_msg'] = __('Password is too short.', $error_msg);
}
// Protect input
$v_username = escapeshellarg($_POST['v_username']);
$v_email = escapeshellarg($_POST['v_email']);
$v_package = escapeshellarg($_POST['v_package']);
$v_language = escapeshellarg($_POST['v_language']);
$v_fname = escapeshellarg($_POST['v_fname']);
$v_lname = escapeshellarg($_POST['v_lname']);
$v_username = $_POST['v_username'];
$v_email = $_POST['v_email'];
$v_package = $_POST['v_package'];
$v_language = $_POST['v_language'];
$v_fname = $_POST['v_fname'];
$v_lname = $_POST['v_lname'];
$v_notify = $_POST['v_notify'];
@ -67,18 +66,14 @@ if (!empty($_POST['ok'])) {
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
v_exec('v-add-user', [$v_username, $v_password, $v_email, $v_package, $v_fname, $v_lname]);
unlink($v_password);
$v_password = escapeshellarg($_POST['v_password']);
$v_password = $_POST['v_password'];
}
// Set language
if (empty($_SESSION['error_msg'])) {
exec (VESTA_CMD."v-change-user-language ".$v_username." ".$v_language, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
v_exec('v-change-user-language', [$v_username, $v_language]);
}
// Send email to the new user
@ -86,7 +81,6 @@ if (!empty($_POST['ok'])) {
$to = $_POST['v_notify'];
$subject = _translate($_POST['v_language'],"Welcome to Vesta Control Panel");
$hostname = exec('hostname');
unset($output);
$from = _translate($_POST['v_language'],'MAIL_FROM',$hostname);
if (!empty($_POST['v_fname'])) {
$mailtext = _translate($_POST['v_language'],'GREETINGS_GORDON_FREEMAN',$_POST['v_fname'],$_POST['v_lname']);
@ -118,15 +112,13 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
top_panel($user,$TAB);
// List hosting packages
exec (VESTA_CMD."v-list-user-packages json", $output, $return_var);
$return_var = v_exec('v-list-user-packages', ['json'], false, $output);
check_error($return_var);
$data = json_decode(implode('', $output), true);
unset($output);
$data = json_decode($output, true);
// List languages
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
$languages = json_decode(implode('', $output), true);
unset($output);
v_exec('v-list-sys-languages', ['json'], false, $output);
$languages = json_decode($output, true);
// Display body
include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_user.html');