Flatta's security fixes from PullRequest #516

2025-08-14 10:37:42 -07:00 · 2015-12-11 21:32:07 +02:00 · 2015-12-11 21:32:07 +02:00 · 95850df8d1
commit 95850df8d1
parent f8b39ecae7
6 changed files with 9 additions and 8 deletions
--- a/web/add/web/index.php
+++ b/web/add/web/index.php
@ -272,7 +272,7 @@ if (!empty($_POST['ok'])) {
                    $fp = fopen($v_ftp_password, "w");
                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                    fclose($fp);
-                    exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+                    exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); 
                    check_return_code($return_var,$output);
                    unset($output);
                    unlink($v_ftp_password);
--- a/web/edit/cron/index.php
+++ b/web/edit/cron/index.php
@ -53,6 +53,7 @@ if (!empty($_POST['save'])) {
    }

    $v_username = $user;
+    $v_job = escapeshellarg($_GET['job']); 
    $v_min = escapeshellarg($_POST['v_min']);
    $v_hour = escapeshellarg($_POST['v_hour']);
    $v_day = escapeshellarg($_POST['v_day']);
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
@ -233,7 +233,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
        $result = array_diff($aliases, $valiases);
        foreach ($result as $alias) {
            if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
-                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($alias), $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }
@ -259,7 +259,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
        $result = array_diff($fwd, $vfwd);
        foreach ($result as $forward) {
            if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
-                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
@ -188,14 +188,14 @@ if (!empty($_POST['save'])) {
                $restart_web = 'yes';
                $restart_proxy = 'yes';
                $v_template = escapeshellarg($_POST['v_template']);
-                exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+                exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." ".escapeshellarg($alias)." 'no'", $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
                if (empty($_SESSION['error_msg'])) {
                    exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
                    unset($output);
                    if ($return_var == 0) {
-                        exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".$alias." ".$v_ip." no", $output, $return_var);
+                        exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".escapeshellarg($alias)." ".$v_ip." no", $output, $return_var);
                        check_return_code($return_var,$output);
                    unset($output);
                        $restart_dns = 'yes';
@ -520,7 +520,7 @@ if (!empty($_POST['save'])) {
                    $fp = fopen($v_ftp_password, "w");
                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
                    fclose($fp);
-                    exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+                    exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                    check_return_code($return_var,$output);
                    if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
                        $to = $v_ftp_user_data['v_ftp_email'];
--- a/web/login/index.php
+++ b/web/login/index.php
@ -44,7 +44,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
    fclose($fp);

    // Check user & password
-    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'",  $output, $return_var);
+    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".escapeshellarg($_SERVER['REMOTE_ADDR']),  $output, $return_var);
    unset($output);

    // Remove tmp file
--- a/web/search/index.php
+++ b/web/search/index.php
@ -28,8 +28,8 @@ $lang = 'ru_RU.utf8';
 //setlocale(LC_ALL, $lang);

 // Data
+$q = escapeshellarg($q);
 if ($_SESSION['user'] == 'admin') {
-    $q = escapeshellarg($q);
    exec (VESTA_CMD."v-search-object ".$q." json", $output, $return_var);
    $data = json_decode(implode('', $output), true);
    include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_search.html');