From 39e9b6397b3b63742da5e2413aa2feb4e11b747a Mon Sep 17 00:00:00 2001 
From: Serghey Rodin Date: Fri, 11 Dec 2015 21:14:49 +0200 Subject: [PATCH] Revert "[SECURITY] Fix OS command injection." --- web/add/cron/autoupdate/index.php | 7 +- web/add/cron/index.php | 19 +- web/add/cron/reports/index.php | 7 +- web/add/db/index.php | 52 +++-- web/add/dns/index.php | 65 +++--- web/add/favorite/index.php | 12 +- web/add/firewall/banlist/index.php | 9 +- web/add/firewall/index.php | 20 +- web/add/ip/index.php | 32 +-- web/add/mail/index.php | 62 +++--- web/add/package/index.php | 152 +++++++------- web/add/user/index.php | 38 ++-- web/add/web/index.php | 108 ++++++---- web/api/index.php | 55 +++-- web/bulk/backup/exclusions/index.php | 3 +- web/bulk/backup/index.php | 5 +- web/bulk/cron/index.php | 23 +- web/bulk/db/index.php | 5 +- web/bulk/dns/index.php | 13 +- web/bulk/firewall/banlist/index.php | 13 +- web/bulk/firewall/index.php | 5 +- web/bulk/ip/index.php | 15 +- web/bulk/mail/index.php | 11 +- web/bulk/package/index.php | 5 +- web/bulk/restore/index.php | 31 +-- web/bulk/service/index.php | 8 +- web/bulk/user/index.php | 11 +- web/bulk/vesta/index.php | 5 +- web/bulk/web/index.php | 13 +- web/delete/backup/exclusion/index.php | 11 +- web/delete/backup/index.php | 13 +- web/delete/cron/autoupdate/index.php | 3 +- web/delete/cron/index.php | 13 +- web/delete/cron/reports/index.php | 3 +- web/delete/db/index.php | 13 +- web/delete/dns/index.php | 27 ++- web/delete/favorite/index.php | 9 +- web/delete/firewall/banlist/index.php | 12 +- web/delete/firewall/index.php | 10 +- web/delete/ip/index.php | 11 +- web/delete/mail/index.php | 26 ++- web/delete/notification/index.php | 18 +- web/delete/package/index.php | 10 +- web/delete/user/index.php | 10 +- web/delete/web/index.php | 13 +- web/download/file/index.php | 8 +- web/download/web-log/index.php | 16 +- web/edit/backup/exclusions/index.php | 15 +- web/edit/cron/index.php | 42 ++-- web/edit/db/index.php | 39 ++-- web/edit/dns/index.php | 95 ++++++--- web/edit/file/index.php | 14 +- 
web/edit/firewall/index.php | 39 +++- web/edit/ip/index.php | 46 ++-- web/edit/mail/index.php | 131 ++++++++---- web/edit/package/index.php | 58 +++--- web/edit/server/index.php | 237 +++++++++++++-------- web/edit/user/index.php | 128 +++++++----- web/edit/web/index.php | 288 ++++++++++++++++---------- web/file_manager/fm_api.php | 12 +- web/file_manager/fm_core.php | 199 +++++++++++------- web/generate/ssl/index.php | 31 ++- web/inc/exec.php | 85 -------- web/inc/i18n.php | 27 ++- web/inc/mail-wrapper.php | 9 +- web/inc/main.php | 48 +++-- web/list/backup/exclusions/index.php | 5 +- web/list/backup/index.php | 14 +- web/list/cron/index.php | 7 +- web/list/db/index.php | 5 +- web/list/directory/index.php | 9 +- web/list/dns/index.php | 10 +- web/list/favorites/index.php | 10 +- web/list/firewall/banlist/index.php | 5 +- web/list/firewall/index.php | 5 +- web/list/ip/index.php | 5 +- web/list/log/index.php | 5 +- web/list/mail/index.php | 10 +- web/list/notifications/index.php | 18 +- web/list/package/index.php | 5 +- web/list/rrd/index.php | 5 +- web/list/server/index.php | 80 ++++--- web/list/stats/index.php | 22 +- web/list/updates/index.php | 11 +- web/list/user/index.php | 12 +- web/list/web-log/index.php | 11 +- web/list/web/index.php | 6 +- web/login/index.php | 25 ++- web/reset/index.php | 34 +-- web/reset/mail/index.php | 18 +- web/restart/service/index.php | 11 +- web/restart/system/index.php | 4 +- web/schedule/backup/index.php | 24 ++- web/schedule/restore/index.php | 33 +-- web/search/index.php | 13 +- web/start/service/index.php | 11 +- web/stop/service/index.php | 12 +- web/suspend/cron/index.php | 16 +- web/suspend/db/index.php | 12 +- web/suspend/dns/index.php | 26 ++- web/suspend/firewall/index.php | 12 +- web/suspend/mail/index.php | 32 +-- web/suspend/user/index.php | 10 +- web/suspend/web/index.php | 14 +- web/templates/admin/edit_package.html | 2 +- web/unsuspend/cron/index.php | 16 +- web/unsuspend/db/index.php | 17 +- 
web/unsuspend/dns/index.php | 40 ++-- web/unsuspend/firewall/index.php | 12 +- web/unsuspend/mail/index.php | 40 ++-- web/unsuspend/user/index.php | 12 +- web/unsuspend/web/index.php | 17 +- web/update/vesta/index.php | 11 +- web/upload/UploadHandler.php | 5 +- web/view/file/index.php | 8 +- 115 files changed, 1980 insertions(+), 1340 deletions(-) delete mode 100644 web/inc/exec.php diff --git a/web/add/cron/autoupdate/index.php b/web/add/cron/autoupdate/index.php index bc7db99dd..53d50c059 100644 --- a/web/add/cron/autoupdate/index.php +++ b/web/add/cron/autoupdate/index.php @@ -3,12 +3,13 @@ error_reporting(NULL); ob_start(); session_start(); -include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php'); +include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { - v_exec('v-add-cron-vesta-autoupdate', [], false); + exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled'); + unset($output); } -header('Location: /list/updates/'); +header("Location: /list/updates/"); exit; diff --git a/web/add/cron/index.php b/web/add/cron/index.php index c78881877..62cae8f1c 100644 --- a/web/add/cron/index.php +++ b/web/add/cron/index.php @@ -13,7 +13,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
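Review bot: `$return_var` from the new `exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);` is never inspected, so `$_SESSION['error_msg']` receives the success text even when the backend script fails; the sibling hunks in this revert pair each `exec` with `check_return_code($return_var,$output);`, and this one should do the same before assigning the message, e.g. `check_return_code($return_var,$output); if (empty($_SESSION['error_msg'])) $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');`. This handler also changes state on any request that arrives with an admin session, with no `$_POST['token']` comparison like the one in the add/cron hunk below, so it is reachable by a cross-site request; that predates the revert but is worth closing while the file is being rewritten.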
@@ -35,16 +35,18 @@ if (!empty($_POST['ok'])) { } // Protect input - $v_min = $_POST['v_min']; - $v_hour = $_POST['v_hour']; - $v_day = $_POST['v_day']; - $v_month = $_POST['v_month']; - $v_wday = $_POST['v_wday']; - $v_cmd = $_POST['v_cmd']; + $v_min = escapeshellarg($_POST['v_min']); + $v_hour = escapeshellarg($_POST['v_hour']); + $v_day = escapeshellarg($_POST['v_day']); + $v_month = escapeshellarg($_POST['v_month']); + $v_wday = escapeshellarg($_POST['v_wday']); + $v_cmd = escapeshellarg($_POST['v_cmd']); // Add cron job if (empty($_SESSION['error_msg'])) { - v_exec('v-add-cron-job', [$user, $v_min, $v_hour, $v_day, $v_month, $v_wday, $v_cmd]); + exec (VESTA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Flush field values on success @@ -56,6 +58,7 @@ if (!empty($_POST['ok'])) { unset($v_month); unset($v_wday); unset($v_cmd); + unset($output); } } diff --git a/web/add/cron/reports/index.php b/web/add/cron/reports/index.php index f3f31db95..4b0424e32 100644 --- a/web/add/cron/reports/index.php +++ b/web/add/cron/reports/index.php @@ -3,10 +3,11 @@ error_reporting(NULL); ob_start(); session_start(); -include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php'); +include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); -v_exec('v-add-cron-reports', [$user], false); +exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled'); +unset($output); -header('Location: /list/cron/'); +header("Location: /list/cron/"); exit; diff --git a/web/add/db/index.php b/web/add/db/index.php index 2a328f515..c206eb13c 100644 --- a/web/add/db/index.php +++ b/web/add/db/index.php 
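Review bot: `$v_min` … `$v_cmd` now hold the `escapeshellarg()`-quoted strings rather than the submitted values, and the flush block only unsets them on success, so after a failed `check_return_code` the form is presumably re-populated (the template is outside this hunk) with `'*/5'` instead of `*/5` and the user has to strip the quotes by hand; the add/ip hunk later in this patch works around the same problem with `$v_owner = $_POST['v_owner'];` after the call, and the cleaner fix is to escape only at the call site, `exec (VESTA_CMD."v-add-cron-job ".$user." ".escapeshellarg($v_min)." ".escapeshellarg($v_hour)." ... ".escapeshellarg($v_cmd), $output, $return_var);`, keeping the raw values in the `$v_*` variables. `$user` is concatenated unquoted; it is defined in main.php outside this diff, and that is only safe as long as it never comes from request input.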
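Review bot: The reports hunk covers the whole handler and shows neither a `token` check nor any inspection of `$return_var`, so any request to this URL from a logged-in browser enables cron reporting and the success message is set unconditionally; add `check_return_code($return_var,$output);` after the `exec` and only assign the message while `$_SESSION['error_msg']` is still empty. A token comparison like the one in the add/cron hunk above (`if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); exit(); }`) would close the cross-site path; the revert does not introduce this gap, but it is the moment to fix it.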
@@ -12,7 +12,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields @@ -30,7 +30,7 @@ if (!empty($_POST['ok'])) { $error_msg = $error_msg.", ".$error; } } - $_SESSION['error_msg'] = __('Field "%s" can not be blank.', $error_msg); + $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } // Validate email @@ -43,11 +43,12 @@ if (!empty($_POST['ok'])) { // Check password length if (empty($_SESSION['error_msg'])) { $pw_len = strlen($_POST['v_password']); - if ($pw_len < 6) $_SESSION['error_msg'] = __('Password is too short.', $error_msg); + if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg); } - $v_database = $_POST['v_database']; - $v_dbuser = $_POST['v_dbuser']; + // Protect input + $v_database = escapeshellarg($_POST['v_database']); + $v_dbuser = escapeshellarg($_POST['v_dbuser']); $v_type = $_POST['v_type']; $v_charset = $_POST['v_charset']; $v_host = $_POST['v_host']; 
@@ -55,24 +56,32 @@ if (!empty($_POST['ok'])) { // Add database if (empty($_SESSION['error_msg'])) { - $v_password = tempnam('/tmp', 'vst'); - $fp = fopen($v_password, 'w'); + $v_type = escapeshellarg($_POST['v_type']); + $v_charset = escapeshellarg($_POST['v_charset']); + $v_host = escapeshellarg($_POST['v_host']); + $v_password = tempnam("/tmp","vst"); + $fp = fopen($v_password, "w"); fwrite($fp, $_POST['v_password']."\n"); fclose($fp); - v_exec('v-add-database', [$user, $v_database, $v_dbuser, $v_password, $v_type, $v_host, $v_charset]); + exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_password); - $v_password = $_POST['v_password']; + $v_password = escapeshellarg($_POST['v_password']); + $v_type = $_POST['v_type']; + $v_host = $_POST['v_host']; + $v_charset = $_POST['v_charset']; } // Get database manager url if (empty($_SESSION['error_msg'])) { - list($http_host, $port) = explode(':', $_SERVER['HTTP_HOST'] . ':'); + list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"] . 
":"); if ($_POST['v_host'] != 'localhost' ) $http_host = $_POST['v_host']; - if ($_POST['v_type'] == 'mysql') $db_admin = 'phpMyAdmin'; - if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://$http_host/phpmyadmin/"; + if ($_POST['v_type'] == 'mysql') $db_admin = "phpMyAdmin"; + if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/"; if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_URL']))) $db_admin_link = $_SESSION['DB_PMA_URL']; - if ($_POST['v_type'] == 'pgsql') $db_admin = 'phpPgAdmin'; - if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://$http_host/phppgadmin/"; + if ($_POST['v_type'] == 'pgsql') $db_admin = "phpPgAdmin"; + if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://".$http_host."/phppgadmin/"; if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_URL']))) $db_admin_link = $_SESSION['DB_PGA_URL']; } @@ -81,15 +90,15 @@ if (!empty($_POST['ok'])) { $to = $v_db_email; $subject = __("Database Credentials"); $hostname = exec('hostname'); - $from = __('MAIL_FROM', $hostname); - $mailtext = __('DATABASE_READY', $user.'_'.$_POST['v_database'], $user.'_'.$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link); + $from = __('MAIL_FROM',$hostname); + $mailtext = __('DATABASE_READY',$user."_".$_POST['v_database'],$user."_".$_POST['v_dbuser'],$_POST['v_password'],$db_admin_link); send_email($to, $subject, $mailtext, $from); } // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK', htmlentities($user.'_'.$_POST['v_database']), htmlentities($user.'_'.$_POST['v_database'])); - $_SESSION['ok_msg'] .= " / " . __('open %s', $db_admin) . ''; + $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK',htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database'])); + $_SESSION['ok_msg'] .= " / " . __('open %s',$db_admin) . ""; unset($v_database); unset($v_dbuser); unset($v_password); 
@@ -108,15 +117,16 @@ top_panel($user,$TAB); $v_db_email = $panel[$user]['CONTACT']; // List avaiable database types -$db_types = explode(',', $_SESSION['DB_SYSTEM']); +$db_types = split(",",$_SESSION['DB_SYSTEM']); // List available database servers $db_hosts = array(); foreach ($db_types as $db_type ) { - v_exec('v-list-database-hosts', [$db_type, 'json'], false, $output); - $db_hosts_tmp = json_decode($output, true); + exec (VESTA_CMD."v-list-database-hosts ".$db_type." 'json'", $output, $return_var); + $db_hosts_tmp = json_decode(implode('', $output), true); $db_hosts = array_merge($db_hosts, $db_hosts_tmp); unset($db_hosts_tmp); + unset($output); } // Display body diff --git a/web/add/dns/index.php b/web/add/dns/index.php index 086ca5d7e..629e2ec57 100644 --- a/web/add/dns/index.php +++ b/web/add/dns/index.php @@ -13,7 +13,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
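Review bot: `$db_types = split(",",$_SESSION['DB_SYSTEM']);` reintroduces `split()`, which has been deprecated since PHP 5.3 and removed in PHP 7, so on a PHP 7 host the add-database page fatals before the form renders; keep `explode(",", $_SESSION['DB_SYSTEM'])` here, as the removed side did. In the loop, `$return_var` is unchecked and `json_decode(implode('', $output), true)` returns `null` when `v-list-database-hosts` fails or prints nothing, after which `array_merge($db_hosts, null)` warns and (on PHP 7) leaves `$db_hosts` as `null`; guard it with `if (is_array($db_hosts_tmp)) $db_hosts = array_merge($db_hosts, $db_hosts_tmp);`.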
@@ -32,47 +32,56 @@ if (!empty($_POST['ok'])) { // Protect input $v_domain = preg_replace("/^www./i", "", $_POST['v_domain']); + $v_domain = escapeshellarg($v_domain); $v_domain = strtolower($v_domain); - $v_ip = $_POST['v_ip']; - if (!empty($_POST['v_ns1'])) $v_ns1 = $_POST['v_ns1']; - if (!empty($_POST['v_ns2'])) $v_ns2 = $_POST['v_ns2']; - if (!empty($_POST['v_ns3'])) $v_ns3 = $_POST['v_ns3']; - if (!empty($_POST['v_ns4'])) $v_ns4 = $_POST['v_ns4']; - if (!empty($_POST['v_ns5'])) $v_ns5 = $_POST['v_ns5']; - if (!empty($_POST['v_ns6'])) $v_ns6 = $_POST['v_ns6']; - if (!empty($_POST['v_ns7'])) $v_ns7 = $_POST['v_ns7']; - if (!empty($_POST['v_ns8'])) $v_ns8 = $_POST['v_ns8']; + $v_ip = escapeshellarg($_POST['v_ip']); + if (!empty($_POST['v_ns1'])) $v_ns1 = escapeshellarg($_POST['v_ns1']); + if (!empty($_POST['v_ns2'])) $v_ns2 = escapeshellarg($_POST['v_ns2']); + if (!empty($_POST['v_ns3'])) $v_ns3 = escapeshellarg($_POST['v_ns3']); + if (!empty($_POST['v_ns4'])) $v_ns4 = escapeshellarg($_POST['v_ns4']); + if (!empty($_POST['v_ns5'])) $v_ns5 = escapeshellarg($_POST['v_ns5']); + if (!empty($_POST['v_ns6'])) $v_ns6 = escapeshellarg($_POST['v_ns6']); + if (!empty($_POST['v_ns7'])) $v_ns7 = escapeshellarg($_POST['v_ns7']); + if (!empty($_POST['v_ns8'])) $v_ns8 = escapeshellarg($_POST['v_ns8']); // Add dns domain if (empty($_SESSION['error_msg'])) { - v_exec('v-add-dns-domain', [$user, $v_domain, $v_ip, $v_ns1, $v_ns2, $v_ns3, $v_ns4, $v_ns5, $v_ns6, $v_ns7, $v_ns8, 'no']); + exec (VESTA_CMD."v-add-dns-domain ".$user." ".$v_domain." ".$v_ip." ".$v_ns1." ".$v_ns2." ".$v_ns3." ".$v_ns4." ".$v_ns5." ".$v_ns6." ".$v_ns7." ".$v_ns8." 
no", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set expiriation date if (empty($_SESSION['error_msg'])) { if ((!empty($_POST['v_exp'])) && ($_POST['v_exp'] != date('Y-m-d', strtotime('+1 year')))) { - $v_exp = $_POST['v_exp']; - v_exec('v-change-dns-domain-exp', [$user, $v_domain, $v_exp, 'no']); + $v_exp = escapeshellarg($_POST['v_exp']); + exec (VESTA_CMD."v-change-dns-domain-exp ".$user." ".$v_domain." ".$v_exp." no", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } // Set ttl if (empty($_SESSION['error_msg'])) { if ((!empty($_POST['v_ttl'])) && ($_POST['v_ttl'] != '14400') && (empty($_SESSION['error_msg']))) { - $v_ttl = $_POST['v_ttl']; - v_exec('v-change-dns-domain-ttl', [$user, $v_domain, $v_ttl, 'no']); + $v_ttl = escapeshellarg($_POST['v_ttl']); + exec (VESTA_CMD."v-change-dns-domain-ttl ".$user." ".$v_domain." ".$v_ttl." no", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } // Restart dns server if (empty($_SESSION['error_msg'])) { - v_exec('v-restart-dns'); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK', htmlentities($_POST[v_domain]), htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain])); unset($v_domain); } } @@ -84,7 +93,7 @@ if (!empty($_POST['ok_rec'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
@@ -104,15 +113,18 @@ if (!empty($_POST['ok_rec'])) { } // Protect input - $v_domain = $_POST['v_domain']; - $v_rec = $_POST['v_rec']; - $v_type = $_POST['v_type']; - $v_val = $_POST['v_val']; - $v_priority = $_POST['v_priority']; + $v_domain = escapeshellarg($_POST['v_domain']); + $v_rec = escapeshellarg($_POST['v_rec']); + $v_type = escapeshellarg($_POST['v_type']); + $v_val = escapeshellarg($_POST['v_val']); + $v_priority = escapeshellarg($_POST['v_priority']); // Add dns record if (empty($_SESSION['error_msg'])) { - v_exec('v-add-dns-record', [$user, $v_domain, $v_rec, $v_type, $v_val, $v_priority]); + exec (VESTA_CMD."v-add-dns-record ".$user." ".$v_domain." ".$v_rec." ".$v_type." ".$v_val." ".$v_priority, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + $v_type = $_POST['v_type']; } // Flush field values on success @@ -147,8 +159,8 @@ if (empty($_GET['domain'])) { if (empty($v_ttl)) $v_ttl = 14400; if (empty($v_exp)) $v_exp = date('Y-m-d', strtotime('+1 year')); if (empty($v_ns1)) { - v_exec('v-list-user-ns', [$user, 'json'], false, $output); - $nameservers = json_decode($output, true); + exec (VESTA_CMD."v-list-user-ns ".$user." json", $output, $return_var); + $nameservers = json_decode(implode('', $output), true); $v_ns1 = str_replace("'", "", $nameservers[0]); $v_ns2 = str_replace("'", "", $nameservers[1]); $v_ns3 = str_replace("'", "", $nameservers[2]); @@ -157,6 +169,7 @@ if (empty($_GET['domain'])) { $v_ns6 = str_replace("'", "", $nameservers[5]); $v_ns7 = str_replace("'", "", $nameservers[6]); $v_ns8 = str_replace("'", "", $nameservers[7]); + unset($output); } include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_dns.html'); } diff --git a/web/add/favorite/index.php b/web/add/favorite/index.php index 9987ecc9c..e9f2e828d 100644 --- a/web/add/favorite/index.php +++ b/web/add/favorite/index.php 
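Review bot: After the `v-add-dns-record` call only `$v_type = $_POST['v_type'];` is restored to its submitted form, while `$v_domain`, `$v_rec`, `$v_val` and `$v_priority` keep their `escapeshellarg()` single quotes; the flush block below the hunk presumably unsets them on success, but on a failed call the form would be re-filled with quoted values. Either restore all of them the same way or, simpler, escape inline in the `exec` string and leave the `$v_*` variables raw.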
@@ -9,13 +9,15 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token // if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { // header('location: /login/'); -// exit; +// exit(); // } - $v_section = $_REQUEST['v_section']; - $v_unit_id = $_REQUEST['v_unit_id']; + // Protect input + $v_section = escapeshellarg($_REQUEST['v_section']); + $v_unit_id = escapeshellarg($_REQUEST['v_unit_id']); - $_SESSION['favourites'][strtoupper((string)$v_section)][(string)$v_unit_id] = 1; + $_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']] = 1; - v_exec('v-add-user-favourites', [$_SESSION['user'], $v_section, $v_unit_id], false/*true*/); + exec (VESTA_CMD."v-add-user-favourites ".$_SESSION['user']." ".$v_section." ".$v_unit_id, $output, $return_var); +// check_return_code($return_var,$output); ?> \ No newline at end of file diff --git a/web/add/firewall/banlist/index.php b/web/add/firewall/banlist/index.php index e95324bf3..f0e97042a 100644 --- a/web/add/firewall/banlist/index.php +++ b/web/add/firewall/banlist/index.php @@ -31,12 +31,15 @@ if (!empty($_POST['ok'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } - $v_chain = $_POST['v_chain']; - $v_ip = $_POST['v_ip']; + // Protect input + $v_chain = escapeshellarg($_POST['v_chain']); + $v_ip = escapeshellarg($_POST['v_ip']); // Add firewall ban if (empty($_SESSION['error_msg'])) { - v_exec('v-add-firewall-ban', [$v_ip, $v_chain]); + exec (VESTA_CMD."v-add-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Flush field values on success diff --git a/web/add/firewall/index.php b/web/add/firewall/index.php index e6ead5a16..caae650ce 100644 --- a/web/add/firewall/index.php +++ b/web/add/firewall/index.php 
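Review bot: With the `token` check still commented out and the values read from `$_REQUEST`, a plain GET from any site can add a favourite for the logged-in user, and `check_return_code` is commented out as well, so failures are silent; the token block should be re-enabled (this is a state change) and the values read from `$_POST`. The revert also drops the `(string)` casts: a request such as `v_unit_id[]=x` makes `$_REQUEST['v_unit_id']` an array, and `$_SESSION['favourites'][...][$_REQUEST['v_unit_id']] = 1;` then fails with "Illegal offset type" (a fatal error or `TypeError` depending on PHP version), while `escapeshellarg()` on an array errors too; reject non-scalar input up front, e.g. `if (!is_scalar($_REQUEST['v_section']) || !is_scalar($_REQUEST['v_unit_id'])) exit;`.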
@@ -20,7 +20,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields @@ -39,17 +39,21 @@ if (!empty($_POST['ok'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } - $v_action = $_POST['v_action']; - $v_protocol = $_POST['v_protocol']; - $v_port = str_replace(' ', ',', $_POST['v_port']); + // Protect input + $v_action = escapeshellarg($_POST['v_action']); + $v_protocol = escapeshellarg($_POST['v_protocol']); + $v_port = str_replace(" ",",", $_POST['v_port']); $v_port = preg_replace('/\,+/', ',', $v_port); - $v_port = trim($v_port, ','); - $v_ip = $_POST['v_ip']; - $v_comment = $_POST['v_comment']; + $v_port = trim($v_port, ","); + $v_port = escapeshellarg($v_port); + $v_ip = escapeshellarg($_POST['v_ip']); + $v_comment = escapeshellarg($_POST['v_comment']); // Add firewall rule if (empty($_SESSION['error_msg'])) { - v_exec('v-add-firewall-rule', [$v_action, $v_ip, $v_port, $v_protocol, $v_comment]); + exec (VESTA_CMD."v-add-firewall-rule ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Flush field values on success diff --git a/web/add/ip/index.php b/web/add/ip/index.php index 5ac006801..5f48a081d 100644 --- a/web/add/ip/index.php +++ b/web/add/ip/index.php @@ -19,7 +19,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
@@ -38,12 +38,13 @@ if (!empty($_POST['ok'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } - $v_ip = $_POST['v_ip']; - $v_netmask = $_POST['v_netmask']; - $v_name = $_POST['v_name']; - $v_nat = $_POST['v_nat']; - $v_interface = $_POST['v_interface']; - $v_owner = $_POST['v_owner']; + // Protect input + $v_ip = escapeshellarg($_POST['v_ip']); + $v_netmask = escapeshellarg($_POST['v_netmask']); + $v_name = escapeshellarg($_POST['v_name']); + $v_nat = escapeshellarg($_POST['v_nat']); + $v_interface = escapeshellarg($_POST['v_interface']); + $v_owner = escapeshellarg($_POST['v_owner']); $v_shared = $_POST['v_shared']; // Check shared checkmark @@ -52,11 +53,16 @@ if (!empty($_POST['ok'])) { } else { $ip_status = 'dedicated'; $v_dedicated = 'yes'; + } // Add IP if (empty($_SESSION['error_msg'])) { - v_exec('v-add-sys-ip', [$v_ip, $v_netmask, $v_interface, $v_owner, $ip_status, $v_name, $v_nat]); + exec (VESTA_CMD."v-add-sys-ip ".$v_ip." ".$v_netmask." ".$v_interface." ".$v_owner." '".$ip_status."' ".$v_name." ".$v_nat, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + $v_owner = $_POST['v_owner']; + $v_interface = $_POST['v_interface']; } // Flush field values on success @@ -76,12 +82,14 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // List network interfaces -v_exec('v-list-sys-interfaces', ['json'], false, $output); -$interfaces = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-interfaces 'json'", $output, $return_var); +$interfaces = json_decode(implode('', $output), true); +unset($output); // List users -v_exec('v-list-sys-users', ['json'], false, $output); -$users = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-users 'json'", $output, $return_var); +$users = json_decode(implode('', $output), true); +unset($output); // Display body include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_ip.html'); 
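Review bot: After the `v-add-sys-ip` call only `$v_owner` and `$v_interface` are reset to their submitted values, while `$v_ip`, `$v_netmask`, `$v_name` and `$v_nat` stay `escapeshellarg()`-quoted, so if `check_return_code` records an error the template (outside this hunk) would be re-filled with `'192.0.2.10'` rather than `192.0.2.10`; restore them all, or escape inline in the `exec` string and keep the variables raw. The lone `+ }` added after `$v_dedicated = 'yes';` cannot be placed from this view — it either closes the `else` that the removed side left open or adds a stray brace; whichever it is, the surrounding lines are not shown, so it is worth a second look.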
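Review bot: `$interfaces` and `$users` are assigned from `json_decode(implode('', $output), true)` without checking `$return_var`, so a failing `v-list-sys-interfaces` or `v-list-sys-users` yields `null` and whatever iterates them in add_ip.html will warn or throw; `if (!is_array($interfaces)) $interfaces = array();` (and the same for `$users`) keeps the page rendering with an empty list.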
diff --git a/web/add/mail/index.php b/web/add/mail/index.php index 5ae28a38c..12adde125 100644 --- a/web/add/mail/index.php +++ b/web/add/mail/index.php @@ -14,7 +14,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields @@ -53,16 +53,19 @@ if (!empty($_POST['ok'])) { // Set domain name to lowercase and remove www prefix $v_domain = preg_replace("/^www./i", "", $_POST['v_domain']); + $v_domain = escapeshellarg($v_domain); $v_domain = strtolower($v_domain); // Add mail domain if (empty($_SESSION['error_msg'])) { - v_exec('v-add-mail-domain', [$user, $v_domain, $v_antispam, $v_antivirus, $v_dkim]); + exec (VESTA_CMD."v-add-mail-domain ".$user." ".$v_domain." ".$v_antispam." ".$v_antivirus." ".$v_dkim, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('MAIL_DOMAIN_CREATED_OK', htmlentities($_POST['v_domain']), htmlentities($_POST['v_domain'])); + $_SESSION['ok_msg'] = __('MAIL_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain'])); unset($v_domain); } } @@ -74,7 +77,7 @@ if (!empty($_POST['ok_acc'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
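Review bot: `$v_antispam`, `$v_antivirus` and `$v_dkim` are concatenated into the `v-add-mail-domain` command without `escapeshellarg()`, unlike `$v_domain` on the line above; they are assigned above this hunk (outside the diff), and if they are normalised to fixed `yes`/`no` literals there this is fine, but if any of them is copied from `$_POST` this reopens the shell injection the reverted commit closed. Make the invariant visible at the call, e.g. `$v_antispam = empty($_POST['v_antispam']) ? 'no' : 'yes';` (and likewise for the other two), so the unquoted concatenation is obviously safe to a reader of this file.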
@@ -89,16 +92,17 @@ if (!empty($_POST['ok_acc'])) { $error_msg = $error_msg.", ".$error; } } - $_SESSION['error_msg'] = __('Field "%s" can not be blank.', $error_msg); + $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } // Protect input - $v_domain = strtolower($_POST['v_domain']); - $v_account = $_POST['v_account']; - $v_quota = $_POST['v_quota']; + $v_domain = escapeshellarg($_POST['v_domain']); + $v_domain = strtolower($v_domain); + $v_account = escapeshellarg($_POST['v_account']); + $v_quota = escapeshellarg($_POST['v_quota']); $v_aliases = $_POST['v_aliases']; $v_fwd = $_POST['v_fwd']; - if (empty($_POST['v_quota'])) $v_quota = '0'; + if (empty($_POST['v_quota'])) $v_quota = 0; if ((!empty($_POST['v_quota'])) || (!empty($_POST['v_aliases'])) || (!empty($_POST['v_fwd'])) ) $v_adv = 'yes'; // Add Mail Account 
@@ -107,55 +111,65 @@ if (!empty($_POST['ok_acc'])) { $fp = fopen($v_password, "w"); fwrite($fp, $_POST['v_password']."\n"); fclose($fp); - v_exec('v-add-mail-account', [$user, $v_domain, $v_account, $v_password, $v_quota]); + exec (VESTA_CMD."v-add-mail-account ".$user." ".$v_domain." ".$v_account." ".$v_password." ".$v_quota, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_password); - $v_password = $_POST['v_password']; + $v_password = escapeshellarg($_POST['v_password']); } // Add Aliases if ((!empty($_POST['v_aliases'])) && (empty($_SESSION['error_msg']))) { - $valiases = preg_replace('/\n/', ' ', $_POST['v_aliases']); - $valiases = preg_replace('/,/', ' ', $valiases); + $valiases = preg_replace("/\n/", " ", $_POST['v_aliases']); + $valiases = preg_replace("/,/", " ", $valiases); $valiases = preg_replace('/\s+/', ' ',$valiases); $valiases = trim($valiases); - $aliases = explode(' ', $valiases); + $aliases = explode(" ", $valiases); foreach ($aliases as $alias) { + $alias = escapeshellarg($alias); if (empty($_SESSION['error_msg'])) { - v_exec('v-add-mail-account-alias', [$user, $v_domain, $v_account, $alias]); + exec (VESTA_CMD."v-add-mail-account-alias ".$user." ".$v_domain." ".$v_account." 
".$alias, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } } // Add Forwarders if ((!empty($_POST['v_fwd'])) && (empty($_SESSION['error_msg']))) { - $vfwd = preg_replace('/\n/', ' ', $_POST['v_fwd']); - $vfwd = preg_replace('/,/', ' ', $vfwd); + $vfwd = preg_replace("/\n/", " ", $_POST['v_fwd']); + $vfwd = preg_replace("/,/", " ", $vfwd); $vfwd = preg_replace('/\s+/', ' ',$vfwd); $vfwd = trim($vfwd); - $fwd = explode(' ', $vfwd); + $fwd = explode(" ", $vfwd); foreach ($fwd as $forward) { + $forward = escapeshellarg($forward); if (empty($_SESSION['error_msg'])) { - v_exec('v-add-mail-account-forward', [$user, $v_domain, $v_account, $forward]); + exec (VESTA_CMD."v-add-mail-account-forward ".$user." ".$v_domain." ".$v_account." ".$forward, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } } // Add fwd_only flag if ((!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-account-fwd-only', [$user, $v_domain, $v_account]); + exec (VESTA_CMD."v-add-mail-account-fwd-only ".$user." ".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Get webmail url if (empty($_SESSION['error_msg'])) { - list($http_host, $port) = explode(':', $_SERVER['HTTP_HOST'].':'); - $webmail = "http://$http_host/webmail/"; + list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"].":"); + $webmail = "http://".$http_host."/webmail/"; if (!empty($_SESSION['MAIL_URL'])) $webmail = $_SESSION['MAIL_URL']; } // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK', htmlentities(strtolower($_POST['v_account'])), htmlentities($_POST['v_domain']), htmlentities(strtolower($_POST['v_account'])), htmlentities($_POST['v_domain'])); - $_SESSION['ok_msg'] .= " / " . __('open webmail') . 
''; + $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK',htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain]),htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] .= " / " . __('open webmail') . ""; unset($v_account); unset($v_password); unset($v_password); diff --git a/web/add/package/index.php b/web/add/package/index.php index f93e1b03e..f620b4711 100644 --- a/web/add/package/index.php +++ b/web/add/package/index.php @@ -19,7 +19,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
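Review bot: `htmlentities($_POST[v_domain])` in the success message replaces the removed side's `$_POST['v_domain']` with a bare `v_domain` constant; PHP 5/7 fall back to the string `'v_domain'` with a notice, so it works by accident, but PHP 8 throws `Error: Undefined constant`, so both occurrences on that line need `$_POST['v_domain']`. `$v_password = escapeshellarg($_POST['v_password']);` after `unlink($v_password)` reuses the temp-file variable for the raw secret and nothing in the hunk reads the quoted value; `unset($v_password);` directly after the `unlink` is clearer and keeps the password out of a variable that lives until the end of the handler.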
@@ -57,23 +57,24 @@ if (!empty($_POST['ok'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } - $v_package = $_POST['v_package']; - $v_web_template = $_POST['v_web_template']; - $v_backend_template = $_POST['v_backend_template']; - $v_proxy_template = $_POST['v_proxy_template']; - $v_dns_template = $_POST['v_dns_template']; - $v_shell = $_POST['v_shell']; - $v_web_domains = $_POST['v_web_domains']; - $v_web_aliases = $_POST['v_web_aliases']; - $v_dns_domains = $_POST['v_dns_domains']; - $v_dns_records = $_POST['v_dns_records']; - $v_mail_domains = $_POST['v_mail_domains']; - $v_mail_accounts = $_POST['v_mail_accounts']; - $v_databases = $_POST['v_databases']; - $v_cron_jobs = $_POST['v_cron_jobs']; - $v_backups = $_POST['v_backups']; - $v_disk_quota = $_POST['v_disk_quota']; - $v_bandwidth = $_POST['v_bandwidth']; + // Protect input + $v_package = escapeshellarg($_POST['v_package']); + $v_web_template = escapeshellarg($_POST['v_web_template']); + $v_backend_template = escapeshellarg($_POST['v_backend_template']); + $v_proxy_template = escapeshellarg($_POST['v_proxy_template']); + $v_dns_template = escapeshellarg($_POST['v_dns_template']); + $v_shell = escapeshellarg($_POST['v_shell']); + $v_web_domains = escapeshellarg($_POST['v_web_domains']); + $v_web_aliases = escapeshellarg($_POST['v_web_aliases']); + $v_dns_domains = escapeshellarg($_POST['v_dns_domains']); + $v_dns_records = escapeshellarg($_POST['v_dns_records']); + $v_mail_domains = escapeshellarg($_POST['v_mail_domains']); + $v_mail_accounts = escapeshellarg($_POST['v_mail_accounts']); + $v_databases = escapeshellarg($_POST['v_databases']); + $v_cron_jobs = escapeshellarg($_POST['v_cron_jobs']); + $v_backups = escapeshellarg($_POST['v_backups']); + $v_disk_quota = escapeshellarg($_POST['v_disk_quota']); + $v_bandwidth = escapeshellarg($_POST['v_bandwidth']); $v_ns1 = trim($_POST['v_ns1'], '.'); $v_ns2 = trim($_POST['v_ns2'], '.'); $v_ns3 = trim($_POST['v_ns3'], '.'); 
@@ -89,46 +90,43 @@ if (!empty($_POST['ok'])) { if (!empty($v_ns6)) $v_ns .= ",".$v_ns6; if (!empty($v_ns7)) $v_ns .= ",".$v_ns7; if (!empty($v_ns8)) $v_ns .= ",".$v_ns8; - $v_time = date('H:i:s'); - $v_date = date('Y-m-d'); + $v_ns = escapeshellarg($v_ns); + $v_time = escapeshellarg(date('H:i:s')); + $v_date = escapeshellarg(date('Y-m-d')); // Create temporary dir if (empty($_SESSION['error_msg'])) { - exec('mktemp -d', $output, $return_var); + exec ('mktemp -d', $output, $return_var); $tmpdir = $output[0]; - check_return_code($return_var, $output); + check_return_code($return_var,$output); unset($output); } // Create package file if (empty($_SESSION['error_msg'])) { - $a_pkg = [ - 'WEB_TEMPLATE' => $v_web_template, - 'BACKEND_TEMPLATE' => !empty($_SESSION['WEB_BACKEND']) ? $v_backend_template : null, - 'PROXY_TEMPLATE' => !empty($_SESSION['PROXY_SYSTEM']) ? $v_proxy_template : null, - 'DNS_TEMPLATE' => $v_dns_template, - 'WEB_DOMAINS' => $v_web_domains, - 'WEB_ALIASES' => $v_web_aliases, - 'DNS_DOMAINS' => $v_dns_domains, - 'DNS_RECORDS' => $v_dns_records, - 'MAIL_DOMAINS' => $v_mail_domains, - 'MAIL_ACCOUNTS' => $v_mail_accounts, - 'DATABASES' => $v_databases, - 'CRON_JOBS' => $v_cron_jobs, - 'DISK_QUOTA' => $v_disk_quota, - 'BANDWIDTH' => $v_bandwidth, - 'NS' => $v_ns, - 'SHELL' => $v_shell, - 'BACKUPS' => $v_backups, - 'TIME' => $v_time, - 'DATE' => $v_date, - ]; - - $pkg = ''; - foreach ($a_pkg as $key => $value) { - if (is_null($value)) continue; - $pkg .= $key . '=' . escapeshellarg($value) . 
"\n"; + $pkg = "WEB_TEMPLATE=".$v_web_template."\n"; + if (!empty($_SESSION['WEB_BACKEND'])) { + $pkg .= "BACKEND_TEMPLATE=".$v_backend_template."\n"; } + if (!empty($_SESSION['PROXY_SYSTEM'])) { + $pkg .= "PROXY_TEMPLATE=".$v_proxy_template."\n"; + } + $pkg .= "DNS_TEMPLATE=".$v_dns_template."\n"; + $pkg .= "WEB_DOMAINS=".$v_web_domains."\n"; + $pkg .= "WEB_ALIASES=".$v_web_aliases."\n"; + $pkg .= "DNS_DOMAINS=".$v_dns_domains."\n"; + $pkg .= "DNS_RECORDS=".$v_dns_records."\n"; + $pkg .= "MAIL_DOMAINS=".$v_mail_domains."\n"; + $pkg .= "MAIL_ACCOUNTS=".$v_mail_accounts."\n"; + $pkg .= "DATABASES=".$v_databases."\n"; + $pkg .= "CRON_JOBS=".$v_cron_jobs."\n"; + $pkg .= "DISK_QUOTA=".$v_disk_quota."\n"; + $pkg .= "BANDWIDTH=".$v_bandwidth."\n"; + $pkg .= "NS=".$v_ns."\n"; + $pkg .= "SHELL=".$v_shell."\n"; + $pkg .= "BACKUPS=".$v_backups."\n"; + $pkg .= "TIME=".$v_time."\n"; + $pkg .= "DATE=".$v_date."\n"; $fp = fopen($tmpdir."/".$_POST['v_package'].".pkg", 'w'); fwrite($fp, $pkg); @@ -137,15 +135,18 @@ if (!empty($_POST['ok'])) { // Add new package if (empty($_SESSION['error_msg'])) { - v_exec('v-add-user-package', [$tmpdir, $v_package]); + exec (VESTA_CMD."v-add-user-package ".$tmpdir." ".$v_package, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } - // Remove tmpdir - safe_exec('rm', ['-rf', $tmpdir]); + // Remove tmpdir + exec ('rm -rf '.$tmpdir, $output, $return_var); + unset($output); // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('PACKAGE_CREATED_OK', htmlentities($_POST['v_package']), htmlentities($_POST['v_package'])); + $_SESSION['ok_msg'] = __('PACKAGE_CREATED_OK',htmlentities($_POST['v_package']),htmlentities($_POST['v_package'])); unset($v_package); } 
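Review bot: The package file path is built from the raw request value, `$fp = fopen($tmpdir."/".$_POST['v_package'].".pkg", 'w');` (context line), so a name containing a path separator or `..` is written outside `$tmpdir`; the `escapeshellarg()` applied to `$v_package` protects the later command, not this path, and the `fopen()` result is never checked before `fwrite`. Restrict the name to a single plain path component before it is used, e.g. (constructed) `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $_POST['v_package'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.', 'package'); }` reusing an existing message, and skip the write when `$fp === false`. The enclosing `if (!empty($_POST['ok']))` block starts outside the hunk.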
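Review bot: `exec ('rm -rf '.$tmpdir, $output, $return_var);` runs unconditionally, but `$tmpdir` is only assigned in the earlier `mktemp -d` branch when `$_SESSION['error_msg']` is empty, so after a validation error this executes `rm -rf ` with an undefined variable, and its `$return_var` is discarded. Guard and quote it: `if (!empty($tmpdir)) exec('rm -rf '.escapeshellarg($tmpdir), $output, $return_var);`. The `// Remove tmpdir` comment was also re-indented inconsistently with the surrounding lines.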
@@ -159,28 +160,33 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // List web temmplates -v_exec('v-list-web-templates', ['json'], false, $output); -$web_templates = json_decode($output, true); +exec (VESTA_CMD."v-list-web-templates json", $output, $return_var); +$web_templates = json_decode(implode('', $output), true); +unset($output); // List web templates for backend if (!empty($_SESSION['WEB_BACKEND'])) { - v_exec('v-list-web-templates-backend', ['json'], false, $output); - $backend_templates = json_decode($output, true); + exec (VESTA_CMD."v-list-web-templates-backend json", $output, $return_var); + $backend_templates = json_decode(implode('', $output), true); + unset($output); } // List web templates for proxy if (!empty($_SESSION['PROXY_SYSTEM'])) { - v_exec('v-list-web-templates-proxy', ['json'], false, $output); - $proxy_templates = json_decode($output, true); + exec (VESTA_CMD."v-list-web-templates-proxy json", $output, $return_var); + $proxy_templates = json_decode(implode('', $output), true); + unset($output); } // List DNS templates -v_exec('v-list-dns-templates', ['json'], false, $output); -$dns_templates = json_decode($output, true); +exec (VESTA_CMD."v-list-dns-templates json", $output, $return_var); +$dns_templates = json_decode(implode('', $output), true); +unset($output); // List system shells -v_exec('v-list-sys-shells', ['json'], false, $output); -$shells = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-shells json", $output, $return_var); +$shells = json_decode(implode('', $output), true); +unset($output); // Set default values if (empty($v_web_template)) $v_web_template = 'default'; 
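Review bot: None of the five `exec (VESTA_CMD."v-list-...", $output, $return_var)` calls in this hunk looks at `$return_var`, so a failing command silently yields `json_decode(implode('', $output), true)` on an empty string, i.e. `null`, for `$web_templates`, `$backend_templates`, `$proxy_templates`, `$dns_templates` and `$shells`. The `v-list-user-packages` call in `web/add/user/index.php` (`@@ -112`) already follows its exec with `check_error($return_var);`; the same line after each exec here, after `v-list-sys-languages` in that hunk, and after the `v-list-user-ips`/`v-list-web-stats` calls in `web/add/web/index.php` (`@@ -312`) makes the failure visible instead of rendering an empty page.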
@@ -188,17 +194,17 @@ if (empty($v_backend_template)) $v_backend_template = 'default'; if (empty($v_proxy_template)) $v_proxy_template = 'default'; if (empty($v_dns_template)) $v_dns_template = 'default'; if (empty($v_shell)) $v_shell = 'nologin'; -if (empty($v_web_domains)) $v_web_domains = '1'; -if (empty($v_web_aliases)) $v_web_aliases = '1'; -if (empty($v_dns_domains)) $v_dns_domains = '1'; -if (empty($v_dns_records)) $v_dns_records = '1'; -if (empty($v_mail_domains)) $v_mail_domains = '1'; -if (empty($v_mail_accounts)) $v_mail_accounts = '1'; -if (empty($v_databases)) $v_databases = '1'; -if (empty($v_cron_jobs)) $v_cron_jobs = '1'; -if (empty($v_backups)) $v_backups = '1'; -if (empty($v_disk_quota)) $v_disk_quota = '1000'; -if (empty($v_bandwidth)) $v_bandwidth = '1000'; +if (empty($v_web_domains)) $v_web_domains = "'1'"; +if (empty($v_web_aliases)) $v_web_aliases = "'1'"; +if (empty($v_dns_domains)) $v_dns_domains = "'1'"; +if (empty($v_dns_records)) $v_dns_records = "'1'"; +if (empty($v_mail_domains)) $v_mail_domains = "'1'"; +if (empty($v_mail_accounts)) $v_mail_accounts = "'1'"; +if (empty($v_databases)) $v_databases = "'1'"; +if (empty($v_cron_jobs)) $v_cron_jobs = "'1'"; +if (empty($v_backups)) $v_backups = "'1'"; +if (empty($v_disk_quota)) $v_disk_quota = "'1000'"; +if (empty($v_bandwidth)) $v_bandwidth = "'1000'"; if (empty($v_ns1)) $v_ns1 = 'ns1.example.ltd'; if (empty($v_ns2)) $v_ns2 = 'ns2.example.ltd'; diff --git a/web/add/user/index.php b/web/add/user/index.php index 434dd6746..26de10209 100644 --- a/web/add/user/index.php +++ b/web/add/user/index.php @@ -19,7 +19,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
@@ -48,15 +48,16 @@ if (!empty($_POST['ok'])) { // Check password length if (empty($_SESSION['error_msg'])) { $pw_len = strlen($_POST['v_password']); - if ($pw_len < 6) $_SESSION['error_msg'] = __('Password is too short.', $error_msg); + if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg); } - $v_username = $_POST['v_username']; - $v_email = $_POST['v_email']; - $v_package = $_POST['v_package']; - $v_language = $_POST['v_language']; - $v_fname = $_POST['v_fname']; - $v_lname = $_POST['v_lname']; + // Protect input + $v_username = escapeshellarg($_POST['v_username']); + $v_email = escapeshellarg($_POST['v_email']); + $v_package = escapeshellarg($_POST['v_package']); + $v_language = escapeshellarg($_POST['v_language']); + $v_fname = escapeshellarg($_POST['v_fname']); + $v_lname = escapeshellarg($_POST['v_lname']); $v_notify = $_POST['v_notify']; @@ -66,14 +67,18 @@ if (!empty($_POST['ok'])) { $fp = fopen($v_password, "w"); fwrite($fp, $_POST['v_password']."\n"); fclose($fp); - v_exec('v-add-user', [$v_username, $v_password, $v_email, $v_package, $v_fname, $v_lname]); + exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_password); - $v_password = $_POST['v_password']; + $v_password = escapeshellarg($_POST['v_password']); } // Set language if (empty($_SESSION['error_msg'])) { - v_exec('v-change-user-language', [$v_username, $v_language]); + exec (VESTA_CMD."v-change-user-language ".$v_username." ".$v_language, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Send email to the new user 
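Review bot: `$v_password = escapeshellarg($_POST['v_password']);` after `unlink($v_password);` replaces the temporary-file path with the shell-quoted cleartext password, yet nothing in this hunk passes it to a shell again; if it only feeds later display or the welcome mail (not visible), the surrounding quotes are wrong there, and the removed line `$v_password = $_POST['v_password'];` was at least the right representation. Prefer not to keep the cleartext in scope at all once the command has consumed the file: `$v_password = '';`, and read `$_POST['v_password']` directly where it is genuinely needed. `$fp = fopen($v_password, "w");` at the top of the second hunk is also not checked before `fwrite`, so a failed open hands `v-add-user` an empty password file. The enclosing `if (empty($_SESSION['error_msg']))` blocks start outside the hunks.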
@@ -81,6 +86,7 @@ if (!empty($_POST['ok'])) { $to = $_POST['v_notify']; $subject = _translate($_POST['v_language'],"Welcome to Vesta Control Panel"); $hostname = exec('hostname'); + unset($output); $from = _translate($_POST['v_language'],'MAIL_FROM',$hostname); if (!empty($_POST['v_fname'])) { $mailtext = _translate($_POST['v_language'],'GREETINGS_GORDON_FREEMAN',$_POST['v_fname'],$_POST['v_lname']); @@ -112,13 +118,15 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // List hosting packages -$return_var = v_exec('v-list-user-packages', ['json'], false, $output); +exec (VESTA_CMD."v-list-user-packages json", $output, $return_var); check_error($return_var); -$data = json_decode($output, true); +$data = json_decode(implode('', $output), true); +unset($output); // List languages -v_exec('v-list-sys-languages', ['json'], false, $output); -$languages = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var); +$languages = json_decode(implode('', $output), true); +unset($output); // Display body include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_user.html'); diff --git a/web/add/web/index.php b/web/add/web/index.php index faa88d182..612ae547b 100644 --- a/web/add/web/index.php +++ b/web/add/web/index.php @@ -13,7 +13,7 @@ if (!empty($_POST['ok'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check for empty fields @@ -42,10 +42,11 @@ if (!empty($_POST['ok'])) { // Set domain to lowercase and remove www prefix $v_domain = preg_replace("/^www\./i", "", $_POST['v_domain']); + $v_domain = escapeshellarg($v_domain); $v_domain = strtolower($v_domain); // Define domain ip address - $v_ip = $_POST['v_ip']; + $v_ip = escapeshellarg($_POST['v_ip']); // Define domain aliases $v_aliases = $_POST['v_aliases']; 
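Review bot: The added `unset($output);` after `$hostname = exec('hostname');` is a no-op: that call passes no output array, so there is nothing to clear, and the line should go. Separately, `$to = $_POST['v_notify'];` reaches the mail code without validation; presumably it becomes a recipient header, where a value with embedded line breaks can alter the message headers, so validate it first, e.g. `$to = filter_var($_POST['v_notify'], FILTER_VALIDATE_EMAIL);` and skip sending when that is `false`. The enclosing notify block starts outside the hunk.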
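Review bot: Escaping the domain at assignment (`$v_domain = escapeshellarg($v_domain);` followed by `strtolower`) turns `$v_domain` into a single-quoted shell word that the next hunk then uses as an array key (`$data[$v_domain]['SSL_HOME']`, `$data[$v_domain]['STATS_USER']`), where the quotes prevent any match; `$data` is not assigned in the visible hunks, so those lookups look like a carry-over anyway. Keep `$v_domain` as the plain lowercase name and escape at each `exec()`, or introduce a separate variable for the quoted form so the two uses cannot be confused. The enclosing `if (!empty($_POST['ok']))` block starts outside the hunk.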
@@ -53,10 +54,11 @@ if (!empty($_POST['ok'])) { $aliases = preg_replace("/\r/", ",", $aliases); $aliases = preg_replace("/\t/", ",", $aliases); $aliases = preg_replace("/ /", ",", $aliases); - $aliases_arr = explode(',', $aliases); + $aliases_arr = explode(",", $aliases); $aliases_arr = array_unique($aliases_arr); $aliases_arr = array_filter($aliases_arr); - $aliases = implode(',', $aliases_arr); + $aliases = implode(",",$aliases_arr); + $aliases = escapeshellarg($aliases); // Define proxy extentions $v_proxy_ext = $_POST['v_proxy_ext']; @@ -64,10 +66,11 @@ if (!empty($_POST['ok'])) { $proxy_ext = preg_replace("/\r/", ",", $proxy_ext); $proxy_ext = preg_replace("/\t/", ",", $proxy_ext); $proxy_ext = preg_replace("/ /", ",", $proxy_ext); - $proxy_ext_arr = explode(',', $proxy_ext); + $proxy_ext_arr = explode(",", $proxy_ext); $proxy_ext_arr = array_unique($proxy_ext_arr); $proxy_ext_arr = array_filter($proxy_ext_arr); - $proxy_ext = implode(',', $proxy_ext_arr); + $proxy_ext = implode(",",$proxy_ext_arr); + $proxy_ext = escapeshellarg($proxy_ext); // Define other options $v_elog = $_POST['v_elog']; @@ -76,7 +79,7 @@ if (!empty($_POST['ok'])) { $v_ssl_key = $_POST['v_ssl_key']; $v_ssl_ca = $_POST['v_ssl_ca']; $v_ssl_home = $data[$v_domain]['SSL_HOME']; - $v_stats = $_POST['v_stats']; + $v_stats = escapeshellarg($_POST['v_stats']); $v_stats_user = $data[$v_domain]['STATS_USER']; $v_stats_password = $data[$v_domain]['STATS_PASSWORD']; $v_ftp = $_POST['v_ftp']; 
@@ -101,32 +104,44 @@ if (!empty($_POST['ok'])) { // Add web domain if (empty($_SESSION['error_msg'])) { - v_exec('v-add-web-domain', [$user, $v_domain, $v_ip, 'no', $aliases, $proxy_ext]); + exec (VESTA_CMD."v-add-web-domain ".$user." ".$v_domain." ".$v_ip." 'no' ".$aliases." ".$proxy_ext, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $domain_added = empty($_SESSION['error_msg']); } // Add DNS domain if (($_POST['v_dns'] == 'on') && (empty($_SESSION['error_msg']))) { - v_exec('v-add-dns-domain', [$user, $v_domain, $v_ip]); + exec (VESTA_CMD."v-add-dns-domain ".$user." ".$v_domain." ".$v_ip, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add DNS for domain aliases if (($_POST['v_dns'] == 'on') && (empty($_SESSION['error_msg']))) { foreach ($aliases_arr as $alias) { - if ($alias != 'www.' . $_POST['v_domain']) { - v_exec('v-add-dns-on-web-alias', [$user, $alias, $v_ip, 'no']); + if ($alias != "www.".$_POST['v_domain']) { + $alias = escapeshellarg($alias); + exec (VESTA_CMD."v-add-dns-on-web-alias ".$user." ".$alias." ".$v_ip." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } } // Add mail domain if (($_POST['v_mail'] == 'on') && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-domain', [$user, $v_domain]); + exec (VESTA_CMD."v-add-mail-domain ".$user." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Delete proxy support if ((!empty($_SESSION['PROXY_SYSTEM'])) && ($_POST['v_proxy'] == 'off') && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-web-domain-proxy', [$user, $v_domain, 'no']); + $ext = escapeshellarg($ext); + exec (VESTA_CMD."v-delete-web-domain-proxy ".$user." ".$v_domain." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add SSL certificates 
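Review bot: `$ext = escapeshellarg($ext);` in the proxy-removal branch escapes a variable that is assigned nowhere in this file's visible hunks and is not used by the `v-delete-web-domain-proxy` command on the next line, so it only produces an undefined-variable notice; delete it. In the alias loop `$alias = escapeshellarg($alias);` reassigns the `foreach` variable, which is harmless by value but reads as if `$aliases_arr` were being modified; a distinct name such as `$alias_arg` is clearer. `$user` is concatenated unescaped into every command in this hunk; it is not assigned in any visible hunk, so if it comes from the session that is fine, but a one-line comment saying so would save the next reader the check.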
@@ -159,46 +174,60 @@ if (!empty($_POST['ok'])) { fclose($fp); } - $v_ssl_home = $_POST['v_ssl_home']; - v_exec('v-add-web-domain-ssl', [$user, $v_domain, $tmpdir, $v_ssl_home, 'no']); + $v_ssl_home = escapeshellarg($_POST['v_ssl_home']); + exec (VESTA_CMD."v-add-web-domain-ssl ".$user." ".$v_domain." ".$tmpdir." ".$v_ssl_home." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add web stats if ((!empty($_POST['v_stats'])) && ($_POST['v_stats'] != 'none' ) && (empty($_SESSION['error_msg']))) { - $v_stats = $_POST['v_stats']; - v_exec('v-add-web-domain-stats', [$user, $v_domain, $v_stats]); + $v_stats = escapeshellarg($_POST['v_stats']); + exec (VESTA_CMD."v-add-web-domain-stats ".$user." ".$v_domain." ".$v_stats, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add web stats password if ((!empty($_POST['v_stats_user'])) && (empty($_SESSION['error_msg']))) { - $v_stats_user = $_POST['v_stats_user']; + $v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_password = tempnam("/tmp","vst"); $fp = fopen($v_stats_password, "w"); fwrite($fp, $_POST['v_stats_password']."\n"); fclose($fp); - v_exec('v-add-web-domain-stats-user', [$user, $v_domain, $v_stats_user, $v_stats_password]); + exec (VESTA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." 
".$v_stats_password, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_stats_password); - $v_stats_password = $_POST['v_stats_password']; + $v_stats_password = escapeshellarg($_POST['v_stats_password']); } // Restart DNS server if (($_POST['v_dns'] == 'on') && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-dns'); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Restart web server if (empty($_SESSION['error_msg'])) { - v_exec('v-restart-web'); + exec (VESTA_CMD."v-restart-web", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Restart backend server //if ((!empty($_SESSION['WEB_BACKEND'])) && (empty($_SESSION['error_msg']))) { - // v_exec('v-restart-backend'); + // exec (VESTA_CMD."v-restart-web-backend", $output, $return_var); + // check_return_code($return_var,$output); + // unset($output); //} // Restart proxy server if ((!empty($_SESSION['PROXY_SYSTEM'])) && ($_POST['v_proxy'] == 'on') && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-proxy'); + exec (VESTA_CMD."v-restart-proxy", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add FTP 
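Review bot: `$v_stats_password = escapeshellarg($_POST['v_stats_password']);` after `unlink($v_stats_password);` keeps the cleartext statistics password in scope, now with shell quotes, although the command has already consumed it via the temporary file and nothing later in the hunk passes it to a shell; if it only feeds the page template (not visible), the quotes would be rendered. Clear it instead: `$v_stats_password = '';`. The same file opens `$fp = fopen($v_stats_password, "w");` without checking the result before `fwrite`. The hunk is inside the `if (!empty($_POST['ok']))` block that starts outside it.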
@@ -236,19 +265,22 @@ if (!empty($_POST['ok'])) { $v_ftp_user_data['v_ftp_user'] = preg_replace("/^".$user."_/i", "", $v_ftp_user_data['v_ftp_user']); $v_ftp_username = $v_ftp_user_data['v_ftp_user']; $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user']; + $v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']); if ($domain_added) { - $v_ftp_path = trim($v_ftp_user_data['v_ftp_path']); + $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); $v_ftp_password = tempnam("/tmp","vst"); $fp = fopen($v_ftp_password, "w"); fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n"); fclose($fp); - v_exec('v-add-web-domain-ftp', [$user, $v_domain, $v_ftp_username, $v_ftp_password, $v_ftp_path]); + exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_ftp_password); if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) { $to = $v_ftp_user_data['v_ftp_email']; - $subject = __('FTP login credentials'); - $from = __('MAIL_FROM', $_POST['v_domain']); - $mailtext = __('FTP_ACCOUNT_READY', $_POST['v_domain'], $user, $v_ftp_username, $v_ftp_user_data['v_ftp_password']); + $subject = __("FTP login credentials"); + $from = __('MAIL_FROM',$_POST['v_domain']); + $mailtext = __('FTP_ACCOUNT_READY',$_POST['v_domain'],$user,$v_ftp_user_data['v_ftp_user'],$v_ftp_user_data['v_ftp_password']); send_email($to, $subject, $mailtext, $from); unset($v_ftp_email); } 
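Review bot: `$v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']);` is computed, but the command below concatenates the unescaped `$v_ftp_username` instead (`... " ".$v_ftp_username." ".$v_ftp_password ...`), so the FTP user name is the one value in this hunk that reaches the shell unquoted. Use the escaped variable in the command: `exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password." ".$v_ftp_path, $output, $return_var);`. The enclosing `foreach` over the FTP users starts outside the hunk.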
@@ -257,13 +289,13 @@ if (!empty($_POST['ok'])) { } if ($return_var == 0) { - $v_ftp_password = '••••••••'; + $v_ftp_password = "••••••••"; $v_ftp_user_data['is_new'] = 0; } else { $v_ftp_user_data['is_new'] = 1; } - $v_ftp_username = preg_replace("/^{$user}_/", '', $v_ftp_user_data['v_ftp_user']); + $v_ftp_username = preg_replace("/^".$user."_/", "", $v_ftp_user_data['v_ftp_user']); $v_ftp_users_updated[] = array( 'is_new' => $v_ftp_user_data['is_new'], 'v_ftp_user' => $return_var == 0 ? $v_ftp_username_full : $v_ftp_username, @@ -279,8 +311,8 @@ if (!empty($_POST['ok'])) { if (!empty($_SESSION['error_msg']) && $domain_added) { $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain])); $_SESSION['flash_error_msg'] = $_SESSION['error_msg']; - $url = '/edit/web/?domain=' . strtolower(preg_replace('/^www\./i', '', $_POST['v_domain'])); - header("Location: $url"); + $url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $_POST['v_domain'])); + header('Location: ' . $url); exit; } } @@ -312,12 +344,14 @@ $v_ftp_user_prepath = $panel[$user]['HOME'] . "/web"; $v_ftp_email = $panel[$user]['CONTACT']; // List IP addresses -v_exec('v-list-user-ips', [$user, 'json'], false, $output); -$ips = json_decode($output, true); +exec (VESTA_CMD."v-list-user-ips ".$user." json", $output, $return_var); +$ips = json_decode(implode('', $output), true); +unset($output); // List web stat engines -v_exec('v-list-web-stats', ['json'], false, $output); -$stats = json_decode($output, true); +exec (VESTA_CMD."v-list-web-stats json", $output, $return_var); +$stats = json_decode(implode('', $output), true); +unset($output); // Display body include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_web.html'); diff --git a/web/api/index.php b/web/api/index.php index 928f950df..97f082594 100644 --- a/web/api/index.php +++ b/web/api/index.php 
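Review bot: `$url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $_POST['v_domain']));` puts the request value into a query string without encoding, so characters such as `&` or `#` change what the redirect target receives, and `header('Location: ' . $url);` sends it verbatim. Encode the component: `$url = '/edit/web/?domain='.rawurlencode(strtolower(preg_replace("/^www\./i", "", $_POST['v_domain'])));`. The context line above it uses `$_POST[v_domain]`, an unquoted constant name, and should read `$_POST['v_domain']`.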
@@ -2,6 +2,7 @@ define('VESTA_CMD', '/usr/bin/sudo /usr/local/vesta/bin/'); if (isset($_POST['user']) || isset($_POST['hash'])) { + // Authentication $auth_code = 1; if (empty($_POST['hash'])) { @@ -11,18 +12,18 @@ if (isset($_POST['user']) || isset($_POST['hash'])) { exit; } - $v_user = $_POST['user']; + $v_user = escapeshellarg($_POST['user']); $v_password = tempnam("/tmp","vst"); $fp = fopen($v_password, "w"); fwrite($fp, $_POST['password']."\n"); fclose($fp); - $v_ip_addr = $_SERVER['REMOTE_ADDR']; - $auth_code = v_exec('v-check-user-password', [$v_user, $v_password, $v_ip_addr], false); + $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]); + exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code); unlink($v_password); } else { $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']); if (file_exists($key) && is_file($key)) { - $auth_code = 0; + $auth_code = '0'; } } 
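Review bot: `$v_ip_addr` is already passed through `escapeshellarg()`, and the command then wraps it in a second pair of single quotes (`" '".$v_ip_addr."'"`), giving e.g. `''127.0.0.1''`; the shell collapses the empty quoted strings so it works by accident, but the extra quotes should be dropped: `exec(VESTA_CMD."v-check-user-password ".$v_user." ".$v_password." ".$v_ip_addr, $output, $auth_code);`. `$auth_code = '0';` in the key branch turns the flag into a string while the password branch receives an int from `exec()`; keep `0` so later comparisons behave the same for both paths. `$fp = fopen($v_password, "w");` is also never checked before `fwrite`.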
@@ -32,17 +33,37 @@ if (isset($_POST['user']) || isset($_POST['hash'])) { } // Prepare arguments - $args = []; - if (isset($_POST['cmd'])) $cmd = $_POST['cmd']; - if (isset($_POST['arg1'])) $args[] = $_POST['arg1']; - if (isset($_POST['arg2'])) $args[] = $_POST['arg2']; - if (isset($_POST['arg3'])) $args[] = $_POST['arg3']; - if (isset($_POST['arg4'])) $args[] = $_POST['arg4']; - if (isset($_POST['arg5'])) $args[] = $_POST['arg5']; - if (isset($_POST['arg6'])) $args[] = $_POST['arg6']; - if (isset($_POST['arg7'])) $args[] = $_POST['arg7']; - if (isset($_POST['arg8'])) $args[] = $_POST['arg8']; - if (isset($_POST['arg9'])) $args[] = $_POST['arg9']; + if (isset($_POST['cmd'])) $cmd = escapeshellarg($_POST['cmd']); + if (isset($_POST['arg1'])) $arg1 = escapeshellarg($_POST['arg1']); + if (isset($_POST['arg2'])) $arg2 = escapeshellarg($_POST['arg2']); + if (isset($_POST['arg3'])) $arg3 = escapeshellarg($_POST['arg3']); + if (isset($_POST['arg4'])) $arg4 = escapeshellarg($_POST['arg4']); + if (isset($_POST['arg5'])) $arg5 = escapeshellarg($_POST['arg5']); + if (isset($_POST['arg6'])) $arg6 = escapeshellarg($_POST['arg6']); + if (isset($_POST['arg7'])) $arg7 = escapeshellarg($_POST['arg7']); + if (isset($_POST['arg8'])) $arg8 = escapeshellarg($_POST['arg8']); + if (isset($_POST['arg9'])) $arg9 = escapeshellarg($_POST['arg9']); + + // Build query + $cmdquery = VESTA_CMD.$cmd." "; + if(!empty($arg1)){ + $cmdquery = $cmdquery.$arg1." "; } + if(!empty($arg2)){ + $cmdquery = $cmdquery.$arg2." "; } + if(!empty($arg3)){ + $cmdquery = $cmdquery.$arg3." "; } + if(!empty($arg4)){ + $cmdquery = $cmdquery.$arg4." "; } + if(!empty($arg5)){ + $cmdquery = $cmdquery.$arg5." "; } + if(!empty($arg6)){ + $cmdquery = $cmdquery.$arg6." "; } + if(!empty($arg7)){ + $cmdquery = $cmdquery.$arg7." "; } + if(!empty($arg8)){ + $cmdquery = $cmdquery.$arg8." "; } + if(!empty($arg9)){ + $cmdquery = $cmdquery.$arg9; } // Check command if ($cmd == "'v-make-tmp-file'") { 
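Review bot: The command name comes straight from the request, `$cmd = escapeshellarg($_POST['cmd']);`, and nothing restricts it to a `v-*` script name before it is appended to `VESTA_CMD` (`/usr/bin/sudo /usr/local/vesta/bin/`); quoting prevents word splitting but does not constrain the script name itself, and when `cmd` is absent `$cmd` is undefined and `$cmdquery` is just the prefix with a trailing space. Validate against an allow-list or a strict pattern before building the query, e.g. (constructed) `if (!isset($_POST['cmd']) || !preg_match('/^v-[a-z0-9-]+$/', $_POST['cmd'])) { exit; }`. The `!empty($argN)` chain also silently drops a missing middle argument and shifts the later ones left, as the removed `isset`-based `$args[]` list did. The enclosing `if (isset($_POST['user']) || isset($_POST['hash']))` block starts outside the hunk.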
@@ -53,7 +74,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) { $return_var = 0; } else { // Run normal cmd query - $return_var = v_exec($cmd, $args, false, $output); + exec ($cmdquery, $output, $return_var); } if ((!empty($_POST['returncode'])) && ($_POST['returncode'] == 'yes')) { @@ -62,7 +83,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) { if (($return_var == 0) && (empty($output))) { echo "OK"; } else { - echo $output . "\n"; + echo implode("\n",$output)."\n"; } } } diff --git a/web/bulk/backup/exclusions/index.php b/web/bulk/backup/exclusions/index.php index 56e412617..4d0e43933 100644 --- a/web/bulk/backup/exclusions/index.php +++ b/web/bulk/backup/exclusions/index.php @@ -16,7 +16,8 @@ switch ($action) { } foreach ($backup as $value) { - v_exec($cmd, [$user, $value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var); } header("Location: /list/backup/exclusions"); diff --git a/web/bulk/backup/index.php b/web/bulk/backup/index.php index 6c0095520..f191dfe2a 100644 --- a/web/bulk/backup/index.php +++ b/web/bulk/backup/index.php @@ -12,7 +12,7 @@ $action = $_POST['action']; // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } switch ($action) { @@ -22,7 +22,8 @@ switch ($action) { } foreach ($backup as $value) { - v_exec($cmd, [$user, $value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var); } header("Location: /list/backup/"); diff --git a/web/bulk/cron/index.php b/web/bulk/cron/index.php index 191ad3c83..0beb49083 100644 --- a/web/bulk/cron/index.php +++ b/web/bulk/cron/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $job = $_POST['job']; 
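Review bot: Inside `foreach ($backup as $value)` the call `exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var);` appends to `$output` on every iteration — `exec()` never resets the array — and neither `$output` nor `$return_var` is examined before the redirect, so a failing item is indistinguishable from a successful one. Add `unset($output);` at the end of the loop body and check the code, for example with `check_return_code($return_var, $output);` as the add/* pages do. The same loop shape appears in the `foreach` hunks of `web/bulk/backup`, `web/bulk/cron`, `web/bulk/db`, `web/bulk/dns`, `web/bulk/firewall`, `web/bulk/firewall/banlist`, `web/bulk/ip`, `web/bulk/mail` and `web/bulk/package` in this diff. `$user` is concatenated unescaped in each of them; it is not assigned in the visible hunks, so presumably it comes from the included `inc/main.php`.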
@@ -24,15 +24,19 @@ if ($_SESSION['user'] == 'admin') { case 'unsuspend': $cmd='v-unsuspend-cron-job'; break; case 'delete-cron-reports': $cmd='v-delete-cron-reports'; - v_exec($cmd, [$user], false); + exec (VESTA_CMD.$cmd." ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully diabled'); + unset($output); header("Location: /list/cron/"); exit; + break; case 'add-cron-reports': $cmd='v-add-cron-reports'; - v_exec($cmd, [$user], false); + exec (VESTA_CMD.$cmd." ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled'); + unset($output); header("Location: /list/cron/"); exit; + break; default: header("Location: /list/cron/"); exit; } } else { @@ -40,26 +44,31 @@ if ($_SESSION['user'] == 'admin') { case 'delete': $cmd='v-delete-cron-job'; break; case 'delete-cron-reports': $cmd='v-delete-cron-reports'; - v_exec($cmd, [$user], false); + exec (VESTA_CMD.$cmd." ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully diabled'); + unset($output); header("Location: /list/cron/"); exit; + break; case 'add-cron-reports': $cmd='v-add-cron-reports'; - v_exec($cmd, [$user], false); + exec (VESTA_CMD.$cmd." ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled'); + unset($output); header("Location: /list/cron/"); exit; + break; default: header("Location: /list/cron/"); exit; } } foreach ($job as $value) { - v_exec($cmd, [$user, $value, 'no'], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value." no", $output, $return_var); $restart = 'yes'; } if (!empty($restart)) { - v_exec('v-restart-cron', [], false); + exec (VESTA_CMD."v-restart-cron", $output, $return_var); } header("Location: /list/cron/"); diff --git a/web/bulk/db/index.php b/web/bulk/db/index.php index c9e1f55a0..15361be4b 100644 --- a/web/bulk/db/index.php 
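Review bot: The `break;` lines added after `exit;` in the `delete-cron-reports` and `add-cron-reports` cases of both `switch` blocks (and again in `web/bulk/ip/index.php`) are unreachable, since `exit` never returns; drop them. In those cases `exec (VESTA_CMD.$cmd." ".$user, $output, $return_var);` sets `$return_var` but the success message is stored regardless of it, so a failed `v-delete-cron-reports` still reports success (and the text reads `diabled`); choose the message on the code, e.g. `if ($return_var == 0) $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');`. Note that `$user` is concatenated unescaped here as in the other bulk pages.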
+++ b/web/bulk/db/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $database = $_POST['database']; @@ -34,7 +34,8 @@ if ($_SESSION['user'] == 'admin') { } foreach ($database as $value) { - v_exec($cmd, [$user, $value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var); } header("Location: /list/db/"); diff --git a/web/bulk/dns/index.php b/web/bulk/dns/index.php index 81ba40bb4..d7fe0a292 100644 --- a/web/bulk/dns/index.php +++ b/web/bulk/dns/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $domain = $_POST['domain']; @@ -58,22 +58,25 @@ if ($_SESSION['user'] == 'admin') { if (empty($record)) { foreach ($domain as $value) { // DNS - v_exec($cmd, [$user, $value, 'no'], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value." no", $output, $return_var); $restart = 'yes'; } } else { foreach ($record as $value) { // DNS Record - v_exec($cmd, [$user, $domain, $value, 'no'], false); + $value = escapeshellarg($value); + $dom = escapeshellarg($domain); + exec (VESTA_CMD.$cmd." ".$user." ".$dom." ".$value." no", $output, $return_var); $restart = 'yes'; } } if (!empty($restart)) { - v_exec('v-restart-dns', [], false); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); } -if (empty($record)) { +if (empty($record)) { header("Location: /list/dns/"); exit; } else { diff --git a/web/bulk/firewall/banlist/index.php b/web/bulk/firewall/banlist/index.php index b61652ee4..fe7308a53 100644 --- a/web/bulk/firewall/banlist/index.php +++ b/web/bulk/firewall/banlist/index.php 
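Review bot: In the record branch `$dom = escapeshellarg($domain);` is evaluated on every iteration although `$domain` does not change, and `$domain = $_POST['domain'];` is treated as an array in the other branch (`foreach ($domain as $value)`); if a request supplies it as an array while `record` is also set, `escapeshellarg()` receives an array (a warning and `null` on PHP 5, a `TypeError` on PHP 8) and the command is built with an empty argument. Hoist the escape out of the loop and reject non-string input: `$dom = is_string($domain) ? escapeshellarg($domain) : ''; if ($dom === '') { header("Location: /list/dns/"); exit; }`. The same shape is in `web/bulk/mail/index.php` (`$dom = escapeshellarg($domain);`).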
@@ -10,7 +10,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -22,7 +22,10 @@ if ($_SESSION['user'] != 'admin') { $ipchain = $_POST['ipchain']; /*if (!empty($_POST['ipchain'])) { $ipchain = $_POST['ipchain']; - list($ip, $chain) = explode(':', $ipchain); + list($ip,$chain) = split(":",$ipchain); + $v_ip = escapeshellarg($ip); + $v_chain = escapeshellarg($chain); + }*/ $action = $_POST['action']; @@ -34,8 +37,10 @@ switch ($action) { } foreach ($ipchain as $value) { - list($ip, $chain) = explode(':', $value); - v_exec($cmd, [$ip, $chain], false); + list($ip,$chain) = split(":",$value); + $v_ip = escapeshellarg($ip); + $v_chain = escapeshellarg($chain); + exec (VESTA_CMD.$cmd." ".$v_ip." ".$v_chain, $output, $return_var); } header("Location: /list/firewall/banlist"); diff --git a/web/bulk/firewall/index.php b/web/bulk/firewall/index.php index 32c6b5e30..6f076cb81 100644 --- a/web/bulk/firewall/index.php +++ b/web/bulk/firewall/index.php @@ -10,7 +10,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -34,7 +34,8 @@ switch ($action) { } foreach ($rule as $value) { - v_exec($cmd, [$value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value, $output, $return_var); $restart = 'yes'; } diff --git a/web/bulk/ip/index.php b/web/bulk/ip/index.php index 5fd779ff1..4f1705403 100644 --- a/web/bulk/ip/index.php +++ b/web/bulk/ip/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $ip = $_POST['ip']; 
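Review bot: `list($ip,$chain) = split(":",$value);` reintroduces `split()`, deprecated since PHP 5.3 and removed in PHP 7, in place of `explode(':', $value)`; on a current PHP this hunk is a fatal error, and on 5.x `split()` interprets its first argument as a regular expression. Restore `list($ip, $chain) = explode(':', $value);`. A value without a colon also leaves `$chain` unset and still runs the command with an empty second argument; `if (count($parts = explode(':', $value, 2)) !== 2) continue;` before the assignment avoids that. The commented-out block in the `@@ -22` hunk of this file carries the same `split()` call.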
@@ -17,11 +17,11 @@ $action = $_POST['action']; if ($_SESSION['user'] == 'admin') { switch ($action) { - case 'reread IP': $cmd = 'v-update-sys-ip'; - v_exec($cmd, [], false); - header('Location: /list/ip/'); - exit; - case 'delete': $cmd = 'v-delete-sys-ip'; + case 'reread IP': exec(VESTA_CMD."v-update-sys-ip", $output, $return_var); + header("Location: /list/ip/"); + exit; + break; + case 'delete': $cmd='v-delete-sys-ip'; break; default: header("Location: /list/ip/"); exit; } @@ -31,7 +31,8 @@ if ($_SESSION['user'] == 'admin') { } foreach ($ip as $value) { - v_exec($cmd, [$value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value, $output, $return_var); } header("Location: /list/ip/"); diff --git a/web/bulk/mail/index.php b/web/bulk/mail/index.php index 21cb0a6b5..c526c9e0e 100644 --- a/web/bulk/mail/index.php +++ b/web/bulk/mail/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $domain = $_POST['domain']; @@ -58,18 +58,21 @@ if ($_SESSION['user'] == 'admin') { if (empty($account)) { foreach ($domain as $value) { // Mail - v_exec($cmd, [$user, $value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var); $restart = 'yes'; } } else { foreach ($account as $value) { // Mail Account - v_exec($cmd, [$user, $domain, $value], false); + $value = escapeshellarg($value); + $dom = escapeshellarg($domain); + exec (VESTA_CMD.$cmd." ".$user." ".$dom." ".$value, $output, $return_var); $restart = 'yes'; } } -if (empty($account)) { +if (empty($account)) { header("Location: /list/mail/"); exit; } else { diff --git a/web/bulk/package/index.php b/web/bulk/package/index.php index 95eef7bb2..32e36e936 100644 --- a/web/bulk/package/index.php +++ b/web/bulk/package/index.php 
@@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $package = $_POST['package']; @@ -27,7 +27,8 @@ if ($_SESSION['user'] == 'admin') { } foreach ($package as $value) { - v_exec($cmd, [$value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value, $output, $return_var); $restart = 'yes'; } diff --git a/web/bulk/restore/index.php b/web/bulk/restore/index.php index c3dd7b360..3bc048414 100644 --- a/web/bulk/restore/index.php +++ b/web/bulk/restore/index.php @@ -9,11 +9,11 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $action = $_POST['action']; -$backup = $_POST['backup']; +$backup = escapeshellarg($_POST['backup']); $web = 'no'; $dns = 'no'; 
@@ -22,22 +22,25 @@ $db = 'no'; $cron = 'no'; $udir = 'no'; -if (!empty($_POST['web'])) $web = implode(',', $_POST['web']); -if (!empty($_POST['dns'])) $dns = implode(',', $_POST['dns']); -if (!empty($_POST['mail'])) $mail = implode(',', $_POST['mail']); -if (!empty($_POST['db'])) $db = implode(',', $_POST['db']); +if (!empty($_POST['web'])) $web = escapeshellarg(implode(",",$_POST['web'])); +if (!empty($_POST['dns'])) $dns = escapeshellarg(implode(",",$_POST['dns'])); +if (!empty($_POST['mail'])) $mail = escapeshellarg(implode(",",$_POST['mail'])); +if (!empty($_POST['db'])) $db = escapeshellarg(implode(",",$_POST['db'])); if (!empty($_POST['cron'])) $cron = 'yes'; -if (!empty($_POST['udir'])) $udir = implode(',', $_POST['udir']); +if (!empty($_POST['udir'])) $udir = escapeshellarg(implode(",",$_POST['udir'])); if ($action == 'restore') { - $return_var = v_exec('v-schedule-user-restore', [$user, $backup, $web, $dns, $mail, $db, $cron, $udir]); - switch ($return_var) { - case 0: - $_SESSION['error_msg'] = __('RESTORE_SCHEDULED'); - break; - case 4: + exec (VESTA_CMD."v-schedule-user-restore ".$user." ".$backup." ".$web." ".$dns." ".$mail." ".$db." ".$cron." ".$udir, $output, $return_var); + if ($return_var == 0) { + $_SESSION['error_msg'] = __('RESTORE_SCHEDULED'); + } else { + $_SESSION['error_msg'] = implode('
', $output); + if (empty($_SESSION['error_msg'])) { + $_SESSION['error_msg'] = __('Error: vesta did not return any output.'); + } + if ($return_var == 4) { $_SESSION['error_msg'] = __('RESTORE_EXISTS'); - break; + } } } diff --git a/web/bulk/service/index.php b/web/bulk/service/index.php index 8ed4fca23..70ce660c7 100644 --- a/web/bulk/service/index.php +++ b/web/bulk/service/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $service = $_POST['service']; @@ -27,14 +27,16 @@ if ($_SESSION['user'] == 'admin') { } if ((!empty($_POST['system'])) && ($action == 'restart')) { - v_exec('v-restart-system', ['yes'], false); + exec (VESTA_CMD."v-restart-system yes", $output, $return_var); $_SESSION['error_srv'] = 'The system is going down for reboot NOW!'; + unset($output); header("Location: /list/server/"); exit; } foreach ($service as $value) { - v_exec($cmd, [$value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value, $output, $return_var); } } diff --git a/web/bulk/user/index.php b/web/bulk/user/index.php index 28c9459e1..5d42fbfd9 100644 --- a/web/bulk/user/index.php +++ b/web/bulk/user/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $user = $_POST['user']; 
@@ -48,14 +48,15 @@ if ($_SESSION['user'] == 'admin') { } foreach ($user as $value) { - v_exec($cmd, [$value, $restart], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value." ".$restart, $output, $return_var); $changes = 'yes'; } if ((!empty($restart)) && (!empty($changes))) { - v_exec('v-restart-web', [], false); - v_exec('v-restart-dns', [], false); - v_exec('v-restart-cron', [], false); + exec (VESTA_CMD."v-restart-web", $output, $return_var); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + exec (VESTA_CMD."v-restart-cron", $output, $return_var); } header("Location: /list/user/"); diff --git a/web/bulk/vesta/index.php b/web/bulk/vesta/index.php index 3ab537485..c909f83e3 100644 --- a/web/bulk/vesta/index.php +++ b/web/bulk/vesta/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } @@ -23,7 +23,8 @@ if ($_SESSION['user'] == 'admin') { default: header("Location: /list/updates/"); exit; } foreach ($pkg as $value) { - v_exec($cmd, [$value], false); + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$value, $output, $return_var); } } diff --git a/web/bulk/web/index.php b/web/bulk/web/index.php index 1b7673b41..4a661a1ff 100644 --- a/web/bulk/web/index.php +++ b/web/bulk/web/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } $domain = $_POST['domain']; 
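Review bot: `$restart` is concatenated unquoted into the per-user command in the bulk/user loop while `$value` is escaped; its assignment is above this hunk, so if it is derived from `$_POST` rather than fixed to `'yes'`/`'no'`, validate it against those two values or wrap it: `$restart = escapeshellarg($restart);` before the loop. The three restart commands that follow discard `$return_var`, so a failed `v-restart-dns` is never surfaced to the user.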
@@ -34,14 +34,15 @@ if ($_SESSION['user'] == 'admin') { } foreach ($domain as $value) { - v_exec($cmd, [$user, $value, 'no'], false); - $restart = 'yes'; + $value = escapeshellarg($value); + exec (VESTA_CMD.$cmd." ".$user." ".$value." no", $output, $return_var); + $restart='yes'; } if (isset($restart)) { - v_exec('v-restart-web', [], false); - v_exec('v-restart-proxy', [], false); - v_exec('v-restart-dns', [], false); + exec (VESTA_CMD."v-restart-web", $output, $return_var); + exec (VESTA_CMD."v-restart-proxy", $output, $return_var); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); } header("Location: /list/web/"); diff --git a/web/delete/backup/exclusion/index.php b/web/delete/backup/exclusion/index.php index 5e3d9cf30..29ad3bd58 100644 --- a/web/delete/backup/exclusion/index.php +++ b/web/delete/backup/exclusion/index.php @@ -6,17 +6,20 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } if (!empty($_GET['system'])) { - $v_system = $_GET['system']; - v_exec('v-delete-user-backup-exclusions', [$user, $v_system]); + $v_username = escapeshellarg($user); + $v_system = escapeshellarg($_GET['system']); + exec (VESTA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/backup/index.php b/web/delete/backup/index.php index 9546a3361..33f492268 100644 --- a/web/delete/backup/index.php +++ b/web/delete/backup/index.php 
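Review bot: `check_return_code($return_var,$output);` in delete/backup/exclusion now runs unconditionally after the `if (!empty($_GET['system']))` block, so a request without `system` reaches it with `$return_var` and `$output` undefined (PHP notices, and whatever check_return_code does with a null code). Move that call and the `unset($output);` inside the `if`, as the delete/dns and delete/mail hunks of this same commit do. The same placement appears in the delete/backup, delete/cron, delete/db, delete/firewall/banlist, delete/firewall, delete/ip, delete/package and delete/user hunks.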
@@ -6,23 +6,26 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if (!empty($_GET['backup'])) { - $v_backup = $_GET['backup']; - v_exec('v-delete-user-backup', [$user, $v_backup]); + $v_username = escapeshellarg($user); + $v_backup = escapeshellarg($_GET['backup']); + exec (VESTA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/cron/autoupdate/index.php b/web/delete/cron/autoupdate/index.php index 11ea356cb..ad670ef03 100644 --- a/web/delete/cron/autoupdate/index.php +++ b/web/delete/cron/autoupdate/index.php @@ -6,8 +6,9 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { - v_exec('v-delete-cron-vesta-autoupdate', [], false); + exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled'); + unset($output); } header("Location: /list/updates/"); diff --git a/web/delete/cron/index.php b/web/delete/cron/index.php index eff4ca06c..d4ca20263 100644 --- a/web/delete/cron/index.php +++ b/web/delete/cron/index.php 
@@ -6,23 +6,26 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if (!empty($_GET['job'])) { - $v_job = $_GET['job']; - v_exec('v-delete-cron-job', [$user, $v_job]); + $v_username = escapeshellarg($user); + $v_job = escapeshellarg($_GET['job']); + exec (VESTA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/cron/reports/index.php b/web/delete/cron/reports/index.php index 1025f70e6..af7df20f2 100644 --- a/web/delete/cron/reports/index.php +++ b/web/delete/cron/reports/index.php @@ -5,8 +5,9 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); -v_exec('v-delete-cron-reports', [$user], false); +exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled'); +unset($output); header("Location: /list/cron/"); exit; diff --git a/web/delete/db/index.php b/web/delete/db/index.php index fa3f50460..f2088ad2b 100644 --- a/web/delete/db/index.php +++ b/web/delete/db/index.php 
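Review bot: `$user` goes into the `v-delete-cron-reports` command unquoted, and unlike the sibling delete handlers in this commit no CSRF token check appears in this hunk before the state-changing `exec`; the first four lines of the file are outside the hunk, so the check may live there, but it is worth confirming. If `$user` can be set from request input (the admin `$_GET['user']` override the other delete pages use), quote it: `exec (VESTA_CMD."v-delete-cron-reports ".escapeshellarg($user), $output, $return_var);`.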
@@ -6,23 +6,26 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if (!empty($_GET['database'])) { - $v_database = $_GET['database']; - v_exec('v-delete-database', [$user, $v_database]); + $v_username = escapeshellarg($user); + $v_database = escapeshellarg($_GET['database']); + exec (VESTA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/dns/index.php b/web/delete/dns/index.php index b89f52735..7069d0c89 100644 --- a/web/delete/dns/index.php +++ b/web/delete/dns/index.php @@ -7,23 +7,26 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Delete as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // DNS domain if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { - $v_domain = $_GET['domain']; - v_exec('v-delete-dns-domain', [$user, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/"); 
@@ -32,13 +35,15 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { // DNS record if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { - $v_domain = $_GET['domain']; - $v_record_id = $_GET['record_id']; - v_exec('v-delete-dns-record', [$user, $v_domain, $v_record_id]); - + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_record_id = escapeshellarg($_GET['record_id']); + exec (VESTA_CMD."v-delete-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/?domain=".$_GET['domain']); @@ -47,7 +52,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/favorite/index.php b/web/delete/favorite/index.php index 059e8a1e6..9f471b9bd 100644 --- a/web/delete/favorite/index.php +++ b/web/delete/favorite/index.php @@ -5,10 +5,11 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); - $v_section = $_REQUEST['v_section']; - $v_unit_id = $_REQUEST['v_unit_id']; + unset($_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']]); - unset($_SESSION['favourites'][strtoupper((string)$v_section)][(string)$v_unit_id]); + $v_section = escapeshellarg($_REQUEST['v_section']); + $v_unit_id = escapeshellarg($_REQUEST['v_unit_id']); - v_exec('v-delete-user-favourites', [$_SESSION['user'], $v_section, $v_unit_id], false/*true*/); + exec (VESTA_CMD."v-delete-user-favourites ".$_SESSION['user']." ".$v_section." ".$v_unit_id, $output, $return_var); +// check_return_code($return_var,$output); ?> \ No newline at end of file 
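Review bot: `// check_return_code($return_var,$output);` in delete/favorite leaves the `v-delete-user-favourites` result unchecked, so a failed deletion is never reported; either restore the call or document why the result is intentionally ignored. The section and unit id come from `$_REQUEST`, which merges GET, POST and cookie input, and no token check is visible in this hunk (lines 1-4 of the file are outside it). `$_SESSION['user']` is concatenated unquoted; it is session-set rather than request-set, but `escapeshellarg($_SESSION['user'])` keeps the command uniform with the other two arguments.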
diff --git a/web/delete/firewall/banlist/index.php b/web/delete/firewall/banlist/index.php index c45c81d1b..7b30edd59 100644 --- a/web/delete/firewall/banlist/index.php +++ b/web/delete/firewall/banlist/index.php @@ -16,18 +16,20 @@ if ($_SESSION['user'] != 'admin') { // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if ((!empty($_GET['ip'])) && (!empty($_GET['chain']))) { - $v_ip = $_GET['ip']; - $v_chain = $_GET['chain']; - v_exec('v-delete-firewall-ban', [$v_ip, $v_chain]); + $v_ip = escapeshellarg($_GET['ip']); + $v_chain = escapeshellarg($_GET['chain']); + exec (VESTA_CMD."v-delete-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/firewall/index.php b/web/delete/firewall/index.php index ef0211554..b6b38f0c6 100644 --- a/web/delete/firewall/index.php +++ b/web/delete/firewall/index.php @@ -16,17 +16,19 @@ if ($_SESSION['user'] != 'admin') { // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if (!empty($_GET['rule'])) { - $v_rule = $_GET['rule']; - v_exec('v-delete-firewall-rule', [$v_rule]); + $v_rule = escapeshellarg($_GET['rule']); + exec (VESTA_CMD."v-delete-firewall-rule ".$v_rule, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/ip/index.php b/web/delete/ip/index.php index b45ef15a8..f8bcd994d 100644 --- a/web/delete/ip/index.php +++ b/web/delete/ip/index.php 
@@ -8,19 +8,22 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if ($_SESSION['user'] == 'admin') { if (!empty($_GET['ip'])) { - $v_ip = $_GET['ip']; - v_exec('v-delete-sys-ip', [$v_ip]); + $v_ip = escapeshellarg($_GET['ip']); + exec (VESTA_CMD."v-delete-sys-ip ".$v_ip, $output, $return_var); } + check_return_code($return_var,$output); + unset($output); + } $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/mail/index.php b/web/delete/mail/index.php index 1446ac349..8a3d87f82 100644 --- a/web/delete/mail/index.php +++ b/web/delete/mail/index.php @@ -7,22 +7,25 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Delete as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Mail domain if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { - $v_domain = $_GET['domain']; - v_exec('v-delete-mail-domain', [$user, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/mail/"); 
@@ -31,12 +34,15 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { // Mail account if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { - $v_domain = $_GET['domain']; - $v_account = $_GET['account']; - v_exec('v-delete-mail-account', [$user, $v_domain, $v_account]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + exec (VESTA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/mail/?domain=".$_GET['domain']); @@ -45,7 +51,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/notification/index.php b/web/delete/notification/index.php index 982a37132..fa3a14f10 100644 --- a/web/delete/notification/index.php +++ b/web/delete/notification/index.php 
@@ -8,17 +8,23 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if($_GET['delete'] == 1){ - $v_id = (string)((int)$_GET['notification_id']); - v_exec('v-delete-user-notification', [$user, $v_id]); + $v_username = escapeshellarg($user); + $v_id = escapeshellarg((int)$_GET['notification_id']); + exec (VESTA_CMD."v-delete-user-notification ".$v_username." ".$v_id, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } else { - $v_id = (string)((int)$_GET['notification_id']); - //echo VESTA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id; - v_exec('v-acknowledge-user-notification', [$user, $v_id]); + $v_username = escapeshellarg($user); + $v_id = escapeshellarg((int)$_GET['notification_id']); + echo VESTA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id; + exec (VESTA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } exit; diff --git a/web/delete/package/index.php b/web/delete/package/index.php index 78f45000a..1058f495d 100644 --- a/web/delete/package/index.php +++ b/web/delete/package/index.php @@ -8,19 +8,21 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if ($_SESSION['user'] == 'admin') { if (!empty($_GET['package'])) { - $v_package = $_GET['package']; - v_exec('v-delete-user-package', [$v_package]); + $v_package = escapeshellarg($_GET['package']); + exec (VESTA_CMD."v-delete-user-package ".$v_package, $output, $return_var); } + check_return_code($return_var,$output); + unset($output); } $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } 
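Review bot: The restored `echo VESTA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id;` in the else branch of delete/notification is leftover debugging: it writes the full command line, including the VESTA_CMD install path, into the HTTP response of every acknowledge request. The line the revert discards had it commented out; drop it entirely. `escapeshellarg((int)$_GET['notification_id'])` passes an int where a string is expected, which only works without `strict_types`; `escapeshellarg((string)(int)$_GET['notification_id'])` is explicit.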
diff --git a/web/delete/user/index.php b/web/delete/user/index.php index cdd19a669..8e20b4c63 100644 --- a/web/delete/user/index.php +++ b/web/delete/user/index.php @@ -8,20 +8,22 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } if ($_SESSION['user'] == 'admin') { if (!empty($_GET['user'])) { - $v_username = $_GET['user']; - v_exec('v-delete-user', [$v_username]); + $v_username = escapeshellarg($_GET['user']); + exec (VESTA_CMD."v-delete-user ".$v_username, $output, $return_var); } + check_return_code($return_var,$output); unset($_SESSION['look']); + unset($output); } $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/delete/web/index.php b/web/delete/web/index.php index 199a89523..ecf6f415c 100644 --- a/web/delete/web/index.php +++ b/web/delete/web/index.php @@ -8,22 +8,25 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Delete as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=$_GET['user']; } if (!empty($_GET['domain'])) { - $v_domain = $_GET['domain']; - v_exec('v-delete-domain', [$user, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-delete-domain ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/download/file/index.php b/web/download/file/index.php index 662387e14..5322185b1 100644 --- a/web/download/file/index.php +++ b/web/download/file/index.php 
@@ -8,7 +8,7 @@ if ((!isset($_SESSION['FILEMANAGER_KEY'])) || (empty($_SESSION['FILEMANAGER_KEY' $user = $_SESSION['user']; if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) { - $user = $_SESSION['look']; + $user=$_SESSION['look']; } if (!empty($_REQUEST['path'])) { @@ -16,10 +16,10 @@ if (!empty($_REQUEST['path'])) { header("Content-type: application/octet-stream"); header("Content-Transfer-Encoding: binary"); header("Content-disposition: attachment;filename=".basename($path)); - // TODO: Implement `v_passthru`? - passthru(VESTA_CMD.'v-open-fs-file '.build_shell_args([$user, $path])); + passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($path)); exit; -} else { +} +else { die('File not found'); } diff --git a/web/download/web-log/index.php b/web/download/web-log/index.php index 8ebbc9dbb..79b5601cd 100644 --- a/web/download/web-log/index.php +++ b/web/download/web-log/index.php 
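Review bot: In the restored `passthru` call of download/file, `$path` is quoted but `$user` is not; `$user` comes from `$_SESSION['look']` in the first hunk of this file, which the admin sets rather than the requester, so the exposure is low, but quoting both keeps the command safe if that assignment ever changes: `passthru(VESTA_CMD . "v-open-fs-file " . escapeshellarg($user) . " " . escapeshellarg($path));`. The Content-Disposition header also emits `basename($path)` unquoted, so a filename containing `;` or a space yields a malformed header; `filename=\"".basename($path)."\"` is the usual form.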
@@ -3,20 +3,26 @@ error_reporting(NULL); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); - $v_domain = $_GET['domain']; +$v_domain = escapeshellarg($_GET['domain']); if ($_GET['type'] == 'access') $type = 'access'; if ($_GET['type'] == 'error') $type = 'error'; header("Cache-Control: public"); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=".$_GET['domain'].".".$type."-log.txt"); -header("Content-Type: application/octet-stream"); +header("Content-Type: application/octet-stream; "); header("Content-Transfer-Encoding: binary"); -$return_var = v_exec("v-list-web-domain-{$type}log", [$user, $v_domain, '5000'], false, $output); -if ($return_var == 0) { - echo $output . "\n"; +$v_domain = escapeshellarg($_GET['domain']); +if ($_GET['type'] == 'access') $type = 'access'; +if ($_GET['type'] == 'error') $type = 'error'; + +exec (VESTA_CMD."v-list-web-domain-".$type."log $user ".$v_domain." 5000", $output, $return_var); +if ($return_var == 0 ) { + foreach($output as $file) { + echo $file . "\n"; + } } ?> diff --git a/web/edit/backup/exclusions/index.php b/web/edit/backup/exclusions/index.php index 75a2bf78a..8bac32c16 100644 --- a/web/edit/backup/exclusions/index.php +++ b/web/edit/backup/exclusions/index.php @@ -9,12 +9,14 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Edit as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=escapeshellarg($_GET['user']); } // List backup exclustions -v_exec('v-list-user-backup-exclusions', [$user, 'json'], true, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-user-backup-exclusions ".$user." 'json'", $output, $return_var); +check_return_code($return_var,$output); +$data = json_decode(implode('', $output), true); +unset($output); // Parse web $v_username = $user; 
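Review bot: The download/web-log hunk re-adds `$v_domain = escapeshellarg($_GET['domain']);` and the two `$type` checks that already appear five lines above, so the same three statements run twice; keep one copy. When `type` is neither `access` nor `error`, `$type` stays undefined and the command degrades to `v-list-web-domain-log`, so the `if` chain needs an `else` that rejects the request. `$user` is concatenated into the same command unquoted, unlike `$v_domain`, the `Content-Disposition` header embeds the raw `$_GET['domain']` without quoting, and `"Content-Type: application/octet-stream; "` carries a stray trailing separator.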
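Review bot: `$user=escapeshellarg($_GET['user']);` in edit/backup/exclusions stores the shell-quoted form (`'name'`) in `$user`, but the same variable is then used as a plain value — `$v_username = $user;` later in this hunk — so in the admin "edit as" path the username carries literal quotes into everything that is not a shell command. Keep `$user` raw and quote at the call site, `exec (VESTA_CMD."v-list-user-backup-exclusions ".escapeshellarg($user)." 'json'", $output, $return_var);`, or keep a separate `$v_user`. The edit/cron, edit/db and edit/dns hunks of this commit make the same assignment; in edit/db the quoted `$user` is also spliced into a `preg_replace` prefix.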
@@ -68,10 +70,9 @@ if (!empty($_POST['save'])) { // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } - // TODO: Use array? $v_web = $_POST['v_web']; $v_web_tmp = str_replace("\r\n", ",", $_POST['v_web']); $v_web_tmp = rtrim($v_web_tmp, ","); @@ -111,7 +112,9 @@ if (!empty($_POST['save'])) { unset($mktemp_output); // Save changes - v_exec('v-update-user-backup-exclusions', [$user, $tmp]); + exec (VESTA_CMD."v-update-user-backup-exclusions ".$user." ".$tmp, $output, $return_var); + check_return_code($return_var,$output); + unset($output); // Set success message if (empty($_SESSION['error_msg'])) { diff --git a/web/edit/cron/index.php b/web/edit/cron/index.php index 557ea8b03..d78b4eb6e 100644 --- a/web/edit/cron/index.php +++ b/web/edit/cron/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Edit as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=escapeshellarg($_GET['user']); } // Check job id @@ -18,14 +18,16 @@ if (empty($_GET['job'])) { exit; } -$v_username = $user; -$v_job = $_GET['job']; - // List cron job -v_exec('v-list-cron-job', [$user, $v_job, 'json'], true, $output); -$data = json_decode($output, true); +$v_job = escapeshellarg($_GET['job']); +exec (VESTA_CMD."v-list-cron-job ".$user." ".$v_job." 'json'", $output, $return_var); +check_return_code($return_var,$output); +$data = json_decode(implode('', $output), true); +unset($output); // Parse cron job +$v_username = $user; +$v_job = $_GET['job']; $v_min = $data[$v_job]['MIN']; $v_hour = $data[$v_job]['HOUR']; $v_day = $data[$v_job]['DAY']; 
@@ -35,25 +37,35 @@ $v_cmd = $data[$v_job]['CMD']; $v_date = $data[$v_job]['DATE']; $v_time = $data[$v_job]['TIME']; $v_suspended = $data[$v_job]['SUSPENDED']; -$v_status = $v_suspended == 'yes' ? 'suspended' : 'active'; +if ( $v_suspended == 'yes' ) { + $v_status = 'suspended'; +} else { + $v_status = 'active'; +} // Check POST request if (!empty($_POST['save'])) { + // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } - $v_min = $_POST['v_min']; - $v_hour = $_POST['v_hour']; - $v_day = $_POST['v_day']; - $v_month = $_POST['v_month']; - $v_wday = $_POST['v_wday']; - $v_cmd = $_POST['v_cmd']; + $v_username = $user; + $v_min = escapeshellarg($_POST['v_min']); + $v_hour = escapeshellarg($_POST['v_hour']); + $v_day = escapeshellarg($_POST['v_day']); + $v_month = escapeshellarg($_POST['v_month']); + $v_wday = escapeshellarg($_POST['v_wday']); + $v_cmd = escapeshellarg($_POST['v_cmd']); // Save changes - v_exec('v-change-cron-job', [$v_username, $v_job, $v_min, $v_hour, $v_day, $v_month, $v_wday, $v_cmd]); + exec (VESTA_CMD."v-change-cron-job ".$v_username." ".$v_job." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + + $v_cmd = $_POST['v_cmd']; // Set success message if (empty($_SESSION['error_msg'])) { diff --git a/web/edit/db/index.php b/web/edit/db/index.php index 4a2377d10..29d358f80 100644 --- a/web/edit/db/index.php +++ b/web/edit/db/index.php 
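Review bot: `$v_job` in the restored `v-change-cron-job` command is the raw `$_GET['job']`: the previous hunk assigns `$v_job = escapeshellarg($_GET['job']);` for the list call but then overwrites it with `$v_job = $_GET['job'];` under "Parse cron job", and nothing re-quotes it before the `exec` here, while every `$_POST` field around it is escaped. Add `$v_job = escapeshellarg($_GET['job']);` alongside the other escaped values in the POST block, keeping the raw copy only for the `$data[$v_job]` lookups. The edit/db hunk repeats the pattern with `$v_database` for `v-change-database-user` and `v-change-database-password`.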
@@ -21,40 +21,51 @@ if (empty($_GET['database'])) { // Edit as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=escapeshellarg($_GET['user']); } -$v_username = $user; -$v_database = $_GET['database']; - // List datbase -v_exec('v-list-database', [$user, $v_database, 'json'], true, $output); -$data = json_decode($output, true); +$v_database = escapeshellarg($_GET['database']); +exec (VESTA_CMD."v-list-database ".$user." ".$v_database." 'json'", $output, $return_var); +check_return_code($return_var,$output); +$data = json_decode(implode('', $output), true); +unset($output); // Parse database +$v_username = $user; +$v_database = $_GET['database']; $v_dbuser = $data[$v_database]['DBUSER']; -$v_password = ''; +$v_password = ""; $v_host = $data[$v_database]['HOST']; $v_type = $data[$v_database]['TYPE']; $v_charset = $data[$v_database]['CHARSET']; $v_date = $data[$v_database]['DATE']; $v_time = $data[$v_database]['TIME']; $v_suspended = $data[$v_database]['SUSPENDED']; -$v_status = $v_suspended == 'yes' ? 'suspended' : 'active'; +if ( $v_suspended == 'yes' ) { + $v_status = 'suspended'; +} else { + $v_status = 'active'; +} // Check POST request if (!empty($_POST['save'])) { + $v_username = $user; + // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Change database user if (($v_dbuser != $_POST['v_dbuser']) && (empty($_SESSION['error_msg']))) { $v_dbuser = preg_replace("/^".$user."_/", "", $_POST['v_dbuser']); - v_exec('v-change-database-user', [$v_username, $v_database, $v_dbuser]); - $v_dbuser = $user . '_' . $v_dbuser; + $v_dbuser = escapeshellarg($v_dbuser); + exec (VESTA_CMD."v-change-database-user ".$v_username." ".$v_database." 
".$v_dbuser, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + $v_dbuser = $user."_".preg_replace("/^".$user."_/", "", $_POST['v_dbuser']); } // Change database password @@ -63,9 +74,11 @@ if (!empty($_POST['save'])) { $fp = fopen($v_password, "w"); fwrite($fp, $_POST['v_password']."\n"); fclose($fp); - v_exec('v-change-database-password', [$v_username, $v_database, $v_password]); + exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_password); - $v_password = $_POST['v_password']; + $v_password = escapeshellarg($_POST['v_password']); } // Set success message diff --git a/web/edit/dns/index.php b/web/edit/dns/index.php index f9c2a6111..6ceac64a5 100644 --- a/web/edit/dns/index.php +++ b/web/edit/dns/index.php @@ -15,18 +15,20 @@ if (empty($_GET['domain'])) { // Edit as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=escapeshellarg($_GET['user']); } -$v_username = $user; // List dns domain if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { - $v_domain = $_GET['domain']; - - v_exec('v-list-dns-domain', [$user, $v_domain, 'json'], true, $output); - $data = json_decode($output, true); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-list-dns-domain ".$user." ".$v_domain." json", $output, $return_var); + check_return_code($return_var,$output); + $data = json_decode(implode('', $output), true); + unset($output); // Parse dns domain + $v_username = $user; + $v_domain = $_GET['domain']; $v_ip = $data[$v_domain]['IP']; $v_template = $data[$v_domain]['TPL']; $v_ttl = $data[$v_domain]['TTL']; 
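Review bot: `preg_replace("/^".$user."_/", "", $_POST['v_dbuser'])` in edit/db builds the pattern from `$user` without `preg_quote`, and in the admin path `$user` was assigned via `escapeshellarg` earlier in this hunk, so the pattern is `/^'name'_/` and never strips the prefix; the restored `$v_dbuser = $user."_".preg_replace(...)` then prepends the quoted name as well. Use `preg_quote($user, '/')` on an unquoted `$user`. In the second edit/db hunk, `$v_password = escapeshellarg($_POST['v_password']);` runs after the command has already executed, so it quotes nothing and leaves a shell-quoted string in a variable no command uses anymore.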
@@ -42,19 +44,24 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { } // List dns templates - v_exec('v-list-dns-templates', ['json'], false, $output); - $templates = json_decode($output, true); + exec (VESTA_CMD."v-list-dns-templates json", $output, $return_var); + $templates = json_decode(implode('', $output), true); + unset($output); } // List dns record if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { - $v_domain = $_GET['domain']; - $v_record_id = $_GET['record_id']; - - v_exec('v-list-dns-records', [$user, $v_domain, 'json'], true, $output); - $data = json_decode($output, true); + $v_domain = escapeshellarg($_GET['domain']); + $v_record_id = escapeshellarg($_GET['record_id']); + exec (VESTA_CMD."v-list-dns-records ".$user." ".$v_domain." 'json'", $output, $return_var); + check_return_code($return_var,$output); + $data = json_decode(implode('', $output), true); + unset($output); // Parse dns record + $v_username = $user; + $v_domain = $_GET['domain']; + $v_record_id = $_GET['record_id']; $v_rec = $data[$v_record_id]['RECORD']; $v_type = $data[$v_record_id]['TYPE']; $v_val = $data[$v_record_id]['VALUE']; 
@@ -71,51 +78,63 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { // Check POST request for dns domain if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['record_id']))) { - $v_domain = $_POST['v_domain']; + $v_domain = escapeshellarg($_POST['v_domain']); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Change domain IP if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) { - $v_ip = $_POST['v_ip']; - v_exec('v-change-dns-domain-ip', [$v_username, $v_domain, $v_ip, 'no']); + $v_ip = escapeshellarg($_POST['v_ip']); + exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var); + check_return_code($return_var,$output); $restart_dns = 'yes'; + unset($output); } // Change domain template if (($v_template != $_POST['v_template']) && (empty($_SESSION['error_msg']))) { - $v_template = $_POST['v_template']; - v_exec('v-change-dns-domain-tpl', [$v_username, $v_domain, $v_template, 'no']); + $v_template = escapeshellarg($_POST['v_template']); + exec (VESTA_CMD."v-change-dns-domain-tpl ".$v_username." ".$v_domain." ".$v_template." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_dns = 'yes'; } // Change SOA record if (($v_soa != $_POST['v_soa']) && (empty($_SESSION['error_msg']))) { - $v_soa = $_POST['v_soa']; - v_exec('v-change-dns-domain-soa', [$v_username, $v_domain, $v_soa, 'no']); + $v_soa = escapeshellarg($_POST['v_soa']); + exec (VESTA_CMD."v-change-dns-domain-soa ".$v_username." ".$v_domain." ".$v_soa." 
'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_dns = 'yes'; } // Change expiriation date if (($v_exp != $_POST['v_exp']) && (empty($_SESSION['error_msg']))) { - $v_exp = $_POST['v_exp']; - v_exec('v-change-dns-domain-exp', [$v_username, $v_domain, $v_exp, 'no']); + $v_exp = escapeshellarg($_POST['v_exp']); + exec (VESTA_CMD."v-change-dns-domain-exp ".$v_username." ".$v_domain." ".$v_exp." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Change domain ttl if (($v_ttl != $_POST['v_ttl']) && (empty($_SESSION['error_msg']))) { - $v_ttl = $_POST['v_ttl']; - v_exec('v-change-dns-domain-ttl', [$v_username, $v_domain, $v_ttl, 'no']); + $v_ttl = escapeshellarg($_POST['v_ttl']); + exec (VESTA_CMD."v-change-dns-domain-ttl ".$v_username." ".$v_domain." ".$v_ttl." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_dns = 'yes'; } // Restart dns server if (!empty($restart_dns) && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-dns'); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set success message 
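Review bot: Every branch in this hunk leaves the shell-quoted value in the variable the template presumably renders: `$v_ip = escapeshellarg($_POST['v_ip']);`, `$v_template`, `$v_soa`, `$v_exp` and `$v_ttl` are never restored to the raw POST value after the `exec()`, so a successful save redisplays something like `'10.0.0.1'` with quotes. The record hunk later in this file does restore `$v_val = $_POST['v_val'];` after its command; do the same here, e.g. `$v_ip = $_POST['v_ip'];` after `check_return_code()`, or pass `escapeshellarg($_POST['v_ip'])` inline in the command string and leave the variable raw. `$v_domain` is also quoted before the token check, which is harmless but reads oddly next to the other pages that check first.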
@@ -130,30 +149,38 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['reco // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } - $v_domain = $_POST['v_domain']; - $v_record_id = $_POST['v_record_id']; + // Protect input + $v_domain = escapeshellarg($_POST['v_domain']); + $v_record_id = escapeshellarg($_POST['v_record_id']); // Change dns record if (($v_val != $_POST['v_val']) || ($v_priority != $_POST['v_priority']) && (empty($_SESSION['error_msg']))) { + $v_val = escapeshellarg($_POST['v_val']); + $v_priority = escapeshellarg($_POST['v_priority']); + exec (VESTA_CMD."v-change-dns-record ".$v_username." ".$v_domain." ".$v_record_id." ".$v_val." ".$v_priority, $output, $return_var); + check_return_code($return_var,$output); $v_val = $_POST['v_val']; - $v_priority = $_POST['v_priority']; - v_exec('v-change-dns-record', [$v_username, $v_domain, $v_record_id, $v_val, $v_priority]); + unset($output); $restart_dns = 'yes'; } // Change dns record id if (($_GET['record_id'] != $_POST['v_record_id']) && (empty($_SESSION['error_msg']))) { - $v_old_record_id = $_GET['record_id']; - v_exec('v-change-dns-record-id', [$v_username, $v_domain, $v_old_record_id, $v_record_id]); + $v_old_record_id = escapeshellarg($_GET['record_id']); + exec (VESTA_CMD."v-change-dns-record-id ".$v_username." ".$v_domain." ".$v_old_record_id." ".$v_record_id, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_dns = 'yes'; } // Restart dns server if (!empty($restart_dns) && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-dns'); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set success message diff --git a/web/edit/file/index.php b/web/edit/file/index.php index f26c2d3c8..6f7474c94 100644 --- a/web/edit/file/index.php +++ b/web/edit/file/index.php 
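Review bot: The guard `if (($v_val != $_POST['v_val']) || ($v_priority != $_POST['v_priority']) && (empty($_SESSION['error_msg'])))` mixes `||` and `&&` without parentheses; `&&` binds tighter, so a changed value runs `v-change-dns-record` even when an earlier step already set `error_msg`, unlike every other guard in this file. It is a context line, but the new code keeps it: `if ((($v_val != $_POST['v_val']) || ($v_priority != $_POST['v_priority'])) && (empty($_SESSION['error_msg'])))`. Also `$v_val` is restored to the raw POST value after the command while `$v_priority` stays shell-quoted; restore both for the template.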
@@ -31,22 +31,24 @@ if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) { -Error while saving file

'); exit; @@ -56,12 +58,12 @@ if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) { } } - $return_var = v_exec('v-open-fs-file', [$user, $path], false, $content); + exec (VESTA_CMD . "v-open-fs-file {$user} ".escapeshellarg($path), $content, $return_var); if ($return_var != 0) { print 'Error while opening file'; // todo: handle this more styled exit; } - $content = $content . "\n"; + $content = implode("\n", $content)."\n"; } else { $content = ''; } diff --git a/web/edit/firewall/index.php b/web/edit/firewall/index.php index 79de0e3e2..44346d09a 100644 --- a/web/edit/firewall/index.php +++ b/web/edit/firewall/index.php @@ -20,13 +20,15 @@ if (empty($_GET['rule'])) { exit; } -$v_rule = $_GET['rule']; - // List rule -v_exec('v-list-firewall-rule', [$v_rule, 'json'], true, $output); -$data = json_decode($output, true); +$v_rule = escapeshellarg($_GET['rule']); +exec (VESTA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var); +check_return_code($return_var,$output); +$data = json_decode(implode('', $output), true); +unset($output); // Parse rule +$v_rule = $_GET['rule']; $v_action = $data[$v_rule]['ACTION']; $v_protocol = $data[$v_rule]['PROTOCOL']; $v_port = $data[$v_rule]['PORT']; 
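Review bot: `exec (VESTA_CMD . "v-open-fs-file {$user} ".escapeshellarg($path), $content, $return_var);` quotes `$path` but interpolates `$user` bare into the shell string. The hunk headers of this file mention `$_SESSION['look']`, which suggests `$user` can be an admin-chosen impersonation target rather than a fixed value; where it is set is outside the hunk, so that is inferred. Quote both arguments the same way: `exec (VESTA_CMD . "v-open-fs-file ".escapeshellarg($user)." ".escapeshellarg($path), $content, $return_var);`. The preceding `-31,22` hunk of this file is garbled in this rendering and cannot be reviewed.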
@@ -35,17 +37,37 @@ $v_comment = $data[$v_rule]['COMMENT']; $v_date = $data[$v_rule]['DATE']; $v_time = $data[$v_rule]['TIME']; $v_suspended = $data[$v_rule]['SUSPENDED']; -$v_status = $v_suspended == 'yes' ? 'suspended' : 'active'; +if ( $v_suspended == 'yes' ) { + $v_status = 'suspended'; +} else { + $v_status = 'active'; +} // Check POST request if (!empty($_POST['save'])) { + // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } - $v_rule = $_GET['rule']; + $v_rule = escapeshellarg($_GET['rule']); + $v_action = escapeshellarg($_POST['v_action']); + $v_protocol = escapeshellarg($_POST['v_protocol']); + $v_port = str_replace(" ",",", $_POST['v_port']); + $v_port = preg_replace('/\,+/', ',', $v_port); + $v_port = trim($v_port, ","); + $v_port = escapeshellarg($v_port); + $v_ip = escapeshellarg($_POST['v_ip']); + $v_comment = escapeshellarg($_POST['v_comment']); + + // Change Status + exec (VESTA_CMD."v-change-firewall-rule ".$v_rule." ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + + $v_rule = $_GET['v_rule']; $v_action = $_POST['v_action']; $v_protocol = $_POST['v_protocol']; $v_port = str_replace(" ",",", $_POST['v_port']); @@ -54,9 +76,6 @@ if (!empty($_POST['save'])) { $v_ip = $_POST['v_ip']; $v_comment = $_POST['v_comment']; - // Change Status - v_exec('v-change-firewall-rule', [$v_rule, $v_action, $v_ip, $v_port, $v_protocol, $v_comment]); - // Set success message if (empty($_SESSION['error_msg'])) { $_SESSION['ok_msg'] = __('Changes has been saved.'); diff --git a/web/edit/ip/index.php b/web/edit/ip/index.php index 8427c3e12..bec1ae58f 100644 --- a/web/edit/ip/index.php +++ b/web/edit/ip/index.php 
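Review bot: After the command, the added line `$v_rule = $_GET['v_rule'];` reads a query parameter that does not exist on this page, which is keyed on `$_GET['rule']` (used a few lines up in `escapeshellarg($_GET['rule'])` and in the listing hunk above), so `$v_rule` becomes null for the re-rendered form after every save. Change it to `$v_rule = $_GET['rule'];`. The `$v_port` normalisation (`str_replace`, `preg_replace`, `trim`) is now done twice, once before the `exec()` and once after it in the context lines; computing it once into a raw variable and quoting inline at the call would remove the duplicate.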
@@ -19,14 +19,16 @@ if (empty($_GET['ip'])) { exit; } -$v_username = $user; -$v_ip = $_GET['ip']; - // List ip -v_exec('v-list-sys-ip', [$v_ip, 'json'], true, $output); -$data = json_decode($output, true); +$v_ip = escapeshellarg($_GET['ip']); +exec (VESTA_CMD."v-list-sys-ip ".$v_ip." 'json'", $output, $return_var); +check_return_code($return_var,$output); +$data = json_decode(implode('', $output), true); +unset($output); // Parse ip +$v_username = $user; +$v_ip = $_GET['ip']; $v_netmask = $data[$v_ip]['NETMASK']; $v_interace = $data[$v_ip]['INTERFACE']; $v_name = $data[$v_ip]['NAME']; 
@@ -44,39 +46,51 @@ if ( $v_suspended == 'yes' ) { } // List users -v_exec('v-list-sys-users', ['json'], false, $output); -$users = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-users 'json'", $output, $return_var); +$users = json_decode(implode('', $output), true); +unset($output); // Check POST request if (!empty($_POST['save'])) { - $v_ip = $_POST['v_ip']; + $v_ip = escapeshellarg($_POST['v_ip']); // Change Status if (($v_ipstatus == 'shared') && (empty($_POST['v_shared'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-change-sys-ip-status', [$v_ip, 'dedicated']); - $v_dedicated = 'yes'; + exec (VESTA_CMD."v-change-sys-ip-status ".$v_ip." 'dedicated'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); + $v_dedicated = 'yes'; } if (($v_ipstatus == 'dedicated') && (!empty($_POST['v_shared'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-change-sys-ip-status', [$v_ip, 'shared']); + exec (VESTA_CMD."v-change-sys-ip-status ".$v_ip." 'shared'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); unset($v_dedicated); } // Change owner if (($v_owner != $_POST['v_owner']) && (empty($_SESSION['error_msg']))) { + $v_owner = escapeshellarg($_POST['v_owner']); + exec (VESTA_CMD."v-change-sys-ip-owner ".$v_ip." ".$v_owner, $output, $return_var); + check_return_code($return_var,$output); $v_owner = $_POST['v_owner']; - v_exec('v-change-sys-ip-owner', [$v_ip, $v_owner]); + unset($output); } // Change associated domain if (($v_name != $_POST['v_name']) && (empty($_SESSION['error_msg']))) { - $v_name = $_POST['v_name']; - v_exec('v-change-sys-ip-name', [$v_ip, $v_name]); + $v_name = escapeshellarg($_POST['v_name']); + exec (VESTA_CMD."v-change-sys-ip-name ".$v_ip." 
".$v_name, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Change NAT address if (($v_nat != $_POST['v_nat']) && (empty($_SESSION['error_msg']))) { - $v_nat = $_POST['v_nat']; - v_exec('v-change-sys-ip-nat', [$v_ip, $v_nat]); + $v_nat = escapeshellarg($_POST['v_nat']); + exec (VESTA_CMD."v-change-sys-ip-nat ".$v_ip." ".$v_nat, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set success message diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php index 6598db903..1010b07f8 100644 --- a/web/edit/mail/index.php +++ b/web/edit/mail/index.php @@ -21,18 +21,19 @@ if (empty($_GET['domain'])) { // Edit as someone else? if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) { - $user = $_GET['user']; + $user=escapeshellarg($_GET['user']); } $v_username = $user; // List mail domain if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { - $v_domain = $_GET['domain']; - - v_exec('v-list-mail-domain', [$user, $v_domain, 'json'], false, $output); - $data = json_decode($output, true); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-list-mail-domain ".$user." ".$v_domain." json", $output, $return_var); + $data = json_decode(implode('', $output), true); + unset($output); // Parse domain + $v_domain = $_GET['domain']; $v_antispam = $data[$v_domain]['ANTISPAM']; $v_antivirus = $data[$v_domain]['ANTIVIRUS']; $v_dkim = $data[$v_domain]['DKIM']; 
@@ -49,14 +50,17 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { // List mail account if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { - $v_domain = $_GET['domain']; - $v_account = $_GET['account']; - - v_exec('v-list-mail-account', [$user, $v_domain, $v_account, 'json'], false, $output); - $data = json_decode($output, true); + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + exec (VESTA_CMD."v-list-mail-account ".$user." ".$v_domain." ".$v_account." 'json'", $output, $return_var); + $data = json_decode(implode('', $output), true); + unset($output); // Parse mail account - $v_password = ''; + $v_username = $user; + $v_domain = $_GET['domain']; + $v_account = $_GET['account']; + $v_password = ""; $v_aliases = str_replace(',', "\n", $data[$v_account]['ALIAS']); $valiases = explode(",", $data[$v_account]['ALIAS']); $v_fwd = str_replace(',', "\n", $data[$v_account]['FWD']); @@ -75,8 +79,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { // Parse autoreply if ( $v_autoreply == 'yes' ) { - v_exec('v-list-mail-account-autoreply', [$user, $v_domain, $v_account, 'json'], false, $output); - $autoreply_str = json_decode($output, true); + exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var); + $autoreply_str = json_decode(implode('', $output), true); + unset($output); $v_autoreply_message = $autoreply_str[$v_account]['MSG']; } } 
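Review bot: The autoreply lookup in the `-75` hunk, `exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", ...)`, hand-wraps the values in single quotes, but the `-49` hunk above has just reassigned `$v_domain` and `$v_account` to the raw `$_GET` strings in the `// Parse mail account` block, so unless something between the hunks reassigns them, a `'` in either value terminates the quoting and the rest is interpreted by the shell. Reaching it requires `$data[$v_account]['AUTOREPLY']` to be `yes` for that same raw key, which the earlier escaped call probably does not produce for a malformed name, so exploitability is limited, but the pattern is still wrong and the call also lacks `check_return_code()`. Use the same escaping as the other calls: `exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." json", $output, $return_var);`.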
@@ -84,68 +89,86 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { // Check POST request for mail domain if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['account']))) { - $v_domain = $_POST['v_domain']; + $v_domain = escapeshellarg($_POST['v_domain']); // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Delete antispam if (($v_antispam == 'yes') && (empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-domain-antispam', [$v_username, $v_domain]); + exec (VESTA_CMD."v-delete-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_antispam = 'no'; + unset($output); } // Add antispam if (($v_antispam == 'no') && (!empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-domain-antispam', [$v_username, $v_domain]); + exec (VESTA_CMD."v-add-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_antispam = 'yes'; + unset($output); } // Delete antivirus if (($v_antivirus == 'yes') && (empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-domain-antivirus', [$v_username, $v_domain]); + exec (VESTA_CMD."v-delete-mail-domain-antivirus ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_antivirus = 'no'; + unset($output); } // Add antivirs if (($v_antivirus == 'no') && (!empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-domain-antivirus', [$v_username, $v_domain]); + exec (VESTA_CMD."v-add-mail-domain-antivirus ".$v_username." 
".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_antivirus = 'yes'; + unset($output); } // Delete DKIM if (($v_dkim == 'yes') && (empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-domain-dkim', [$v_username, $v_domain]); + exec (VESTA_CMD."v-delete-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_dkim = 'no'; + unset($output); } // Add DKIM if (($v_dkim == 'no') && (!empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-domain-dkim', [$v_username, $v_domain]); + exec (VESTA_CMD."v-add-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_dkim = 'yes'; + unset($output); } // Delete catchall if ((!empty($v_catchall)) && (empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-domain-catchall', [$v_username, $v_domain]); + exec (VESTA_CMD."v-delete-mail-domain-catchall ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); $v_catchall = ''; + unset($output); } // Change catchall address if ((!empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) { if ($v_catchall != $_POST['v_catchall']) { - $v_catchall = $_POST['v_catchall']; - v_exec('v-change-mail-domain-catchall', [$v_username, $v_domain, $v_catchall]); + $v_catchall = escapeshellarg($_POST['v_catchall']); + exec (VESTA_CMD."v-change-mail-domain-catchall ".$v_username." ".$v_domain." 
".$v_catchall, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } // Add catchall if ((empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) { - $v_catchall = $_POST['v_catchall']; - v_exec('v-add-mail-domain-catchall', [$v_username, $v_domain, $v_catchall]); + $v_catchall = escapeshellarg($_POST['v_catchall']); + exec (VESTA_CMD."v-add-mail-domain-catchall ".$v_username." ".$v_domain." ".$v_catchall, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set success message @@ -160,11 +183,11 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } - $v_domain = $_POST['v_domain']; - $v_account = $_POST['v_account']; + $v_domain = escapeshellarg($_POST['v_domain']); + $v_account = escapeshellarg($_POST['v_account']); // Change password if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) { 
@@ -172,19 +195,23 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $fp = fopen($v_password, "w"); fwrite($fp, $_POST['v_password']."\n"); fclose($fp); - v_exec('v-change-mail-account-password', [$v_username, $v_domain, $v_account, $v_password]); + exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_password); - $v_password = $_POST['v_password']; + $v_password = escapeshellarg($_POST['v_password']);; } // Change quota if (($v_quota != $_POST['v_quota']) && (empty($_SESSION['error_msg']))) { if (empty($_POST['v_quota'])) { - $v_quota = '0'; + $v_quota = 0; } else { - $v_quota = $_POST['v_quota']; + $v_quota = escapeshellarg($_POST['v_quota']); } - v_exec('v-change-mail-account-quota', [$v_username, $v_domain, $v_account, $v_quota]); + exec (VESTA_CMD."v-change-mail-account-quota ".$v_username." ".$v_domain." ".$v_account." ".$v_quota, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Change account aliases 
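Review bot: `$v_password = escapeshellarg($_POST['v_password']);;` has a stray semicolon and keeps the shell-quoted plaintext password in a template variable after it has already been written to the temp file, consumed by `v-change-mail-account-password` and `unlink()`ed; it is no longer a command argument. The account-listing hunk sets `$v_password = "";`, so `$v_password = '';` here is the consistent choice. The temp-file path assignment is above the hunk and not visible.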
@@ -198,13 +225,17 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($valiases, $aliases); foreach ($result as $alias) { if ((empty($_SESSION['error_msg'])) && (!empty($alias))) { - v_exec('v-delete-mail-account-alias', [$v_username, $v_domain, $v_account, $alias]); + exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } $result = array_diff($aliases, $valiases); foreach ($result as $alias) { if ((empty($_SESSION['error_msg'])) && (!empty($alias))) { - v_exec('v-add-mail-account-alias', [$v_username, $v_domain, $v_account, $alias]); + exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } } 
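Review bot: Both alias loops build the command with `"'".$alias."'"`, hand-quoting a value that in the add loop comes from `$aliases`, which the code above this hunk presumably derives from `$_POST` (the `explode` is outside the hunk, so this is inferred); a `'` inside an alias then ends the quote and the remainder is interpreted by the shell. `escapeshellarg()` is used for every other argument in this file; use it here too, replacing `." '".$alias."'"` with `." ".escapeshellarg($alias)` in both the `v-delete-mail-account-alias` and `v-add-mail-account-alias` calls.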
@@ -220,42 +251,56 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($vfwd, $fwd); foreach ($result as $forward) { if ((empty($_SESSION['error_msg'])) && (!empty($forward))) { - v_exec('v-delete-mail-account-forward', [$v_username, $v_domain, $v_account, $forward]); + exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } $result = array_diff($fwd, $vfwd); foreach ($result as $forward) { if ((empty($_SESSION['error_msg'])) && (!empty($forward))) { - v_exec('v-add-mail-account-forward', [$v_username, $v_domain, $v_account, $forward]); + exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } } } // Delete FWD_ONLY flag if (($v_fwd_only == 'yes') && (empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-account-fwd-only', [$v_username, $v_domain, $v_account]); + exec (VESTA_CMD."v-delete-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_fwd_only = ''; } // Add FWD_ONLY flag if (($v_fwd_only != 'yes') && (!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-add-mail-account-fwd-only', [$v_username, $v_domain, $v_account]); + exec (VESTA_CMD."v-add-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_fwd_only = 'yes'; } // Delete autoreply if (($v_autoreply == 'yes') && (empty($_POST['v_autoreply'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-mail-account-autoreply', [$v_username, $v_domain, $v_account]); + exec (VESTA_CMD."v-delete-mail-account-autoreply ".$v_username." 
".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_autoreply = 'no'; $v_autoreply_message = ''; } // Add autoreply if ((!empty($_POST['v_autoreply'])) && (empty($_SESSION['error_msg']))) { - if ($v_autoreply_message != str_replace("\r\n", "\n", $_POST['v_autoreply_message'])) { + if ( $v_autoreply_message != str_replace("\r\n", "\n", $_POST['v_autoreply_message'])) { $v_autoreply_message = str_replace("\r\n", "\n", $_POST['v_autoreply_message']); - v_exec('v-add-mail-account-autoreply', [$v_username, $v_domain, $v_account, $v_autoreply_message]); + $v_autoreply_message = escapeshellarg($v_autoreply_message); + exec (VESTA_CMD."v-add-mail-account-autoreply ".$v_username." ".$v_domain." ".$v_account." ".$v_autoreply_message, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_autoreply = 'yes'; + $v_autoreply_message = $_POST['v_autoreply_message']; } } diff --git a/web/edit/package/index.php b/web/edit/package/index.php index 2e60abf16..e8ecaf686 100644 --- a/web/edit/package/index.php +++ b/web/edit/package/index.php @@ -21,13 +21,14 @@ if (empty($_GET['package'])) { } -$v_package = $_GET['package']; - // List package -v_exec('v-list-user-package', [$v_package, 'json'], false, $output); -$data = json_decode($output, true); +$v_package = escapeshellarg($_GET['package']); +exec (VESTA_CMD."v-list-user-package ".$v_package." 'json'", $output, $return_var); +$data = json_decode(implode('', $output), true); +unset($output); // Parse package +$v_package = $_GET['package']; $v_web_template = $data[$v_package]['WEB_TEMPLATE']; $v_backend_template = $data[$v_package]['BACKEND_TEMPLATE']; $v_proxy_template = $data[$v_package]['PROXY_TEMPLATE']; 
@@ -44,7 +45,7 @@ $v_disk_quota = $data[$v_package]['DISK_QUOTA']; $v_bandwidth = $data[$v_package]['BANDWIDTH']; $v_shell = $data[$v_package]['SHELL']; $v_ns = $data[$v_package]['NS']; -$nameservers = explode(', ', $v_ns); +$nameservers = explode(", ", $v_ns); $v_ns1 = $nameservers[0]; $v_ns2 = $nameservers[1]; $v_ns3 = $nameservers[2]; 
@@ -56,39 +57,45 @@ $v_ns8 = $nameservers[7]; $v_backups = $data[$v_package]['BACKUPS']; $v_date = $data[$v_package]['DATE']; $v_time = $data[$v_package]['TIME']; -$v_status = 'active'; +$v_status = 'active'; // List web templates -v_exec('v-list-web-templates', ['json'], false, $output); -$web_templates = json_decode($output, true); +exec (VESTA_CMD."v-list-web-templates json", $output, $return_var); +$web_templates = json_decode(implode('', $output), true); +unset($output); // List backend templates if (!empty($_SESSION['WEB_BACKEND'])) { - v_exec('v-list-web-templates-backend', ['json'], false, $output); - $backend_templates = json_decode($output, true); + exec (VESTA_CMD."v-list-web-templates-backend json", $output, $return_var); + $backend_templates = json_decode(implode('', $output), true); + unset($output); } // List proxy templates if (!empty($_SESSION['PROXY_SYSTEM'])) { - v_exec('v-list-web-templates-proxy', ['json'], false, $output); - $proxy_templates = json_decode($output, true); + exec (VESTA_CMD."v-list-web-templates-proxy json", $output, $return_var); + $proxy_templates = json_decode(implode('', $output), true); + unset($output); } // List dns templates -v_exec('v-list-dns-templates', ['json'], false, $output); -$dns_templates = json_decode($output, true); +exec (VESTA_CMD."v-list-dns-templates json", $output, $return_var); +$dns_templates = json_decode(implode('', $output), true); +unset($output); // List shels -v_exec('v-list-sys-shells', ['json'], false, $output); -$shells = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-shells json", $output, $return_var); +$shells = json_decode(implode('', $output), true); +unset($output); // Check POST request if (!empty($_POST['save'])) { + // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Check empty fields 
@@ -126,10 +133,8 @@ if (!empty($_POST['save'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } - $v_package = $_POST['v_package']; - // Protect input - // TODO: Use array? + $v_package = escapeshellarg($_POST['v_package']); $v_web_template = escapeshellarg($_POST['v_web_template']); if (!empty($_SESSION['WEB_BACKEND'])) { $v_backend_template = escapeshellarg($_POST['v_backend_template']); @@ -194,18 +199,23 @@ if (!empty($_POST['save'])) { $pkg .= "BACKUPS=".$v_backups."\n"; $pkg .= "TIME=".$v_time."\n"; $pkg .= "DATE=".$v_date."\n"; - $fp = fopen("$tmpdir/$v_package.pkg", 'w'); + $fp = fopen($tmpdir."/".$_POST['v_package'].".pkg", 'w'); fwrite($fp, $pkg); fclose($fp); // Save changes - v_exec('v-add-user-package', [$tmpdir, $v_package, 'yes']); + exec (VESTA_CMD."v-add-user-package ".$tmpdir." ".$v_package." 'yes'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); // Remove temporary dir - safe_exec('rm', ['-rf', $tmpdir]); + exec ('rm -rf '.$tmpdir, $output, $return_var); + unset($output); // Propogate new package - v_exec('v-update-user-package', [$v_package, 'json']); + exec (VESTA_CMD."v-update-user-package ".$v_package." 'json'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); // Set success message if (empty($_SESSION['error_msg'])) { diff --git a/web/edit/server/index.php b/web/edit/server/index.php index 1e26b4a97..a47056991 100644 --- a/web/edit/server/index.php +++ b/web/edit/server/index.php 
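Review bot: `$fp = fopen($tmpdir."/".$_POST['v_package'].".pkg", 'w');` puts the raw POST value into a filesystem path, so a name such as `../../x` writes a `.pkg` file outside `$tmpdir` wherever the web user can write; `escapeshellarg()` on `$v_package` protects only the command line, not the path. Validate the name once and use the validated value for both the filename and the `v-add-user-package` argument, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $_POST['v_package'])) { /* set $_SESSION['error_msg'] and skip the write */ }`; the empty-field check at the top of the hunk sets `error_msg` but nothing visible stops the write afterwards (the branch start is outside the hunk). `exec ('rm -rf '.$tmpdir, ...)` is also unquoted; `$tmpdir` comes from above the hunk and is presumably generated, but `escapeshellarg($tmpdir)` costs nothing.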
@@ -16,8 +16,9 @@ $v_hostname = exec('hostname'); // List available timezones and get current one $v_timezones = list_timezones(); -v_exec('v-get-sys-timezone', [], false, $output); -$v_timezone = strtok($output, "\n"); +exec (VESTA_CMD."v-get-sys-timezone", $output, $return_var); +$v_timezone = $output[0]; +unset($output); if ($v_timezone == 'Etc/UTC' ) $v_timezone = 'UTC'; if ($v_timezone == 'Pacific/Honolulu' ) $v_timezone = 'HAST'; if ($v_timezone == 'US/Aleutian' ) $v_timezone = 'HADT'; 
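Review bot: `$v_timezone = $output[0];` assumes `v-get-sys-timezone` printed at least one line; the call has no `check_return_code()`, so if it fails or prints nothing this raises an undefined-index notice and `$v_timezone` is null for the rest of the page. The removed `strtok($output, "\n")` tolerated an empty result; keep that tolerance with `$v_timezone = isset($output[0]) ? $output[0] : '';`.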
@@ -33,40 +34,51 @@ if ($v_timezone == 'America/Puerto_Rico' ) $v_timezone = 'AST'; if ($v_timezone == 'America/Halifax' ) $v_timezone = 'ADT'; // List supported languages -v_exec('v-list-sys-languages', ['json'], false, $output); -$languages = json_decode($output, true); +exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var); +$languages = json_decode(implode('', $output), true); +unset($output); // List dns cluster hosts -v_exec('v-list-remote-dns-hosts', ['json'], false, $output); -$dns_cluster = json_decode($output, true); -if (count($dns_cluster) >= 1) $v_dns_cluster = 'yes'; +exec (VESTA_CMD."v-list-remote-dns-hosts json", $output, $return_var); +$dns_cluster = json_decode(implode('', $output), true); +unset($output); +foreach ($dns_cluster as $key => $value) { + $v_dns_cluster = 'yes'; +} // List MySQL hosts -v_exec('v-list-database-hosts', ['mysql', 'json'], false, $output); -$v_mysql_hosts = json_decode($output, true); -if (count($v_mysql_hosts) >= 1) $v_mysql = 'yes'; +exec (VESTA_CMD."v-list-database-hosts mysql json", $output, $return_var); +$v_mysql_hosts = json_decode(implode('', $output), true); +unset($output); +foreach ($v_mysql_hosts as $key => $value) { + $v_mysql = 'yes'; +} // List PostgreSQL hosts -v_exec('v-list-database-hosts', ['pgsql', 'json'], false, $output); -$v_pgsql_hosts = json_decode($output, true); -if (count($v_pgsql_hosts) >= 1) $v_psql = 'yes'; +exec (VESTA_CMD."v-list-database-hosts pgsql json", $output, $return_var); +$v_pgsql_hosts = json_decode(implode('', $output), true); +unset($output); +foreach ($v_pgsql_hosts as $key => $value) { + $v_psql = 'yes'; +} // List backup settings -$v_backup_dir = '/backup'; +$v_backup_dir = "/backup"; if (!empty($_SESSION['BACKUP'])) $v_backup_dir = $_SESSION['BACKUP']; $v_backup_gzip = '5'; if (!empty($_SESSION['BACKUP_GZIP'])) $v_backup_gzip = $_SESSION['BACKUP_GZIP']; -$backup_types = explode(',', $_SESSION['BACKUP_SYSTEM']); +$backup_types = 
split(",",$_SESSION['BACKUP_SYSTEM']); foreach ($backup_types as $backup_type) { if ($backup_type == 'local') { $v_backup = 'yes'; } else { - v_exec('v-list-backup-host', [$backup_type, 'json'], false, $output); - $v_remote_backup = json_decode($output, true); + exec (VESTA_CMD."v-list-backup-host ".$backup_type. " json", $output, $return_var); + $v_remote_backup = json_decode(implode('', $output), true); + unset($output); $v_backup_host = $v_remote_backup[$backup_type]['HOST']; $v_backup_type = $v_remote_backup[$backup_type]['TYPE']; $v_backup_username = $v_remote_backup[$backup_type]['USERNAME']; - $v_backup_password = ''; + $v_backup_password = ""; $v_backup_port = $v_remote_backup[$backup_type]['PORT']; $v_backup_bpath = $v_remote_backup[$backup_type]['BPATH']; } @@ -74,16 +86,19 @@ foreach ($backup_types as $backup_type) { // Check POST request if (!empty($_POST['save'])) { + // Check token if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { header('location: /login/'); - exit; + exit(); } // Change hostname if ((!empty($_POST['v_hostname'])) && ($v_hostname != $_POST['v_hostname'])) { + exec (VESTA_CMD."v-change-sys-hostname ".escapeshellarg($_POST['v_hostname']), $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_hostname = $_POST['v_hostname']; - v_exec('v-change-sys-hostname', [$v_hostname]); } // Change timezone @@ -105,8 +120,10 @@ if (!empty($_POST['save'])) { if ($v_tz == 'ADT' ) $v_tz = 'America/Halifax'; if ($v_timezone != $v_tz) { + exec (VESTA_CMD."v-change-sys-timezone ".escapeshellarg($v_tz), $output, $return_var); + check_return_code($return_var,$output); $v_timezone = $v_tz; - v_exec('v-change-sys-timezone', [$v_timezone]); + unset($output); } } } 
@@ -114,7 +131,9 @@ if (!empty($_POST['save'])) {
// Change default language
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_language'])) && ($_SESSION['LANGUAGE'] != $_POST['v_language'])) {
- v_exec('v-change-sys-language', [$_POST['v_language']]);
+ exec (VESTA_CMD."v-change-sys-language ".escapeshellarg($_POST['v_language']), $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $_SESSION['LANGUAGE'] = $_POST['v_language'];
}
}
@@ -123,10 +142,14 @@ if (!empty($_POST['save'])) {
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_quota'])) && ($_SESSION['DISK_QUOTA'] != $_POST['v_quota'])) {
if($_POST['v_quota'] == 'yes') {
- v_exec('v-add-sys-quota');
+ exec (VESTA_CMD."v-add-sys-quota", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $_SESSION['DISK_QUOTA'] = 'yes';
} else {
- v_exec('v-delete-sys-quota');
+ exec (VESTA_CMD."v-delete-sys-quota", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $_SESSION['DISK_QUOTA'] = 'no';
}
}
@@ -138,10 +161,14 @@ if (!empty($_POST['save'])) {
if ($_SESSION['FIREWALL_SYSTEM'] != 'iptables') $v_firewall = 'no';
if ((!empty($_POST['v_firewall'])) && ($v_firewall != $_POST['v_firewall'])) {
if($_POST['v_firewall'] == 'yes') {
- v_exec('v-add-sys-firewall');
+ exec (VESTA_CMD."v-add-sys-firewall", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $_SESSION['FIREWALL_SYSTEM'] = 'iptables';
} else {
- v_exec('v-delete-sys-firewall');
+ exec (VESTA_CMD."v-delete-sys-firewall", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $_SESSION['FIREWALL_SYSTEM'] = '';
}
}
@@ -150,7 +177,9 @@ if (!empty($_POST['save'])) {
// Update mysql pasword
if (empty($_SESSION['error_msg'])) {
if (!empty($_POST['v_mysql_password'])) {
- v_exec('v-change-database-host-password', ['mysql', 'localhost', 'root', $_POST['v_mysql_password']]);
+ exec (VESTA_CMD."v-change-database-host-password mysql localhost root '".escapeshellarg($_POST['v_mysql_password'])."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$v_db_adv = 'yes';
}
}
@@ -159,7 +188,9 @@ if (!empty($_POST['save'])) {
// Update webmail url
if (empty($_SESSION['error_msg'])) {
if ($_POST['v_mail_url'] != $_SESSION['MAIL_URL']) {
- v_exec('v-change-sys-config-value', ['MAIL_URL', $_POST['v_mail_url']]);
+ exec (VESTA_CMD."v-change-sys-config-value MAIL_URL '".escapeshellarg($_POST['v_mail_url'])."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$v_mail_adv = 'yes';
}
}
@@ -167,7 +198,9 @@ if (!empty($_POST['save'])) {
// Update phpMyAdmin url
if (empty($_SESSION['error_msg'])) {
if ($_POST['v_mysql_url'] != $_SESSION['DB_PMA_URL']) {
- v_exec('v-change-sys-config-value', ['DB_PMA_URL', $_POST['v_mysql_url']]);
+ exec (VESTA_CMD."v-change-sys-config-value DB_PMA_URL '".escapeshellarg($_POST['v_mysql_url'])."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$v_db_adv = 'yes';
}
}
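Review bot: The `v-change-database-host-password` call wraps the result of `escapeshellarg()` in a second pair of literal single quotes (`'".escapeshellarg(...)."'`). `escapeshellarg()` already returns a single-quoted string, so the added outer quote pairs up with the inner one as an empty string and the value body is handed to the shell unquoted; any whitespace or shell metacharacter in the submitted password then breaks out of the argument, which is the command-injection hole this revert reopens. Drop the literal quotes: `exec (VESTA_CMD."v-change-database-host-password mysql localhost root ".escapeshellarg($_POST['v_mysql_password']), $output, $return_var);`. The same quoting appears in the MAIL_URL and DB_PMA_URL hunks here, in the DB_PGA_URL hunk below, in the three `v-add-backup-host` calls, and in the `v-list-web-domain-ssl` call of web/edit/web/index.php. Passing the MySQL root password as a command-line argument also exposes it in the process list; the password hunk in web/edit/user/index.php already uses a temporary file for the same purpose.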
@@ -175,15 +208,19 @@ if (!empty($_POST['save'])) {
// Update phpPgAdmin url
if (empty($_SESSION['error_msg'])) {
if ($_POST['v_psql_url'] != $_SESSION['DB_PGA_URL']) {
- v_exec('v-change-sys-config-value', ['DB_PGA_URL', $_POST['v_pgsql_url']]);
+ exec (VESTA_CMD."v-change-sys-config-value DB_PGA_URL '".escapeshellarg($_POST['v_pgsql_url'])."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$v_db_adv = 'yes';
}
}
// Disable local backup
if (empty($_SESSION['error_msg'])) {
- if (($_POST['v_backup'] == 'no') && ($v_backup == 'yes')) {
- v_exec('v-delete-backup-host', ['local']);
+ if (($_POST['v_backup'] == 'no') && ($v_backup == 'yes' )) {
+ exec (VESTA_CMD."v-delete-backup-host local", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $v_backup = 'no';
$v_backup_adv = 'yes';
}
@@ -192,7 +229,9 @@ if (!empty($_POST['save'])) {
// Enable local backups
if (empty($_SESSION['error_msg'])) {
if (($_POST['v_backup'] == 'yes') && ($v_backup != 'yes' )) {
- v_exec('v-add-backup-host', ['local']);
+ exec (VESTA_CMD."v-add-backup-host local", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $v_backup = 'yes';
$v_backup_adv = 'yes';
}
@@ -202,7 +241,9 @@ if (!empty($_POST['save'])) {
// Change backup gzip level
if (empty($_SESSION['error_msg'])) {
if ($_POST['v_backup_gzip'] != $v_backup_gzip ) {
- v_exec('v-change-sys-config-value', ['BACKUP_GZIP', $_POST['v_backup_gzip']]);
+ exec (VESTA_CMD."v-change-sys-config-value BACKUP_GZIP ".escapeshellarg($_POST['v_backup_gzip']), $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $v_backup_gzip = $_POST['v_backup_gzip'];
$v_backup_adv = 'yes';
}
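Review bot: The phpPgAdmin block compares `$_POST['v_psql_url']` against the session value but passes `$_POST['v_pgsql_url']` to `v-change-sys-config-value`, so the guard and the written value are read from two different form fields and one of them is likely always unset. Whichever name the form actually uses, both lines should read the same key, e.g. `if ($_POST['v_pgsql_url'] != $_SESSION['DB_PGA_URL']) {`. The `'".escapeshellarg(...)."'` quoting on the exec line has the defect raised on the MySQL password hunk above; the local-backup and gzip hunks below pass fixed or properly escaped arguments and are fine.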
@@ -211,7 +252,9 @@ if (!empty($_POST['save'])) {
// Change backup path
if (empty($_SESSION['error_msg'])) {
if ($_POST['v_backup_dir'] != $v_backup_dir ) {
- v_exec('v-change-sys-config-value', ['BACKUP', $_POST['v_backup_dir']]);
+ exec (VESTA_CMD."v-change-sys-config-value BACKUP ".escapeshellarg($_POST['v_backup_dir']), $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) $v_backup_dir = $_POST['v_backup_dir'];
$v_backup_adv = 'yes';
}
@@ -220,12 +263,19 @@ if (!empty($_POST['save'])) {
// Add remote backup host
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_backup_host'])) && (empty($v_backup_host))) {
- $v_backup_host = $_POST['v_backup_host'];
- $v_backup_type = $_POST['v_backup_type'];
- $v_backup_username = $_POST['v_backup_username'];
- $v_backup_password = $_POST['v_backup_password'];
- $v_backup_bpath = $_POST['v_backup_bpath'];
- v_exec('v-add-backup-host', [$v_backup_type, $v_backup_host, $v_backup_username, $v_backup_password, $v_backup_bpath]);
+ $v_backup_host = escapeshellarg($_POST['v_backup_host']);
+ $v_backup_type = escapeshellarg($_POST['v_backup_type']);
+ $v_backup_username = escapeshellarg($_POST['v_backup_username']);
+ $v_backup_password = escapeshellarg($_POST['v_backup_password']);
+ $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
+ exec (VESTA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
+ if (empty($_SESSION['error_msg'])) $v_backup_type = $_POST['v_backup_type'];
+ if (empty($_SESSION['error_msg'])) $v_backup_username = $_POST['v_backup_username'];
+ if (empty($_SESSION['error_msg'])) $v_backup_password = $_POST['v_backup_password'];
+ if (empty($_SESSION['error_msg'])) $v_backup_bpath = $_POST['v_backup_bpath'];
$v_backup_new = 'yes';
$v_backup_adv = 'yes';
$v_backup_remote_adv = 'yes';
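Review bot: When `v-add-backup-host` fails, `$v_backup_host`, `$v_backup_type`, `$v_backup_username`, `$v_backup_password` and `$v_backup_bpath` are left holding the `escapeshellarg()`-wrapped strings, because the raw values are only restored when `error_msg` is empty; anything that renders these variables afterwards (presumably the form template) shows them with shell quotes attached. Keep the variables raw and escape only inside the command string, `exec (VESTA_CMD."v-add-backup-host ".escapeshellarg($_POST['v_backup_type'])." ".escapeshellarg($_POST['v_backup_host'])." ".escapeshellarg($_POST['v_backup_username'])." ".escapeshellarg($_POST['v_backup_password'])." ".escapeshellarg($_POST['v_backup_bpath']), $output, $return_var);`, which also makes the five conditional re-assignments unnecessary and removes the extra literal quotes raised on the MySQL password hunk. `$v_backup_password` keeps the submitted plaintext after a successful add; the listing code above deliberately blanks it.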
@@ -235,14 +285,22 @@ if (!empty($_POST['save'])) {
// Change remote backup host type
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_backup_host'])) && ($_POST['v_backup_type'] != $v_backup_type)) {
- v_exec('v-delete-backup-host', [$v_backup_type], false);
+ exec (VESTA_CMD."v-delete-backup-host '". $v_backup_type ."'", $output, $return_var);
+ unset($output);
- $v_backup_host = $_POST['v_backup_host'];
- $v_backup_type = $_POST['v_backup_type'];
- $v_backup_username = $_POST['v_backup_username'];
- $v_backup_password = $_POST['v_backup_password'];
- $v_backup_bpath = $_POST['v_backup_bpath'];
- v_exec('v-add-backup-host', [$v_backup_type, $v_backup_host, $v_backup_username, $v_backup_password, $v_backup_bpath]);
+ $v_backup_host = escapeshellarg($_POST['v_backup_host']);
+ $v_backup_type = escapeshellarg($_POST['v_backup_type']);
+ $v_backup_username = escapeshellarg($_POST['v_backup_username']);
+ $v_backup_password = escapeshellarg($_POST['v_backup_password']);
+ $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
+ exec (VESTA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
+ if (empty($_SESSION['error_msg'])) $v_backup_type = $_POST['v_backup_type'];
+ if (empty($_SESSION['error_msg'])) $v_backup_username = $_POST['v_backup_username'];
+ if (empty($_SESSION['error_msg'])) $v_backup_password = $_POST['v_backup_password'];
+ if (empty($_SESSION['error_msg'])) $v_backup_bpath = $_POST['v_backup_bpath'];
$v_backup_adv = 'yes';
$v_backup_remote_adv = 'yes';
}
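Review bot: The `v-delete-backup-host '". $v_backup_type ."'` call interpolates `$v_backup_type` with literal quotes only, not `escapeshellarg()`; the value comes from the `v-list-backup-host` JSON parsed at the top of the file (presumably a fixed keyword, but nothing here checks that), so `escapeshellarg($v_backup_type)` is the consistent form. The delete also discards `$return_var` without `check_return_code`, so a failed delete is followed by an add whose error, if any, is the only one reported; the removed side passed `false` for the same best-effort intent, and if that is deliberate a one-line comment such as `// best effort: the old host entry may already be gone` would document it. The same unescaped `$v_backup_type` appears in the 'Delete remote backup host' hunk further down.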
@@ -252,12 +310,19 @@ if (!empty($_POST['save'])) {
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_backup_host'])) && ($_POST['v_backup_type'] == $v_backup_type) && (!isset($v_backup_new))) {
if (($_POST['v_backup_host'] != $v_backup_host) || ($_POST['v_backup_username'] != $v_backup_username) || ($_POST['v_backup_password'] || $v_backup_password) || ($_POST['v_backup_bpath'] == $v_backup_bpath)){
- $v_backup_host = $_POST['v_backup_host'];
- $v_backup_type = $_POST['v_backup_type'];
- $v_backup_username = $_POST['v_backup_username'];
- $v_backup_password = $_POST['v_backup_password'];
- $v_backup_bpath = $_POST['v_backup_bpath'];
- v_exec('v-add-backup-host', [$v_backup_type, $v_backup_host, $v_backup_username, $v_backup_password, $v_backup_bpath]);
+ $v_backup_host = escapeshellarg($_POST['v_backup_host']);
+ $v_backup_type = escapeshellarg($_POST['v_backup_type']);
+ $v_backup_username = escapeshellarg($_POST['v_backup_username']);
+ $v_backup_password = escapeshellarg($_POST['v_backup_password']);
+ $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']);
+ exec (VESTA_CMD."v-add-backup-host '". $v_backup_type ."' '". $v_backup_host ."' '". $v_backup_username ."' '". $v_backup_password ."' '". $v_backup_bpath ."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host'];
+ if (empty($_SESSION['error_msg'])) $v_backup_type = $_POST['v_backup_type'];
+ if (empty($_SESSION['error_msg'])) $v_backup_username = $_POST['v_backup_username'];
+ if (empty($_SESSION['error_msg'])) $v_backup_password = $_POST['v_backup_password'];
+ if (empty($_SESSION['error_msg'])) $v_backup_bpath = $_POST['v_backup_bpath'];
$v_backup_adv = 'yes';
$v_backup_remote_adv = 'yes';
}
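Review bot: The change-detection guard at the top of this hunk is context, but it is the condition the new code runs under and its last term looks inverted: `($_POST['v_backup_bpath'] == $v_backup_bpath)` is true when the path is unchanged, so the host is re-added on almost every save where the other fields match. If the intent is "any field differs" it should read `($_POST['v_backup_bpath'] != $v_backup_bpath)`. The `($_POST['v_backup_password'] || $v_backup_password)` term relies on truthiness and reads as "a new password was submitted"; `(!empty($_POST['v_backup_password']))` says that explicitly. The enclosing `if` blocks open outside this hunk.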
@@ -268,14 +333,14 @@ if (!empty($_POST['save'])) {
// Delete remote backup host
if (empty($_SESSION['error_msg'])) {
if ((empty($_POST['v_backup_host'])) && (!empty($v_backup_host))) {
- v_exec('v-delete-backup-host', [$v_backup_type]);
- if (empty($_SESSION['error_msg'])) {
- $v_backup_host = '';
- $v_backup_type = '';
- $v_backup_username = '';
- $v_backup_password = '';
- $v_backup_bpath = '';
- }
+ exec (VESTA_CMD."v-delete-backup-host '". $v_backup_type ."'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ if (empty($_SESSION['error_msg'])) $v_backup_host = '';
+ if (empty($_SESSION['error_msg'])) $v_backup_type = '';
+ if (empty($_SESSION['error_msg'])) $v_backup_username = '';
+ if (empty($_SESSION['error_msg'])) $v_backup_password = '';
+ if (empty($_SESSION['error_msg'])) $v_backup_bpath = '';
$v_backup_adv = '';
$v_backup_remote_adv = '';
}
@@ -286,25 +351,29 @@ if (!empty($_POST['save'])) {
$_SESSION['ok_msg'] = __('Changes has been saved.');
}
- // Activate sftp licence
+ // activating sftp licence
if (empty($_SESSION['error_msg'])) {
- if ($_SESSION['SFTPJAIL_KEY'] != $_POST['v_sftp_licence'] && $_POST['v_sftp'] == 'yes') {
+ if($_SESSION['SFTPJAIL_KEY'] != $_POST['v_sftp_licence'] && $_POST['v_sftp'] == 'yes'){
$module = 'sftpjail';
- $licence_key = $_POST['v_sftp_licence'];
- v_exec('v-activate-vesta-license', [$module, $licence_key]);
+ $licence_key = escapeshellarg($_POST['v_sftp_licence']);
+ exec (VESTA_CMD."v-activate-vesta-license ".$module." ".$licence_key, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('Licence Activated');
- $_SESSION['SFTPJAIL_KEY'] = $licence_key;
+ $_SESSION['SFTPJAIL_KEY'] = $_POST['v_sftp_licence'];
}
}
}
- // Cancel sftp licence
+ // cancel sftp licence
if (empty($_SESSION['error_msg'])) {
- if ($_POST['v_sftp'] == 'cancel' && $_SESSION['SFTPJAIL_KEY']) {
+ if($_POST['v_sftp'] == 'cancel' && $_SESSION['SFTPJAIL_KEY']){
$module = 'sftpjail';
- $licence_key = $_SESSION['SFTPJAIL_KEY'];
- v_exec('v-deactivate-vesta-license', [$module, $licence_key]);
+ $licence_key = escapeshellarg($_SESSION['SFTPJAIL_KEY']);
+ exec (VESTA_CMD."v-deactivate-vesta-license ".$module." ".$licence_key, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('Licence Deactivated');
unset($_SESSION['SFTPJAIL_KEY']);
@@ -313,25 +382,29 @@ if (!empty($_POST['save'])) {
}
- // Activate filemanager licence
+ // activating filemanager licence
if (empty($_SESSION['error_msg'])) {
- if ($_SESSION['FILEMANAGER_KEY'] != $_POST['v_filemanager_licence'] && $_POST['v_filemanager'] == 'yes') {
+ if($_SESSION['FILEMANAGER_KEY'] != $_POST['v_filemanager_licence'] && $_POST['v_filemanager'] == 'yes'){
$module = 'filemanager';
- $licence_key = $_POST['v_filemanager_licence'];
- v_exec('v-activate-vesta-license', [$module, $licence_key]);
+ $licence_key = escapeshellarg($_POST['v_filemanager_licence']);
+ exec (VESTA_CMD."v-activate-vesta-license ".$module." ".$licence_key, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('Licence Activated');
- $_SESSION['FILEMANAGER_KEY'] = $licence_key;
+ $_SESSION['FILEMANAGER_KEY'] = $_POST['v_filemanager_licence'];
}
}
}
- // Cancel filemanager licence
+ // cancel filemanager licence
if (empty($_SESSION['error_msg'])) {
- if ($_POST['v_filemanager'] == 'cancel' && $_SESSION['FILEMANAGER_KEY']) {
+ if($_POST['v_filemanager'] == 'cancel' && $_SESSION['FILEMANAGER_KEY']){
$module = 'filemanager';
- $licence_key = $_SESSION['FILEMANAGER_KEY'];
- v_exec('v-deactivate-vesta-license', [$module, $licence_key]);
+ $licence_key = escapeshellarg($_SESSION['FILEMANAGER_KEY']);
+ exec (VESTA_CMD."v-deactivate-vesta-license ".$module." ".$licence_key, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('Licence Deactivated');
unset($_SESSION['FILEMANAGER_KEY']);
@@ -341,8 +414,8 @@ if (!empty($_POST['save'])) {
}
// Check system configuration
-v_exec('v-list-sys-config', ['json'], false, $output);
-$data = json_decode($output, true);
+exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var);
+$data = json_decode(implode('', $output), true);
$sys_arr = $data['config'];
foreach ($sys_arr as $key => $value) {
$_SESSION[$key] = $value;
diff --git a/web/edit/user/index.php b/web/edit/user/index.php
index 9dd2784d6..c0ea9cd5c 100644
--- a/web/edit/user/index.php
+++ b/web/edit/user/index.php
@@ -16,18 +16,21 @@ if (empty($_GET['user'])) {
// Edit as someone else?
if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user=$_GET['user'];
+ $v_username=$_GET['user'];
} else {
- $user = $_SESSION['user'];
+ $user=$_SESSION['user'];
+ $v_username=$_SESSION['user'];
}
-$v_username = $user;
// List user
-v_exec('v-list-user', [$v_username, 'json'], true, $output);
-$data = json_decode($output, true);
+exec (VESTA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
+check_return_code($return_var,$output);
+$data = json_decode(implode('', $output), true);
+unset($output);
// Parse user
-$v_password = '';
+$v_password = "";
$v_email = $data[$v_username]['CONTACT'];
$v_package = $data[$v_username]['PACKAGE'];
$v_language = $data[$v_username]['LANGUAGE'];
@@ -35,7 +38,7 @@ $v_fname = $data[$v_username]['FNAME'];
$v_lname = $data[$v_username]['LNAME'];
$v_shell = $data[$v_username]['SHELL'];
$v_ns = $data[$v_username]['NS'];
-$nameservers = explode(', ', $v_ns);
+$nameservers = explode(", ", $v_ns);
$v_ns1 = $nameservers[0];
$v_ns2 = $nameservers[1];
$v_ns3 = $nameservers[2];
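Review bot: The `v-list-sys-config` hunk dereferences `$data['config']` and loops over it without looking at `$return_var` or checking that `json_decode` produced an array; when the command fails, `$data` is `null`, the `foreach` emits warnings and the session is left with whatever was in it before. Add `check_return_code($return_var,$output);` after the `exec` as the other hunks do, and guard the loop with `if (is_array($sys_arr))`. `$output` is also not unset here; `exec()` appends to an existing array, so if any later `exec` in this file reuses `$output` it will see the stale config lines. In the web/edit/user/index.php hunk the listing is checked with `check_return_code`, which is the pattern to follow.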
@@ -55,25 +58,29 @@ $v_time = $data[$v_username]['TIME'];
$v_date = $data[$v_username]['DATE'];
// List packages
-v_exec('v-list-user-packages', ['json'], false, $output);
-$packages = json_decode($output, true);
+exec (VESTA_CMD."v-list-user-packages json", $output, $return_var);
+$packages = json_decode(implode('', $output), true);
+unset($output);
// List languages
-v_exec('v-list-sys-languages', ['json'], false, $output);
-$languages = json_decode($output, true);
+exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
+$languages = json_decode(implode('', $output), true);
+unset($output);
// List shells
-v_exec('v-list-sys-shells', ['json'], false, $output);
-$shells = json_decode($output, true);
+exec (VESTA_CMD."v-list-sys-shells json", $output, $return_var);
+$shells = json_decode(implode('', $output), true);
+unset($output);
// Are you admin?
// Check POST request
if (!empty($_POST['save'])) {
+ // Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
- exit;
+ exit();
}
// Change password
@@ -82,34 +89,38 @@ if (!empty($_POST['save'])) {
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
- v_exec('v-change-user-password', [$v_username, $v_password]);
+ exec (VESTA_CMD."v-change-user-password ".escapeshellarg($v_username)." ".$v_password, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
unlink($v_password);
- $v_password = $_POST['v_password'];
+ $v_password = escapeshellarg($_POST['v_password']);
}
// Change package (admin only)
if (($v_package != $_POST['v_package']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
- $v_package = $_POST['v_package'];
- v_exec('v-change-user-package', [$v_username, $v_package]);
+ $v_package = escapeshellarg($_POST['v_package']);
+ exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".$v_package, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
}
// Change language
if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) {
- $v_language = $_POST['v_language'];
- v_exec('v-change-user-language', [$v_username, $v_language]);
+ $v_language = escapeshellarg($_POST['v_language']);
+ exec (VESTA_CMD."v-change-user-language ".escapeshellarg($v_username)." 
".$v_language, $output, $return_var);
+ check_return_code($return_var,$output);
if (empty($_SESSION['error_msg'])) {
- if ((empty($_GET['user'])) || ($_GET['user'] == $_SESSION['user'])) {
- $_SESSION['language'] = $_POST['v_language'];
- }
+ if ((empty($_GET['user'])) || ($_GET['user'] == $_SESSION['user'])) $_SESSION['language'] = $_POST['v_language'];
}
+ unset($output);
}
// Change shell (admin only)
- if ($_SESSION['user'] == 'admin') {
- if (($v_shell != $_POST['v_shell']) && (empty($_SESSION['error_msg']))) {
- $v_shell = $_POST['v_shell'];
- v_exec('v-change-user-shell', [$v_username, $v_shell]);
- }
+ if (($v_shell != $_POST['v_shell']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
+ $v_shell = escapeshellarg($_POST['v_shell']);
+ exec (VESTA_CMD."v-change-user-shell ".escapeshellarg($v_username)." ".$v_shell, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
}
// Change contact email
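Review bot: After each command runs, the `$v_*` variables are left holding `escapeshellarg()` output instead of the submitted value: `$v_password = escapeshellarg($_POST['v_password']);`, and likewise `$v_package`, `$v_language` and `$v_shell`. Those variables are the page's display state (the listing above fills them from the user JSON), so a form rendered from them afterwards would carry quote-wrapped values that no longer match the package, language and shell option lists. Escape at the call site instead, e.g. `exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".escapeshellarg($_POST['v_package']), $output, $return_var);` followed by `$v_package = $_POST['v_package'];`. For the password there is no reason to keep the plaintext at all once the temporary file is unlinked; `$v_password = '';` matches what the listing initialises. The same pattern continues in the contact-email and nameserver hunk below, where the nameservers are later "unescaped" with `str_replace("'","", ...)`, which also mangles any value that contained a quote.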
@@ -117,37 +128,54 @@ if (!empty($_POST['save'])) {
if (!filter_var($_POST['v_email'], FILTER_VALIDATE_EMAIL)) {
$_SESSION['error_msg'] = __('Please enter valid email address.');
} else {
- $v_email = $_POST['v_email'];
- v_exec('v-change-user-contact', [$v_username, $v_email]);
+ $v_email = escapeshellarg($_POST['v_email']);
+ exec (VESTA_CMD."v-change-user-contact ".escapeshellarg($v_username)." ".$v_email, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
}
}
// Change full name
- if ((($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname'])) && (empty($_SESSION['error_msg']))) {
+ if (($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg']))) {
+ $v_fname = escapeshellarg($_POST['v_fname']);
+ $v_lname = escapeshellarg($_POST['v_lname']);
+ exec (VESTA_CMD."v-change-user-name ".escapeshellarg($v_username)." ".$v_fname." ".$v_lname, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$v_fname = $_POST['v_fname'];
$v_lname = $_POST['v_lname'];
- v_exec('v-change-user-name', [$v_username, $v_fname, $v_lname]);
}
// Change NameServers
- if ((($v_ns1 != $_POST['v_ns1']) || ($v_ns2 != $_POST['v_ns2']) || ($v_ns3 != $_POST['v_ns3']) || ($v_ns4 != $_POST['v_ns4']) || ($v_ns5 != $_POST['v_ns5'])
- || ($v_ns6 != $_POST['v_ns6']) || ($v_ns7 != $_POST['v_ns7']) || ($v_ns8 != $_POST['v_ns8'])) && (empty($_SESSION['error_msg']))) {
- $v_ns1 = $_POST['v_ns1'];
- $v_ns2 = $_POST['v_ns2'];
- $v_ns3 = $_POST['v_ns3'];
- $v_ns4 = $_POST['v_ns4'];
- $v_ns5 = $_POST['v_ns5'];
- $v_ns6 = $_POST['v_ns6'];
- $v_ns7 = $_POST['v_ns7'];
- $v_ns8 = $_POST['v_ns8'];
- $ns_args = [$v_username, $v_ns1, $v_ns2];
- if (!empty($_POST['v_ns3'])) $ns_args[] = $v_ns3;
- if (!empty($_POST['v_ns4'])) $ns_args[] = $v_ns4;
- if (!empty($_POST['v_ns5'])) $ns_args[] = $v_ns5;
- if (!empty($_POST['v_ns6'])) $ns_args[] = $v_ns6;
- if (!empty($_POST['v_ns7'])) $ns_args[] = $v_ns7;
- if 
(!empty($_POST['v_ns8'])) $ns_args[] = $v_ns8;
- v_exec('v-change-user-ns', $ns_args);
+ if (($v_ns1 != $_POST['v_ns1']) || ($v_ns2 != $_POST['v_ns2']) || ($v_ns3 != $_POST['v_ns3']) || ($v_ns4 != $_POST['v_ns4']) || ($v_ns5 != $_POST['v_ns5'])
+ || ($v_ns6 != $_POST['v_ns6']) || ($v_ns7 != $_POST['v_ns7']) || ($v_ns8 != $_POST['v_ns8']) && (empty($_SESSION['error_msg']))) {
+ $v_ns1 = escapeshellarg($_POST['v_ns1']);
+ $v_ns2 = escapeshellarg($_POST['v_ns2']);
+ $v_ns3 = escapeshellarg($_POST['v_ns3']);
+ $v_ns4 = escapeshellarg($_POST['v_ns4']);
+ $v_ns5 = escapeshellarg($_POST['v_ns5']);
+ $v_ns6 = escapeshellarg($_POST['v_ns6']);
+ $v_ns7 = escapeshellarg($_POST['v_ns7']);
+ $v_ns8 = escapeshellarg($_POST['v_ns8']);
+ $ns_cmd = VESTA_CMD."v-change-user-ns ".escapeshellarg($v_username)." ".$v_ns1." ".$v_ns2;
+ if (!empty($_POST['v_ns3'])) $ns_cmd = $ns_cmd." ".$v_ns3;
+ if (!empty($_POST['v_ns4'])) $ns_cmd = $ns_cmd." ".$v_ns4;
+ if (!empty($_POST['v_ns5'])) $ns_cmd = $ns_cmd." ".$v_ns5;
+ if (!empty($_POST['v_ns6'])) $ns_cmd = $ns_cmd." ".$v_ns6;
+ if (!empty($_POST['v_ns7'])) $ns_cmd = $ns_cmd." ".$v_ns7;
+ if (!empty($_POST['v_ns8'])) $ns_cmd = $ns_cmd." ".$v_ns8;
+ exec ($ns_cmd, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+
+ $v_ns1 = str_replace("'","", $v_ns1);
+ $v_ns2 = str_replace("'","", $v_ns2);
+ $v_ns3 = str_replace("'","", $v_ns3);
+ $v_ns4 = str_replace("'","", $v_ns4);
+ $v_ns5 = str_replace("'","", $v_ns5);
+ $v_ns6 = str_replace("'","", $v_ns6);
+ $v_ns7 = str_replace("'","", $v_ns7);
+ $v_ns8 = str_replace("'","", $v_ns8);
}
// Set success message
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
index 7fab12440..c0d1f6f80 100644
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
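Review bot: The two new guards, `if (($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg'])))` and the eight-term nameserver condition, drop the outer parentheses the removed side had; because `&&` binds tighter than `||`, the `error_msg` check now applies only to the last operand, so a changed first name (or any of ns1..ns7) runs the command even after an earlier step has already failed. Restore the grouping: `if ((($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname'])) && (empty($_SESSION['error_msg']))) {`, and wrap the whole nameserver disjunction the same way. The eight `str_replace("'","", $v_nsN)` lines at the end exist only to undo `escapeshellarg()`; keeping the raw `$_POST` values in `$v_nsN` and calling `escapeshellarg()` inside the `$ns_cmd` concatenation removes them and avoids corrupting any value that contained a quote.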
@@ -16,17 +16,18 @@ if (empty($_GET['domain'])) {
// Edit as someone else?
if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
-$v_username = $user;
-$v_domain = $_GET['domain'];
-
// List domain
-v_exec('v-list-web-domain', [$user, $v_domain, 'json'], false, $output);
-$data = json_decode($output, true);
+$v_domain = escapeshellarg($_GET['domain']);
+exec (VESTA_CMD."v-list-web-domain ".$user." ".$v_domain." json", $output, $return_var);
+$data = json_decode(implode('', $output), true);
+unset($output);
// Parse domain
+$v_username = $user;
+$v_domain = $_GET['domain'];
$v_ip = $data[$v_domain]['IP'];
$v_template = $data[$v_domain]['TPL'];
$v_aliases = str_replace(',', "\n", $data[$v_domain]['ALIAS']);
@@ -35,9 +36,10 @@ $v_tpl = $data[$v_domain]['IP'];
$v_cgi = $data[$v_domain]['CGI'];
$v_elog = $data[$v_domain]['ELOG'];
$v_ssl = $data[$v_domain]['SSL'];
-if ($v_ssl == 'yes') {
- v_exec('v-list-web-domain-ssl', [$user, $v_domain, 'json'], false, $output);
- $ssl_str = json_decode($output, true);
+if ( $v_ssl == 'yes' ) {
+ exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var);
+ $ssl_str = json_decode(implode('', $output), true);
+ unset($output);
$v_ssl_crt = $ssl_str[$v_domain]['CRT'];
$v_ssl_key = $ssl_str[$v_domain]['KEY'];
$v_ssl_ca = $ssl_str[$v_domain]['CA'];
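Review bot: The first hunk resets `$v_domain` to the raw `$_GET['domain']` right after the listing, and the second hunk then builds `v-list-web-domain-ssl ".$user." '".$v_domain."' json"` with only literal single quotes around it, so a domain value containing a quote or other shell metacharacters reaches the shell unescaped; use `escapeshellarg($v_domain)` there, as the listing call above does. `$user` is only escaped in the admin branch; in the non-admin case it keeps whatever was assigned before this hunk (not visible here), presumably the session user, and `$v_username = $user;` then carries the quote-wrapped admin value into every later command and display. Neither listing checks `$return_var`, so an unknown domain leaves `$data` null and the `$data[$v_domain][...]` reads that follow produce warnings instead of an error.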
@@ -49,10 +51,10 @@ $v_proxy_template = $data[$v_domain]['PROXY'];
$v_proxy_ext = str_replace(',', ', ', $data[$v_domain]['PROXY_EXT']);
$v_stats = $data[$v_domain]['STATS'];
$v_stats_user = $data[$v_domain]['STATS_USER'];
-if (!empty($v_stats_user)) $v_stats_password = '';
+if (!empty($v_stats_user)) $v_stats_password = "";
$v_ftp_user = $data[$v_domain]['FTP_USER'];
$v_ftp_path = $data[$v_domain]['FTP_PATH'];
-if (!empty($v_ftp_user)) $v_ftp_password = '';
+if (!empty($v_ftp_user)) $v_ftp_password = "";
$v_ftp_user_prepath = $data[$v_domain]['DOCUMENT_ROOT'];
$v_ftp_user_prepath = str_replace('/public_html', '', $v_ftp_user_prepath, $occurance = 1);
$v_ftp_email = $panel[$user]['CONTACT'];
@@ -66,78 +68,87 @@ $v_time = $data[$v_domain]['TIME'];
$v_date = $data[$v_domain]['DATE'];
// List ip addresses
-v_exec('v-list-user-ips', [$user, 'json'], false, $output);
-$ips = json_decode($output, true);
+exec (VESTA_CMD."v-list-user-ips ".$user." json", $output, $return_var);
+$ips = json_decode(implode('', $output), true);
+unset($output);
// List web templates
-v_exec('v-list-web-templates', ['json'], false, $output);
-$templates = json_decode($output, true);
+exec (VESTA_CMD."v-list-web-templates json", $output, $return_var);
+$templates = json_decode(implode('', $output), true);
+unset($output);
// List backend templates
if (!empty($_SESSION['WEB_BACKEND'])) {
- v_exec('v-list-web-templates-backend', ['json'], false, $output);
- $backend_templates = json_decode($output, true);
+ exec (VESTA_CMD."v-list-web-templates-backend json", $output, $return_var);
+ $backend_templates = json_decode(implode('', $output), true);
+ unset($output);
}
// List proxy templates
if (!empty($_SESSION['PROXY_SYSTEM'])) {
- v_exec('v-list-web-templates-proxy', ['json'], false, $output);
- $proxy_templates = json_decode($output, true);
+ exec (VESTA_CMD."v-list-web-templates-proxy json", $output, $return_var);
+ $proxy_templates = json_decode(implode('', $output), true);
+ unset($output);
}
// List web stat engines
-v_exec('v-list-web-stats', ['json'], false, $output);
-$stats = json_decode($output, true);
+exec (VESTA_CMD."v-list-web-stats json", $output, $return_var);
+$stats = json_decode(implode('', $output), true);
+unset($output);
// Check POST request
if (!empty($_POST['save'])) {
- $v_domain = $_POST['v_domain'];
+ $v_domain = escapeshellarg($_POST['v_domain']);
// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
- exit;
+ exit();
}
- // IP has been changed
- if ($v_ip != $_POST['v_ip']) {
- $v_ip = $_POST['v_ip'];
+ // Change web domain IP
+ if (($v_ip != $_POST['v_ip']) && 
(empty($_SESSION['error_msg']))) {
+ $v_ip = escapeshellarg($_POST['v_ip']);
+ exec (VESTA_CMD."v-change-web-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ $restart_web = 'yes';
+ $restart_proxy = 'yes';
+ unset($output);
+ }
- // Change web domain IP
- if (empty($_SESSION['error_msg'])) {
- v_exec('v-change-web-domain-ip', [$v_username, $v_domain, $v_ip, 'no']);
- $restart_web = 'yes';
- $restart_proxy = 'yes';
+ // Chane dns domain IP
+ if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
+ exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain." json", $output, $return_var);
+ unset($output);
+ if ($return_var == 0 ) {
+ exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ $restart_dns = 'yes';
}
+ }
- // Chane dns domain IP
- if (empty($_SESSION['error_msg'])) {
- $return_var = v_exec('v-list-dns-domain', [$v_username, $v_domain, 'json'], false);
- if ($return_var == 0) {
- v_exec('v-change-dns-domain-ip', [$v_username, $v_domain, $v_ip, 'no']);
+ // Change dns ip for each alias
+ if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
+ foreach($valiases as $v_alias ){
+ exec (VESTA_CMD."v-list-dns-domain ".$v_username." '".$v_alias."' json", $output, $return_var);
+ unset($output);
+ if ($return_var == 0 ) {
+ exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." 
'".$v_alias."' ".$v_ip, $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$restart_dns = 'yes';
}
}
-
- // Change dns ip for each alias
- if (empty($_SESSION['error_msg'])) {
- foreach ($valiases as $v_alias) {
- $return_var = v_exec('v-list-dns-domain', [$v_username, $v_alias, 'json'], false);
- if ($return_var == 0) {
- v_exe ('v-change-dns-domain-ip', [$v_username, $v_alias, $v_ip]);
- $restart_dns = 'yes';
- }
- }
- }
}
// Change template (admin only)
- if ($_SESSION['user'] == 'admin') {
- if (($v_template != $_POST['v_template']) && (empty($_SESSION['error_msg']))) {
- $v_template = $_POST['v_template'];
- v_exec('v-change-web-domain-tpl', [$v_username, $v_domain, $v_template, 'no']);
- $restart_web = 'yes';
- }
+ if (($v_template != $_POST['v_template']) && ( $_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
+ $v_template = escapeshellarg($_POST['v_template']);
+ exec (VESTA_CMD."v-change-web-domain-tpl ".$v_username." ".$v_domain." ".$v_template." 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+ $restart_web = 'yes';
}
// Change aliases
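Review bot: The "Change web domain IP" block overwrites `$v_ip` with `escapeshellarg($_POST['v_ip'])`, and the two blocks after it re-test `($v_ip != $_POST['v_ip'])`; that now compares a quoted string with an unquoted one, so it is true exactly when the first block ran, which works only by coincidence and leaves `$v_ip` quote-wrapped for the rest of the script, including the `v-add-dns-on-web-alias` call in a later hunk. Keep `$v_ip = $_POST['v_ip'];` and escape inside each command string, e.g. `exec (VESTA_CMD."v-change-web-domain-ip ".$v_username." ".$v_domain." ".escapeshellarg($v_ip)." 'no'", $output, $return_var);`. The alias loop wraps `$v_alias` in literal quotes only; `escapeshellarg($v_alias)` is the consistent form, and `$v_username` is only escaped for the admin branch (see the first hunk of this file). `$v_domain` was itself replaced by `escapeshellarg($_POST['v_domain'])` at the top of the save block, so any `$data[$v_domain]` lookup that follows it would use the quoted key.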
@@ -153,12 +164,18 @@ if (!empty($_POST['save'])) {
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
$restart_web = 'yes';
$restart_proxy = 'yes';
- $v_template = $_POST['v_template'];
- v_exec('v-delete-web-domain-alias', [$v_username, $v_domain, $alias, 'no']);
+ $v_template = escapeshellarg($_POST['v_template']);
+ exec (VESTA_CMD."v-delete-web-domain-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
+
if (empty($_SESSION['error_msg'])) {
- $return_var = v_exec('v-list-dns-domain', [$v_username, $v_domain], false);
+ exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ unset($output);
if ($return_var == 0) {
- v_exec('v-delete-dns-on-web-alias', [$v_username, $v_domain, $alias, 'no']);
+ exec (VESTA_CMD."v-delete-dns-on-web-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$restart_dns = 'yes';
}
}
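Review bot: `$alias` is interpolated into `v-delete-web-domain-alias` and `v-delete-dns-on-web-alias` with literal single quotes only (`'".$alias."'`); it comes from the submitted alias list (the loop header is outside this hunk), so it should go through `escapeshellarg($alias)` like the other form fields. The same applies to the add-alias hunk below, where `v-add-dns-on-web-alias` receives `$alias` with no quoting at all. The `$v_template = escapeshellarg($_POST['v_template']);` assignment in both hunks feeds no command here and replaces the display value with a quoted one; it looks like a leftover and can be dropped.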
@@ -170,12 +187,17 @@ if (!empty($_POST['save'])) {
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
$restart_web = 'yes';
$restart_proxy = 'yes';
- $v_template = $_POST['v_template'];
- v_exec('v-add-web-domain-alias', [$v_username, $v_domain, $alias, 'no']);
+ $v_template = escapeshellarg($_POST['v_template']);
+ exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
if (empty($_SESSION['error_msg'])) {
- $return_var = v_exec('v-list-dns-domain', [$v_username, $v_domain], false);
+ exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ unset($output);
if ($return_var == 0) {
- v_exec('v-add-dns-on-web-alias', [$v_username, $alias, $v_ip, 'no']);
+ exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".$alias." ".$v_ip." no", $output, $return_var);
+ check_return_code($return_var,$output);
+ unset($output);
$restart_dns = 'yes';
}
}
@@ -183,17 +205,19 @@ if (!empty($_POST['save'])) { } } - // Change backend template (admin only) - if ($_SESSION['user'] == 'admin') { - if ((!empty($_SESSION['WEB_BACKEND'])) && ($v_backend_template != $_POST['v_backend_template']) && (empty($_SESSION['error_msg']))) { + // Change backend template + if ((!empty($_SESSION['WEB_BACKEND'])) && ( $v_backend_template != $_POST['v_backend_template']) && ( $_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) { $v_backend_template = $_POST['v_backend_template']; - v_exec('v-change-web-domain-backend-tpl', [$v_username, $v_domain, $v_backend_template]); - } + exec (VESTA_CMD."v-change-web-domain-backend-tpl ".$v_username." ".$v_domain." ".escapeshellarg($v_backend_template), $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Delete proxy support if ((!empty($_SESSION['PROXY_SYSTEM'])) && (!empty($v_proxy)) && (empty($_POST['v_proxy'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-web-domain-proxy', [$v_username, $v_domain, 'no']); + exec (VESTA_CMD."v-delete-web-domain-proxy ".$v_username." ".$v_domain." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); unset($v_proxy); $restart_proxy = 'yes'; } 
@@ -205,11 +229,13 @@ if (!empty($_POST['save'])) { $ext = preg_replace('/\s+/', ' ',$ext); $ext = trim($ext); $ext = str_replace(' ', ", ", $ext); - if (($v_proxy_template != $_POST['v_proxy_template']) || ($v_proxy_ext != $ext)) { + if (( $v_proxy_template != $_POST['v_proxy_template']) || ($v_proxy_ext != $ext)) { $ext = str_replace(', ', ",", $ext); if (!empty($_POST['v_proxy_template'])) $v_proxy_template = $_POST['v_proxy_template']; - v_exec('v-change-web-domain-proxy-tpl', [$v_username, $v_domain, $v_proxy_template, $ext, 'no']); + exec (VESTA_CMD."v-change-web-domain-proxy-tpl ".$v_username." ".$v_domain." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var); + check_return_code($return_var,$output); $v_proxy_ext = str_replace(',', ', ', $ext); + unset($output); $restart_proxy = 'yes'; } } @@ -225,13 +251,17 @@ if (!empty($_POST['save'])) { $ext = str_replace(' ', ",", $ext); $v_proxy_ext = str_replace(',', ', ', $ext); } - v_exec('v-add-web-domain-proxy', [$v_username, $v_domain, $v_proxy_template, $ext, 'no']); + exec (VESTA_CMD."v-add-web-domain-proxy ".$v_username." ".$v_domain." ".escapeshellarg($v_proxy_template)." ".escapeshellarg($ext)." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_proxy = 'yes'; } // Delete SSL certificate - if (($v_ssl == 'yes') && (empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) { - v_exec('v-delete-web-domain-ssl', [$v_username, $v_domain, 'no']); + if (( $v_ssl == 'yes' ) && (empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) { + exec (VESTA_CMD."v-delete-web-domain-ssl ".$v_username." ".$v_domain." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_ssl = 'no'; $restart_web = 'yes'; $restart_proxy = 'yes'; 
@@ -267,7 +297,9 @@ if (!empty($_POST['save'])) { fclose($fp); } - v_exec('v-change-web-domain-sslcert', [$user, $v_domain, $tmpdir, 'no']); + exec (VESTA_CMD."v-change-web-domain-sslcert ".$user." ".$v_domain." ".$tmpdir." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $restart_web = 'yes'; $restart_proxy = 'yes'; $v_ssl_crt = $_POST['v_ssl_crt']; @@ -296,6 +328,7 @@ if (!empty($_POST['save'])) { if ((!empty($_POST['v_ssl'])) && (empty($_POST['v_ssl_crt']))) $errors[] = 'ssl certificate'; if ((!empty($_POST['v_ssl'])) && (empty($_POST['v_ssl_key']))) $errors[] = 'ssl key'; if ((!empty($_POST['v_ssl'])) && (empty($_POST['v_ssl_home']))) $errors[] = 'ssl home'; + $v_ssl_home = escapeshellarg($_POST['v_ssl_home']); if (!empty($errors[0])) { foreach ($errors as $i => $error) { if ( $i == 0 ) { 
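Review bot: in the hunk at `@@ -296`, `$v_ssl_home = escapeshellarg($_POST['v_ssl_home']);` is assigned before the blank-field check, so on the error path `$v_ssl_home` is left holding the shell-quoted form rather than the submitted value; if the template re-renders it (not visible here) the user sees added quotes. Escaping belongs at the point of use, i.e. `escapeshellarg($_POST['v_ssl_home'])` inside the `exec` string in the following hunk, with `$v_ssl_home` kept as the raw posted value throughout.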
@@ -304,41 +337,41 @@ if (!empty($_POST['save'])) { $error_msg = $error_msg.", ".$error; } } - $_SESSION['error_msg'] = __('Field "%s" can not be blank.', $error_msg); + $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } else { - $v_ssl_home = $_POST['v_ssl_home']; - $v_ssl_crt = str_replace("\r\n", "\n", $_POST['v_ssl_crt']); - $v_ssl_key = str_replace("\r\n", "\n", $_POST['v_ssl_key']); - $v_ssl_ca = str_replace("\r\n", "\n", $_POST['v_ssl_ca']); - - exec('mktemp -d', $mktemp_output, $return_var); + exec ('mktemp -d', $mktemp_output, $return_var); $tmpdir = $mktemp_output[0]; // Certificate if (!empty($_POST['v_ssl_crt'])) { $fp = fopen($tmpdir."/".$_POST['v_domain'].".crt", 'w'); - fwrite($fp, $v_ssl_crt); + fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_crt'])); fclose($fp); } // Key if (!empty($_POST['v_ssl_key'])) { $fp = fopen($tmpdir."/".$_POST['v_domain'].".key", 'w'); - fwrite($fp, $v_ssl_key); + fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_key'])); fclose($fp); } // CA if (!empty($_POST['v_ssl_ca'])) { $fp = fopen($tmpdir."/".$_POST['v_domain'].".ca", 'w'); - fwrite($fp, $v_ssl_ca); + fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_ca'])); fclose($fp); } - - v_exec('v-add-web-domain-ssl', [$user, $v_domain, $tmpdir, $v_ssl_home, 'no']); + exec (VESTA_CMD."v-add-web-domain-ssl ".$user." ".$v_domain." ".$tmpdir." ".$v_ssl_home." 'no'", $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_ssl = 'yes'; $restart_web = 'yes'; $restart_proxy = 'yes'; + $v_ssl_crt = $_POST['v_ssl_crt']; + $v_ssl_key = $_POST['v_ssl_key']; + $v_ssl_ca = $_POST['v_ssl_ca']; + $v_ssl_home = $_POST['v_ssl_home']; // Cleanup certificate tempfiles if (!empty($_POST['v_ssl_crt'])) { 
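Review bot: the result of `exec ('mktemp -d', $mktemp_output, $return_var);` is never checked before `$tmpdir = $mktemp_output[0];`, so if mktemp fails `$tmpdir` is null, the certificate, key and CA are written to `/<domain>.crt`, `/<domain>.key` and `/<domain>.ca`, and an empty path is passed to `v-add-web-domain-ssl`. Add a guard such as `if ($return_var != 0 || empty($mktemp_output[0])) { $_SESSION['error_msg'] = __('Error code:',$return_var); }` right after the exec and make the file writes and the `v-add-web-domain-ssl` call conditional on `empty($_SESSION['error_msg'])`. The file names also embed `$_POST['v_domain']` directly; that line is unchanged by this commit but a domain containing `/` or `..` would escape `$tmpdir`.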
@@ -358,36 +391,47 @@ if (!empty($_POST['save'])) { } // Change document root for ssl domain - if (($v_ssl == 'yes') && (!empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) { - if ($v_ssl_home != $_POST['v_ssl_home']) { + if (( $v_ssl == 'yes') && (!empty($_POST['v_ssl'])) && (empty($_SESSION['error_msg']))) { + if ( $v_ssl_home != $_POST['v_ssl_home'] ) { + $v_ssl_home = escapeshellarg($_POST['v_ssl_home']); + exec (VESTA_CMD."v-change-web-domain-sslhome ".$user." ".$v_domain." ".$v_ssl_home." 'no'", $output, $return_var); + check_return_code($return_var,$output); $v_ssl_home = $_POST['v_ssl_home']; - v_exec('v-change-web-domain-sslhome', [$user, $v_domain, $v_ssl_home, 'no']); + unset($output); } } // Delete web stats if ((!empty($v_stats)) && ($_POST['v_stats'] == 'none') && (empty($_SESSION['error_msg']))) { + exec (VESTA_CMD."v-delete-web-domain-stats ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_stats = ''; - v_exec('v-delete-web-domain-stats', [$v_username, $v_domain]); } // Change web stats engine if ((!empty($v_stats)) && ($_POST['v_stats'] != $v_stats) && (empty($_SESSION['error_msg']))) { - $v_stats = $_POST['v_stats']; - v_exec('v-change-web-domain-stats', [$v_username, $v_domain, $v_stats]); + $v_stats = escapeshellarg($_POST['v_stats']); + exec (VESTA_CMD."v-change-web-domain-stats ".$v_username." ".$v_domain." ".$v_stats, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Add web stats if ((empty($v_stats)) && ($_POST['v_stats'] != 'none') && (empty($_SESSION['error_msg']))) { - $v_stats = $_POST['v_stats']; - v_exec('v-add-web-domain-stats', [$v_username, $v_domain, $v_stats]); + $v_stats = escapeshellarg($_POST['v_stats']); + exec (VESTA_CMD."v-add-web-domain-stats ".$v_username." ".$v_domain." 
".$v_stats, $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Delete web stats authorization if ((!empty($v_stats_user)) && (empty($_POST['v_stats_auth'])) && (empty($_SESSION['error_msg']))) { + exec (VESTA_CMD."v-delete-web-domain-stats-user ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $v_stats_user = ''; $v_stats_password = ''; - v_exec('v-delete-web-domain-stats-user', [$v_username, $v_domain]); } // Change web stats user or password @@ -403,14 +447,16 @@ if (!empty($_POST['save'])) { } $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } else { - $v_stats_user = $_POST['v_stats_user']; + $v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_password = tempnam("/tmp","vst"); $fp = fopen($v_stats_password, "w"); fwrite($fp, $_POST['v_stats_password']."\n"); fclose($fp); - v_exec('v-add-web-domain-stats-user', [$v_username, $v_domain, $v_stats_user, $v_stats_password]); + exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_stats_password); - $v_stats_password = $_POST['v_stats_password']; + $v_stats_password = escapeshellarg($_POST['v_stats_password']); } } 
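Review bot: in the change-stats and add-stats branches `$v_stats = escapeshellarg($_POST['v_stats']);` is left in place after the command runs, so `$v_stats` carries shell quotes into whatever follows, whereas the SSL-home branch in the same hunk restores the raw value with `$v_ssl_home = $_POST['v_ssl_home'];` immediately after its exec. Either add `$v_stats = $_POST['v_stats'];` after `check_return_code`, or escape inline: `exec (VESTA_CMD."v-change-web-domain-stats ".$v_username." ".$v_domain." ".escapeshellarg($_POST['v_stats']), $output, $return_var);`. The enclosing `if (!empty($_POST['save']))` block starts before this hunk.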
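Review bot: `$v_stats_password = escapeshellarg($_POST['v_stats_password']);` escapes a value that never reaches the command line — the password goes to `v-add-web-domain-stats-user` through the `tempnam` file written by `fwrite($fp, $_POST['v_stats_password']."\n");` — so its only effect is that `$v_stats_password` now holds literal quotes; restore `$v_stats_password = $_POST['v_stats_password'];`. `$v_stats_user` is similarly left in escaped form after the call. The `tempnam` path itself is generated by PHP and is safe to pass bare.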
@@ -428,14 +474,16 @@ if (!empty($_POST['save'])) { $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); } if (($v_stats_user != $_POST['v_stats_user']) || (!empty($_POST['v_stats_password'])) && (empty($_SESSION['error_msg']))) { - $v_stats_user = $_POST['v_stats_user']; + $v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_password = tempnam("/tmp","vst"); $fp = fopen($v_stats_password, "w"); fwrite($fp, $_POST['v_stats_password']."\n"); fclose($fp); - v_exec('v-add-web-domain-stats-user', [$v_username, $v_domain, $v_stats_user, $v_stats_password]); + exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var); + check_return_code($return_var,$output); + unset($output); unlink($v_stats_password); - $v_stats_password = $_POST['v_stats_password']; + $v_stats_password = escapeshellarg($_POST['v_stats_password']); } } @@ -465,13 +513,15 @@ if (!empty($_POST['save'])) { // Add ftp account $v_ftp_username = $v_ftp_user_data['v_ftp_user']; $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user']; - $v_ftp_path = trim($v_ftp_user_data['v_ftp_path']); + $v_ftp_user = escapeshellarg($v_ftp_username); + $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); if (empty($_SESSION['error_msg'])) { $v_ftp_password = tempnam("/tmp","vst"); $fp = fopen($v_ftp_password, "w"); fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n"); fclose($fp); - v_exec('v-add-web-domain-ftp', [$v_username, $v_domain, $v_ftp_username, $v_ftp_password, $v_ftp_path]); + exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); + check_return_code($return_var,$output); if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) { $to = $v_ftp_user_data['v_ftp_email']; $subject = __("FTP login credentials"); 
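Review bot: the guard above the new exec, `if (($v_stats_user != $_POST['v_stats_user']) || (!empty($_POST['v_stats_password'])) && (empty($_SESSION['error_msg'])))`, parses as `A || (B && C)` because `&&` binds tighter than `||`, so a changed username runs `v-add-web-domain-stats-user` even after the blank-field check just above set `$_SESSION['error_msg']`. The condition is unchanged by this commit but it now gates the new command; it should read `if ((($v_stats_user != $_POST['v_stats_user']) || (!empty($_POST['v_stats_password']))) && (empty($_SESSION['error_msg']))) {`. As in the preceding hunk, `escapeshellarg` on `$_POST['v_stats_password']` has no security effect because the password travels via the temp file, not the command line.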
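Review bot: `$v_ftp_user = escapeshellarg($v_ftp_username);` is computed but the command concatenates the raw `$v_ftp_username` (`." ".$v_ftp_username." ".$v_ftp_password`), so the escaping has no effect and `$v_ftp_user_data['v_ftp_user']`, which looks like form input, reaches the shell unquoted. Use the escaped copy: `exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password." ".$v_ftp_path, $output, $return_var);`. The loop over FTP users that contains this code starts before the hunk.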
@@ -481,14 +531,16 @@ if (!empty($_POST['save'])) { send_email($to, $subject, $mailtext, $from); unset($v_ftp_email); } + unset($output); unlink($v_ftp_password); - $v_ftp_password = $v_ftp_user_data['v_ftp_password']; + $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']); } if ($return_var == 0) { - $v_ftp_password = ''; + $v_ftp_password = ""; $v_ftp_user_data['is_new'] = 0; - } else { + } + else { $v_ftp_user_data['is_new'] = 1; } @@ -507,7 +559,10 @@ if (!empty($_POST['save'])) { // Delete FTP account if ($v_ftp_user_data['delete'] == 1) { $v_ftp_username = $user . '_' . $v_ftp_user_data['v_ftp_user']; - v_exec('v-delete-web-domain-ftp', [$v_username, $v_domain, $v_ftp_username]); + exec (VESTA_CMD."v-delete-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + continue; } @@ -526,9 +581,10 @@ if (!empty($_POST['save'])) { // Change FTP account path $v_ftp_username = $user . '_' . $v_ftp_user_data['v_ftp_user']; //preg_replace("/^".$user."_/", "", $v_ftp_user_data['v_ftp_user']); + $v_ftp_username = escapeshellarg($v_ftp_username); //if (!empty($v_ftp_user_data['v_ftp_path'])) { - $v_ftp_path = trim($v_ftp_user_data['v_ftp_path']); - v_exec('v-change-web-domain-ftp-path', [$v_username, $v_domain, $v_ftp_username, $v_ftp_path]); + $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); + exec (VESTA_CMD."v-change-web-domain-ftp-path ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var); //} // Change FTP account password 
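Review bot: in the delete branch `$v_ftp_username = $user . '_' . $v_ftp_user_data['v_ftp_user'];` is concatenated unescaped into `v-delete-web-domain-ftp`, while the change-path hunk directly below wraps the same value with `$v_ftp_username = escapeshellarg($v_ftp_username);` before use. Apply that line here too, before the exec. The added `continue;` skips the remaining per-user work for deleted accounts, which looks intended, but the loop header is outside the hunk.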
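Review bot: the `v-change-web-domain-ftp-path` exec has no `check_return_code` after it in this hunk and `$output` is not cleared; PHP's `exec()` appends to an existing `$output` array, so unless the lines between this hunk and the next unset it, the following command's error text is mixed with this one's and only the last `$return_var` is ever inspected. Add `check_return_code($return_var,$output); unset($output);` immediately after the exec, as the other branches in this file do.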
@@ -537,7 +593,7 @@ if (!empty($_POST['save'])) { $fp = fopen($v_ftp_password, "w"); fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n"); fclose($fp); - v_exec('v-change-web-domain-ftp-password', [$v_username, $v_domain, $v_ftp_username, $v_ftp_password]); + exec (VESTA_CMD."v-change-web-domain-ftp-password ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password, $output, $return_var); unlink($v_ftp_password); $to = $v_ftp_user_data['v_ftp_email']; @@ -548,6 +604,8 @@ if (!empty($_POST['save'])) { send_email($to, $subject, $mailtext, $from); unset($v_ftp_email); } + check_return_code($return_var, $output); + unset($output); $v_ftp_users_updated[] = array( 'is_new' => 0, @@ -563,17 +621,23 @@ if (!empty($_POST['save'])) { // Restart web server if (!empty($restart_web) && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-web'); + exec (VESTA_CMD."v-restart-web", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Restart proxy server if ((!empty($_SESSION['PROXY_SYSTEM'])) && !empty($restart_proxy) && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-proxy'); + exec (VESTA_CMD."v-restart-proxy", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Restart dns server if (!empty($restart_dns) && (empty($_SESSION['error_msg']))) { - v_exec('v-restart-dns'); + exec (VESTA_CMD."v-restart-dns", $output, $return_var); + check_return_code($return_var,$output); + unset($output); } // Set success message diff --git a/web/file_manager/fm_api.php b/web/file_manager/fm_api.php index 8d7837ffb..f4629794f 100644 --- a/web/file_manager/fm_api.php +++ b/web/file_manager/fm_api.php 
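Review bot: in the hunk at `@@ -548`, `check_return_code($return_var, $output);` is placed after `send_email($to, $subject, $mailtext, $from);`, so the FTP credentials email goes out before the result of `v-change-web-domain-ftp-password` is inspected and a failed change still notifies the user of a password that was never set. Move the check and `unset($output)` to directly after the `exec (...)` / `unlink($v_ftp_password)` pair in the preceding hunk, and gate the email on `empty($_SESSION['error_msg'])`, as the add-account branch earlier in the file already does.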
@@ -10,12 +10,13 @@ include($_SERVER['DOCUMENT_ROOT']."/file_manager/fm_core.php"); // todo: set in session? if (empty($panel)) { - $return_var = v_exec('v-list-user', [$user, 'json'], false, $output); - if ($return_var > 0) { + $command = VESTA_CMD."v-list-user '".$user."' 'json'"; + exec ($command, $output, $return_var); + if ( $return_var > 0 ) { header("Location: /error/"); exit; } - $panel = json_decode($output, true); + $panel = json_decode(implode('', $output), true); } $fm = new FileManager($user); @@ -30,23 +31,27 @@ switch ($_REQUEST['action']) { break; case 'check_file_type': $dir = $_REQUEST['dir']; + print json_encode($fm->checkFileType($dir)); break; case 'rename_file': $dir = $_REQUEST['dir']; $item = $_REQUEST['item']; $target_name = $_REQUEST['target_name']; + print json_encode($fm->renameFile($dir, $item, $target_name)); break; case 'rename_directory': $dir = $_REQUEST['dir']; $item = $_REQUEST['item']; $target_name = $_REQUEST['target_name']; + print json_encode($fm->renameDirectory($dir, $item, $target_name)); break; case 'delete_files': $dir = $_REQUEST['dir']; $item = $_REQUEST['item']; + print json_encode($fm->deleteItem($dir, $item)); break; case 'create_file': @@ -59,6 +64,7 @@ switch ($_REQUEST['action']) { $dirname = $_REQUEST['dirname']; print json_encode($fm->createDir($dir, $dirname)); break; + case 'open_file': $dir = $_REQUEST['dir']; print json_encode($fm->open_file($dir)); diff --git a/web/file_manager/fm_core.php b/web/file_manager/fm_core.php index fc0660d27..724368989 100644 --- a/web/file_manager/fm_core.php +++ b/web/file_manager/fm_core.php @@ -1,9 +1,7 @@ 0, 
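Review bot: `$command = VESTA_CMD."v-list-user '".$user."' 'json'";` relies on hand-written single quotes around `$user`; a quote in the value breaks out of them, and the same construction is repeated in `top_panel()` in `web/inc/main.php` within this patch. `$user` is presumably the authenticated session user, which limits exposure, but `escapeshellarg` is the right primitive: `exec (VESTA_CMD."v-list-user ".escapeshellarg($user)." json", $output, $return_var);`.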
@@ -15,45 +13,26 @@ class FileManager { 'SIZE' => 6, 'NAME' => 7 ); - + protected $user = null; public $ROOT_DIR = null; - - - static function v_exec($command, array $arguments=[], $checkReturn=true, &$output=null) { - $output = ''; - $return_var = v_exec($command, $arguments, false, $output); - return $checkReturn ? self::check_return_code($return_var, explode("\n", $output)) : null; - } - - static function check_return_code($return_var, $output) { - if ($return_var != 0) { - $error = implode('
', $output); - return $error; - //if (empty($error)) $error = __('Error code:',$return_var); - //$_SESSION['error_msg'] = $error; - } - - return null; - } - - + public function setRootDir($root = null) { if (null != $root) { - $root = realpath($root); + $root = realpath($root); } $this->ROOT_DIR = $root; } - + public function __construct($user) { $this->user = $user; } - + /*public function init() { $path = !empty($_REQUEST['dir']) ? $_REQUEST['dir'] : ''; $start_url = !empty($path) ? $this->ROOT_DIR . '/' . $path : $this->ROOT_DIR; $listing = $this->getDirectoryListing($path); - + return $data = array( 'result' => true, 'ROOT_DIR' => $this->ROOT_DIR, 
@@ -62,52 +41,55 @@ class FileManager { 'listing' => $listing ); }*/ - + public function checkFileType($dir) { $dir = $this->formatFullPath($dir); - - $error = self::v_exec('v-get-fs-file-type', [$this->user, $dir]); - + exec(VESTA_CMD . "v-get-fs-file-type {$this->user} {$dir}", $output, $return_var); + $error = self::check_return_code($return_var, $output); if (empty($error)) { return array( 'result' => true, 'data' => implode('', $output) ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + public function formatFullPath($path_part = '') { if (substr($path_part, 0, strlen($this->ROOT_DIR)) === $this->ROOT_DIR) { $path = $path_part; - } else { + } + else { $path = $this->ROOT_DIR . '/' . $path_part; } //var_dump($path);die(); //$path = str_replace(' ', '\ ', $path); - return $path; + return escapeshellarg($path); } - + function deleteItem($dir, $item) { $dir = $this->formatFullPath($item); + exec (VESTA_CMD . "v-delete-fs-directory {$this->user} {$dir}", $output, $return_var); - $error = self::v_exec('v-delete-fs-directory', [$this->user, $dir]); - + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } - + /*if (is_readable($item)) { unlink($item); } 
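Review bot: `formatFullPath()` now returns `escapeshellarg($path)`, so its result is a shell token rather than a path, while the method name and the `$this->ROOT_DIR` prefix check suggest callers get a filesystem path; the prefix comparison `substr($path_part, 0, strlen($this->ROOT_DIR)) === $this->ROOT_DIR` is made on the raw input and accepts `..` segments after the prefix, so containment rests on the `v-*-fs-*` scripts. `{$this->user}` is interpolated bare into every command in the class; it is set from the constructor argument outside this hunk and, since the visible code only ever uses it in commands, could be escaped once with `$this->user = escapeshellarg($user);` in the constructor, or per call. Keeping `formatFullPath()` path-valued and escaping at the `exec` sites would make both contracts explicit.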
@@ -121,76 +103,100 @@ class FileManager { 'result' => true );*/ } - + function copyFile($item, $dir, $target_dir, $filename) { $src = $this->formatFullPath($item); $dst = $this->formatFullPath($target_dir); + + exec (VESTA_CMD . "v-copy-fs-file {$this->user} {$src} {$dst}", $output, $return_var); - $error = self::v_exec('v-copy-fs-file', [$this->user, $src, $dst]); - + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - - + + function copyDirectory($item, $dir, $target_dir, $filename) { $src = $this->formatFullPath($item); $dst = $this->formatFullPath($target_dir); + + exec (VESTA_CMD . "v-copy-fs-directory {$this->user} {$src} {$dst}", $output, $return_var); - $error = self::v_exec('v-copy-fs-directory', [$this->user, $src, $dst]); + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + + static function check_return_code($return_var, $output) { + if ($return_var != 0) { + $error = implode('
', $output); + return $error; + //if (empty($error)) $error = __('Error code:',$return_var); + //$_SESSION['error_msg'] = $error; + } + + return null; + } + function createFile($dir, $filename) { $dir = $this->formatFullPath($dir . '/' . $filename); - $error = self::v_exec('v-add-fs-file', [$this->user, $dir]); + exec (VESTA_CMD . "v-add-fs-file {$this->user} {$dir}", $output, $return_var); + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + function packItem($item, $dir, $target_dir, $filename) { $item = $this->formatFullPath($item); $dst_item = $this->formatFullPath($target_dir); + $dst_item = str_replace('.tar.gz', '', $dst_item); - + //$item = str_replace($dir . '/', '', $item); //var_dump(VESTA_CMD . "v-add-fs-archive {$this->user} {$dst_item} {$item}");die(); + exec (VESTA_CMD . "v-add-fs-archive {$this->user} {$dst_item} {$item}", $output, $return_var); - $error = self::v_exec('v-add-fs-archive', [$this->user, $dst_item, $item]); - + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error 
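Review bot: in `packItem()`, `$dst_item = str_replace('.tar.gz', '', $dst_item);` runs on a value that `formatFullPath()` has already wrapped in shell quotes and removes every occurrence of `.tar.gz`, not only a trailing extension, so a path component such as `site.tar.gz.old` is silently mangled. Strip the suffix on the raw name before escaping: `$dst_item = $this->formatFullPath(preg_replace('/\.tar\.gz$/', '', $target_dir));`. The re-added `check_return_code()` returns the joined command output as `message`, which `fm_api.php` json-encodes straight to the client; it is worth confirming the `v-*-fs-*` scripts print nothing sensitive on failure.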
@@ -199,58 +205,83 @@ class FileManager { } function backupItem($item) { + $src_item = $this->formatFullPath($item); + $dst_item_name = $item . '~' . date('Ymd_His'); + $dst_item = $this->formatFullPath($dst_item_name); //print VESTA_CMD . "v-add-fs-archive {$this->user} {$item} {$dst_item}";die(); + exec (VESTA_CMD . "v-copy-fs-file {$this->user} {$src_item} {$dst_item}", $output, $return_var); - $error = self::v_exec('v-copy-fs-file', [$this->user, $src_item, $dst_item]); - + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true, 'filename' => $dst_item_name ); - } else { + } + else { + return array( + 'result' => false, + 'message' => $error + ); + } + + $error = self::check_return_code($return_var, $output); + + if (empty($error)) { + return array( + 'result' => true + ); + } + else { return array( 'result' => false, 'message' => $error ); } } - + function unpackItem($item, $dir, $target_dir, $filename) { $item = $this->formatFullPath($item); $dst_item = $this->formatFullPath($target_dir); - $error = self::v_exec('v-extract-fs-archive', [$this->user, $item, $dst_item]); + exec (VESTA_CMD . "v-extract-fs-archive {$this->user} {$item} {$dst_item}", $output, $return_var); + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + function renameFile($dir, $item, $target_name) { $item = $this->formatFullPath($dir . '/' . $item); $dst_item = $this->formatFullPath($dir . '/' . $target_name); + +// var_dump(VESTA_CMD . "v-move-fs-file {$this->user} {$item} {$dst_item}");die(); -//var_dump(VESTA_CMD . "v-move-fs-file {$this->user} {$item} {$dst_item}");die(); - - $error = self::v_exec('v-move-fs-file', [$this->user, $item, $dst_item]); + exec (VESTA_CMD . 
"v-move-fs-file {$this->user} {$item} {$dst_item}", $output, $return_var); + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error @@ -267,43 +298,51 @@ class FileManager { ); } - $error = self::v_exec('v-move-fs-directory', [$this->user, $item, $dst_item]); + exec (VESTA_CMD . "v-move-fs-directory {$this->user} {$item} {$dst_item}", $output, $return_var); + + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + function createDir($dir, $dirname) { $dir = $this->formatFullPath($dir . '/' . $dirname); - $error = self::v_exec('v-add-fs-directory', [$this->user, $dir]); + exec (VESTA_CMD . "v-add-fs-directory {$this->user} {$dir}", $output, $return_var); + $error = self::check_return_code($return_var, $output); + if (empty($error)) { return array( 'result' => true ); - } else { + } + else { return array( 'result' => false, 'message' => $error ); } } - + function getDirectoryListing($dir = '') { $dir = $this->formatFullPath($dir); - self::v_exec('v-list-fs-directory', [$this->user, $dir], false, $output); - return $this->parseListing(explode("\n", $output)); - } + exec (VESTA_CMD . "v-list-fs-directory {$this->user} {$dir}", $output, $return_var); + return $this->parseListing($output); + } + public function ls($dir = '') { $listing = $this->getDirectoryListing($dir); @@ -312,7 +351,7 @@ class FileManager { 'listing' => $listing ); } - + public function open_file($dir = '') { $listing = $this->getDirectoryListing($dir); @@ -321,7 +360,7 @@ class FileManager { 'listing' => $listing ); } - + public function parseListing($raw) { $data = array(); foreach ($raw as $o) { @@ -337,7 +376,7 @@ class FileManager { 'name' => $info[$this->info_positions['NAME']] ); } - + return $data; } 
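Review bot: in `backupItem()` everything after the first `if (empty($error)) { ... } else { ... }` is unreachable — both branches `return`, so the second `$error = self::check_return_code($return_var, $output);` and its `if/else` can never execute and should be removed. Returning `$dst_item_name` raw is correct, since it is displayed rather than passed to the shell.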
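Review bot: `getDirectoryListing()` ignores `$return_var` after `exec (VESTA_CMD . "v-list-fs-directory {$this->user} {$dir}", $output, $return_var);` and feeds whatever was printed to `parseListing()`, so a failing command (bad path, permission denied) shows up as an empty or partial listing and no error reaches `ls()` or `open_file()`. Every other method in the class routes `$return_var` through `self::check_return_code()`; at minimum add `if ($return_var != 0) return array();` before the `parseListing` call, or better, propagate the message to the callers.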
diff --git a/web/generate/ssl/index.php b/web/generate/ssl/index.php index 3439f71f4..5ccc2f295 100644 --- a/web/generate/ssl/index.php +++ b/web/generate/ssl/index.php @@ -31,7 +31,7 @@ $_SESSION['back'] = ''; if (!isset($_POST['generate'])) { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/generate_ssl.html'); include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html'); - exit; + exit(); } // Check input @@ -41,7 +41,6 @@ if (empty($_POST['v_state'])) $errors[] = __('domain'); if (empty($_POST['v_locality'])) $errors[] = __('city'); if (empty($_POST['v_org'])) $errors[] = __('organization'); if (empty($_POST['v_email'])) $errors[] = __('email'); - $v_domain = $_POST['v_domain']; $v_email = $_POST['v_email']; $v_country = $_POST['v_country']; @@ -62,24 +61,44 @@ if (!empty($errors[0])) { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/generate_ssl.html'); include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html'); unset($_SESSION['error_msg']); - exit; + exit(); } -$return_var = v_exec('v-generate-ssl-cert', [$v_domain, $v_email, $v_country, $v_state, $v_locality, $v_org, 'IT', 'json'], true, $output); +// Protect input +$v_domain = escapeshellarg($_POST['v_domain']); +$v_email = escapeshellarg($_POST['v_email']); +$v_country = escapeshellarg($_POST['v_country']); +$v_state = escapeshellarg($_POST['v_state']); +$v_locality = escapeshellarg($_POST['v_locality']); +$v_org = escapeshellarg($_POST['v_org']); + +exec (VESTA_CMD."v-generate-ssl-cert ".$v_domain." ".$v_email." ".$v_country." ".$v_state." ".$v_locality." ".$v_org." IT json", $output, $return_var); + +// Revert to raw values +$v_domain = $_POST['v_domain']; +$v_email = $_POST['v_email']; +$v_country = $_POST['v_country']; +$v_state = $_POST['v_state']; +$v_locality = $_POST['v_locality']; +$v_org = $_POST['v_org']; // Check return code if ($return_var != 0) { + $error = implode('
', $output); + if (empty($error)) $error = __('Error code:',$return_var); + $_SESSION['error_msg'] = $error; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/generate_ssl.html'); include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html'); unset($_SESSION['error_msg']); - exit; + exit(); } // OK message $_SESSION['ok_msg'] = __('SSL_GENERATED_OK'); // Parse output -$data = json_decode($output, true); +$data = json_decode(implode('', $output), true); +unset($output); $v_crt = $data[$v_domain]['CRT']; $v_key = $data[$v_domain]['KEY']; $v_csr = $data[$v_domain]['CSR']; diff --git a/web/inc/exec.php b/web/inc/exec.php deleted file mode 100644 index 0c2d9618a..000000000 --- a/web/inc/exec.php +++ /dev/null @@ -1,85 +0,0 @@ - 0) { - header('Location: /error/'); - exit; - } -} - -function check_return_code($return_var, $output) { - if ($return_var != 0) { - $error = implode('
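Review bot: the six `escapeshellarg` assignments followed by a "Revert to raw values" block that re-reads `$_POST` is a fragile pattern — it is exactly what leaves `$v_stats` quoted in `web/edit/web/index.php` elsewhere in this patch; escaping inline at the call keeps the variables raw throughout, e.g. `exec (VESTA_CMD."v-generate-ssl-cert ".escapeshellarg($v_domain)." ".escapeshellarg($v_email)." ".escapeshellarg($v_country)." ".escapeshellarg($v_state)." ".escapeshellarg($v_locality)." ".escapeshellarg($v_org)." IT json", $output, $return_var);`. The failure path stores the joined command output in `$_SESSION['error_msg']`, so raw script output is shown to the user; confirm the template HTML-escapes it.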
', $output); - if (empty($error)) $error = __('Error code:', $return_var); - $_SESSION['error_msg'] = $error; - } -} - -/** - * Build shell command arguments from a string array. - * @param string[] $arguments Unescaped command line arguments. (eg. ['-a', "b'c"], default: []) - * @return string Escaped arguments. - */ -function build_shell_args($arguments=[]) { - $ret = []; - // Convert $arguments to an array - if (!is_array($arguments)) $arguments = !is_null($arguments) ? [$arguments] : []; - foreach ($arguments as $arg) { - // Convert $arg to a string if $arg is an array (for an argument like this: ?abc[def]=ghi) - if (is_array($arg)) $arg = implode('', $arg); - // Convert $arg to a string (just in case) - if (!is_string($arg)) $arg = (string)$arg; - // Append the argument - $ret[] = escapeshellarg($arg); - } - return implode(' ', $ret); -} - -/** - * Execute a command. - * @param string $command Command to execute. (eg. ls) - * @param string[] $arguments (optional) Unescaped command line arguments. (eg. ['-a', '/'], default: []) - * @param string &$output (optional) Variable to contain output from the command. - * @return int Exit code (return status) of the executed command. - */ -function safe_exec($command, $arguments=[], &$output=null) { - $cmd = build_shell_args($command); - $arg = build_shell_args($arguments); - if (!empty($arg)) { - $cmd .= ' ' . $arg; - } - // Execute - exec($cmd, $rawOutput, $status); - $output = implode("\n", $rawOutput); - return $status; -} - -/** - * Execute a vesta command line APIs (VESTA_CMD/v-*). - * (Wrapper function of `safe_exec`.) - * @see safe_exec - * @param string $command Command to execute. (eg. v-search-object) - * @param string[] $arguments (optional) Unescaped command line arguments. (eg. ["We've", 'json'], default: []) - * @param bool $checkReturn (optional) If this set to true, check_return_code will be called after the command executes. 
(default: true) - * @param string &$output (optional) Variable to contain output from the command. - * @return int Exit code (return status) of the executed command. - */ -function v_exec($command, $arguments=[], $checkReturn=true, &$output=null) { - // Check command - if (preg_match('#^\.*$|/#', $command)) return -1; - // Convert $arguments to an array - if (!is_array($arguments)) $arguments = !is_null($arguments) ? [$arguments] : []; - // Execute - $status = safe_exec([SUDO_CMD, VESTA_BIN_DIR.$command], $arguments, $output); - if ($checkReturn) { - check_return_code($status, explode("\n", $output)); - } - return $status; -} diff --git a/web/inc/i18n.php b/web/inc/i18n.php index 92c3b991d..1dab4cae4 100644 --- a/web/inc/i18n.php +++ b/web/inc/i18n.php @@ -1,8 +1,6 @@ 1) { + if (count($args)>1) { $args[0] = $text; - return call_user_func_array('sprintf', $args); + return call_user_func_array("sprintf",$args); } else { return $text; } @@ -44,8 +42,8 @@ function _translate() { */ function __() { $args = func_get_args(); - array_unshift($args, $_SESSION['language']); - return call_user_func_array('_translate', $args); + array_unshift($args,$_SESSION['language']); + return call_user_func_array("_translate",$args); } /** @@ -88,15 +86,16 @@ function detect_user_language($fallback='en') { arsort($accept_langs_sorted); // List languages - v_exec('v-list-sys-languages', ['json'], false, $output); - $languages = json_decode($output, true); + exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var); + $languages = json_decode(implode('', $output), true); + unset($output); // Find best matching language - foreach ($accept_langs_sorted as $req_lang => $dummy) { + foreach ($accept_langs_sorted as $user_lang => $dummy) { $decision = ''; foreach ($languages as $prov_lang) { if (strlen($decision) > strlen($prov_lang)) continue; - if (stripos($req_lang, $prov_lang) !== false) { + if (strpos($user_lang, $prov_lang) !== false) { $decision = $prov_lang; } } 
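Review bot: replacing `stripos` with `strpos` makes the Accept-Language match case-sensitive, so if any browser tag or provided code differs only in case (e.g. `pt-BR` against a lower-case list) it no longer matches; restore `if (stripos($user_lang, $prov_lang) !== false) {`. Also `$return_var` from `v-list-sys-languages` is unused and `json_decode` of empty output yields null, so `foreach ($languages as $prov_lang)` would warn; guard with `if (!is_array($languages)) return $fallback;` after the decode.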
@@ -110,4 +109,4 @@ function detect_user_language($fallback='en') { // Store result for reusing $user_lang = $fallback; return $user_lang; -} +} \ No newline at end of file diff --git a/web/inc/mail-wrapper.php b/web/inc/mail-wrapper.php index 1c47979cb..a8c48a09e 100755 --- a/web/inc/mail-wrapper.php +++ b/web/inc/mail-wrapper.php @@ -8,15 +8,14 @@ if (empty($argv[1])) { $options = getopt("s:f:"); -require_once(__DIR__.'/exec.php'); -define('NO_AUTH_REQUIRED', true); +define('NO_AUTH_REQUIRED',true); include("/usr/local/vesta/web/inc/main.php"); // Set system language -v_exec('v-list-sys-config', ['json'], false, $output); -$data = json_decode($output, true); -if (!empty($data['config']['LANGUAGE'])) { +exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var); +$data = json_decode(implode('', $output), true); +if (!empty( $data['config']['LANGUAGE'])) { $_SESSION['language'] = $data['config']['LANGUAGE']; } else { $_SESSION['language'] = 'en'; diff --git a/web/inc/main.php b/web/inc/main.php index 6bebfa644..b3453dce3 100644 --- a/web/inc/main.php +++ b/web/inc/main.php @@ -1,8 +1,7 @@ $favourite){ @@ -70,7 +71,7 @@ function get_favourites(){ $items = explode(',', $favourite); foreach($items as $item){ - if ($item) + if($item) $favourites[$key][trim($item)] = 1; } } @@ -78,15 +79,34 @@ function get_favourites(){ $_SESSION['favourites'] = $favourites; } -function top_panel($user, $TAB) { - global $panel; - $return_var = v_exec('v-list-user', [$user, 'json'], false, $output); - if ($return_var > 0) { - header('Location: /error/'); + + +function check_error($return_var) { + if ( $return_var > 0 ) { + header("Location: /error/"); exit; } - $panel = json_decode($output, true); - if ($user == 'admin') { +} + +function check_return_code($return_var,$output) { + if ($return_var != 0) { + $error = implode('
', $output); + if (empty($error)) $error = __('Error code:',$return_var); + $_SESSION['error_msg'] = $error; + } +} + +function top_panel($user, $TAB) { + global $panel; + $command = VESTA_CMD."v-list-user '".$user."' 'json'"; + exec ($command, $output, $return_var); + if ( $return_var > 0 ) { + header("Location: /error/"); + exit; + } + $panel = json_decode(implode('', $output), true); + unset($output); + if ( $user == 'admin' ) { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/panel.html'); } else { include($_SERVER['DOCUMENT_ROOT'].'/templates/user/panel.html'); diff --git a/web/list/backup/exclusions/index.php b/web/list/backup/exclusions/index.php index 919c03b1c..d03e98614 100644 --- a/web/list/backup/exclusions/index.php +++ b/web/list/backup/exclusions/index.php @@ -12,8 +12,9 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-user-backup-exclusions', [$user, 'json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-user-backup-exclusions $user json", $output, $return_var); +$data = json_decode(implode('', $output), true); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_backup_exclusions.html'); // Back uri diff --git a/web/list/backup/index.php b/web/list/backup/index.php index ccb7a947b..a79205724 100644 --- a/web/list/backup/index.php +++ b/web/list/backup/index.php 
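Review bot: `top_panel` builds `$command = VESTA_CMD."v-list-user '".$user."' 'json'"` by wrapping `$user` in bare single quotes instead of escaping it, so a user name (presumably taken from the session) containing a quote or other shell metacharacters is spliced into the command line; `$command = VESTA_CMD."v-list-user ".escapeshellarg($user)." json";` behaves the same for well-formed names. The same unescaped `$user` interpolation appears in the list pages that follow — backup/exclusions, backup, cron, db, directory, dns, favorites (`$_SESSION['user']`), log, mail, notifications, stats, user, web-log and web — and in schedule/restore, where every other argument already goes through `escapeshellarg`. `check_return_code` compares with `!= 0`; since `$return_var` from `exec` is always an int, `!== 0` is the stricter spelling.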
@@ -13,14 +13,16 @@ top_panel($user,$TAB); // Data if (empty($_GET['backup'])){ - v_exec('v-list-user-backups', [$user, 'json'], false, $output); - $data = json_decode($output, true); - $data = array_reverse($data, true); + exec (VESTA_CMD."v-list-user-backups $user json", $output, $return_var); + $data = json_decode(implode('', $output), true); + $data = array_reverse($data,true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_backup.html'); } else { - v_exec('v-list-user-backup', [$user, $_GET['backup'], 'json'], false, $output); - $data = json_decode($output, true); - $data = array_reverse($data, true); + exec (VESTA_CMD."v-list-user-backup $user '".escapeshellarg($_GET['backup'])."' json", $output, $return_var); + $data = json_decode(implode('', $output), true); + $data = array_reverse($data,true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_backup_detail.html'); } diff --git a/web/list/cron/index.php b/web/list/cron/index.php index 303154c02..19f66379c 100644 --- a/web/list/cron/index.php +++ b/web/list/cron/index.php @@ -13,9 +13,10 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-cron-jobs', [$user, 'json'], false, $output); -$data = json_decode($output, true); -$data = array_reverse($data, true); +exec (VESTA_CMD."v-list-cron-jobs $user json", $output, $return_var); +$data = json_decode(implode('', $output), true); +$data = array_reverse($data,true); +unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_cron.html'); diff --git a/web/list/db/index.php b/web/list/db/index.php index beb775811..4262b61fd 100644 --- a/web/list/db/index.php +++ b/web/list/db/index.php 
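Review bot: `escapeshellarg($_GET['backup'])` already returns a single-quoted token, so wrapping it in a second pair of quotes (`'".escapeshellarg(...)."'`) yields `''…''`, which the shell still parses as the intended word only because empty strings concatenate; drop the outer quotes: `exec (VESTA_CMD."v-list-user-backup $user ".escapeshellarg($_GET['backup'])." json", $output, $return_var);`. The same doubled quoting appears in the dns (`v-list-dns-records`) and mail (`v-list-mail-accounts`) hunks. `$return_var` is never consulted in either branch, so a failing command ends in `array_reverse(null, true)`.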
@@ -12,9 +12,10 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-databases', [$user, 'json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-databases $user json", $output, $return_var); +$data = json_decode(implode('', $output), true); $data = array_reverse($data, true); +unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_db.html'); diff --git a/web/list/directory/index.php b/web/list/directory/index.php index a50a90929..737e19db3 100644 --- a/web/list/directory/index.php +++ b/web/list/directory/index.php @@ -11,16 +11,17 @@ if ((!isset($_SESSION['FILEMANAGER_KEY'])) || (empty($_SESSION['FILEMANAGER_KEY' // Check login_as feature if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) { - $user = $_SESSION['look']; + $user=$_SESSION['look']; } if (empty($panel)) { - $return_var = v_exec('v-list-user', [$user, 'json'], false, $output); - if ($return_var > 0) { + $command = VESTA_CMD."v-list-user '".$user."' 'json'"; + exec ($command, $output, $return_var); + if ( $return_var > 0 ) { header("Location: /error/"); exit; } - $panel = json_decode($output, true); + $panel = json_decode(implode('', $output), true); } $path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : ''; diff --git a/web/list/dns/index.php b/web/list/dns/index.php index 4f4af1896..0b9951a7a 100644 --- a/web/list/dns/index.php +++ b/web/list/dns/index.php 
@@ -14,18 +14,20 @@ top_panel($user,$TAB); // Data if (empty($_GET['domain'])){ - v_exec('v-list-dns-domains', [$user, 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-dns-domains $user json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_dns.html'); } else { include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_dns.html'); } } else { - v_exec('v-list-dns-records', [$user, $_GET['domain'], 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-dns-records '".$user."' '".escapeshellarg($_GET['domain'])."' 'json'", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_dns_rec.html'); } else { diff --git a/web/list/favorites/index.php b/web/list/favorites/index.php index 04ef3e149..0ddc4c0b0 100644 --- a/web/list/favorites/index.php +++ b/web/list/favorites/index.php @@ -5,20 +5,20 @@ error_reporting(NULL); echo '
Favorites:
'; // Data - v_exec('v-list-user-favourites', [$_SESSION['user'], 'json'], false, $output); + exec (VESTA_CMD."v-list-user-favourites ".$_SESSION['user']." json", $output, $return_var); -// print_r($output); +// print_r(implode('', $output)); // $json = '{ "Favourites": { "USER": "", "WEB": "bulletfarm.com", "DNS": "", "MAIL": "", "DB": "", "CRON": "", "BACKUP": "", "IP": "", "PACKAGE": "", "FIREWALL": ""}}'; // $data = json_decode($json, true); - $data = json_decode($output.'}', true); - $data = array_reverse($data, true); + $data = json_decode(implode('', $output).'}', true); + $data = array_reverse($data,true); print_r($data); // $data = array_reverse($data,true); -// $data = json_decode($output, true); +// $data = json_decode(implode('', $output), true); ?> \ No newline at end of file diff --git a/web/list/firewall/banlist/index.php b/web/list/firewall/banlist/index.php index 55c743cb8..32393229c 100644 --- a/web/list/firewall/banlist/index.php +++ b/web/list/firewall/banlist/index.php @@ -19,9 +19,10 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-firewall-ban', ['json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-firewall-ban json", $output, $return_var); +$data = json_decode(implode('', $output), true); $data = array_reverse($data, true); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_firewall_banlist.html'); // Back uri diff --git a/web/list/firewall/index.php b/web/list/firewall/index.php index 7363eef85..62b8cbfdd 100644 --- a/web/list/firewall/index.php +++ b/web/list/firewall/index.php 
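Review bot: The page appends a literal `}` to the command output before decoding (`json_decode(implode('', $output).'}', true)`) and then dumps the result with `print_r($data)`, which reads as debugging scaffolding rather than a finished list page; if `v-list-user-favourites` emits valid JSON the extra brace makes `json_decode` return null and `array_reverse` then warns. Either decode the output as-is and render it through a template like the sibling list pages, or add a comment stating why the brace is required.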
@@ -19,9 +19,10 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-firewall', ['json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-firewall json", $output, $return_var); +$data = json_decode(implode('', $output), true); $data = array_reverse($data, true); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_firewall.html'); // Back uri diff --git a/web/list/ip/index.php b/web/list/ip/index.php index 1f019cc8b..510da61aa 100644 --- a/web/list/ip/index.php +++ b/web/list/ip/index.php @@ -13,9 +13,10 @@ top_panel($user,$TAB); // Data if ($_SESSION['user'] == 'admin') { - v_exec('v-list-sys-ips', ['json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-sys-ips json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_ip.html'); } diff --git a/web/list/log/index.php b/web/list/log/index.php index 916e74da0..c0e226e45 100644 --- a/web/list/log/index.php +++ b/web/list/log/index.php @@ -12,10 +12,11 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -$return_var = v_exec('v-list-user-log', [$user, 'json'], false, $output); +exec (VESTA_CMD."v-list-user-log $user json", $output, $return_var); check_error($return_var); -$data = json_decode($output, true); +$data = json_decode(implode('', $output), true); $data = array_reverse($data); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_log.html'); diff --git a/web/list/mail/index.php b/web/list/mail/index.php index 1b2748c06..6555ccbae 100644 --- a/web/list/mail/index.php +++ b/web/list/mail/index.php 
@@ -14,18 +14,20 @@ top_panel($user,$TAB); // Data if (empty($_GET['domain'])){ - v_exec('v-list-mail-domains', [$user, 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-mail-domains $user json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_mail.html'); } else { include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_mail.html'); } } else { - v_exec('v-list-mail-accounts', [$user, $_GET['domain'], 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-mail-accounts '".$user."' '".escapeshellarg($_GET['domain'])."' json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_mail_acc.html'); } else { diff --git a/web/list/notifications/index.php b/web/list/notifications/index.php index 870debd98..1b6a0d1c5 100644 --- a/web/list/notifications/index.php +++ b/web/list/notifications/index.php @@ -5,17 +5,17 @@ error_reporting(NULL); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); -if ($_REQUEST['ajax'] == 1) { +if($_REQUEST['ajax'] == 1){ // Data - v_exec('v-list-user-notifications', [$user, 'json'], false, $output); - $data = json_decode($output, true); - $data = array_reverse($data, true); - foreach ($data as $key => $note) { + exec (VESTA_CMD."v-list-user-notifications $user json", $output, $return_var); + $data = json_decode(implode('', $output), true); + $data = array_reverse($data,true); + foreach($data as $key => $note){ $note['ID'] = $key; $data[$key] = $note; } echo json_encode($data); - exit; + exit(); } 
@@ -28,9 +28,9 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-user-notifications', [$user, 'json'], false, $output); -$data = json_decode($output, true); -$data = array_reverse($data, true); +exec (VESTA_CMD."v-list-user-notifications $user json", $output, $return_var); +$data = json_decode(implode('', $output), true); +$data = array_reverse($data,true); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_notifications.html'); } else { diff --git a/web/list/package/index.php b/web/list/package/index.php index c2aa5dd25..61e44c179 100644 --- a/web/list/package/index.php +++ b/web/list/package/index.php @@ -18,8 +18,9 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-user-packages', ['json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD."v-list-user-packages json", $output, $return_var); +$data = json_decode(implode('', $output), true); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_packages.html'); // Back uri diff --git a/web/list/rrd/index.php b/web/list/rrd/index.php index 3ccb727a0..725a584e9 100644 --- a/web/list/rrd/index.php +++ b/web/list/rrd/index.php @@ -13,8 +13,9 @@ top_panel($user,$TAB); // Data if ($_SESSION['user'] == 'admin') { - v_exec('v-list-sys-rrd', ['json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-sys-rrd json", $output, $return_var); + $data = json_decode(implode('', $output), true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_rrd.html'); } diff --git a/web/list/server/index.php b/web/list/server/index.php index 1a0ef3c2f..7db575457 100644 --- a/web/list/server/index.php +++ b/web/list/server/index.php 
@@ -15,50 +15,60 @@ if ($_SESSION['user'] != 'admin') { if (isset($_GET['cpu'])) { $TAB = 'CPU'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - v_exec('v-list-sys-cpu-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-cpu-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } // Memory info if (isset($_GET['mem'])) { $TAB = 'MEMORY'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - v_exec('v-list-sys-memory-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-memory-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } // Disk info if (isset($_GET['disk'])) { $TAB = 'MEMORY'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - v_exec('v-list-sys-disk-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-disk-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } // Network info if (isset($_GET['net'])) { $TAB = 'MEMORY'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - v_exec('v-list-sys-network-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-network-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } // Web info if (isset($_GET['web'])) { $TAB = 'WEB'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - v_exec('v-list-sys-web-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-web-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } 
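Review bot: The cpu, mem, disk, net and web branches print `$output` without looking at `$return_var`, while the mail and db branches in the next hunk guard the echo with `if ($return_var == 0 )`; a failed status command therefore prints whatever partial output it produced. Making the five branches match — `if ($return_var == 0) { foreach ($output as $line) { echo $line . "\n"; } }` — keeps the page consistent. Naming the loop variable `$line` rather than `$file` would also describe what is actually iterated.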
@@ -66,34 +76,40 @@ if (isset($_GET['web'])) { if (isset($_GET['dns'])) { $TAB = 'DNS'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - $return_var = v_exec('v-list-sys-dns-status', [], false, $output); - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-dns-status', $output, $return_var); + foreach($output as $file) { + echo $file . "\n"; + } echo " \n\n\n"; - exit; + exit(); } // Mail info if (isset($_GET['mail'])) { $TAB = 'MAIL'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - $return_var = v_exec('v-list-sys-mail-status', [], false, $output); - if ($return_var == 0) { - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-mail-status', $output, $return_var); + if ($return_var == 0 ) { + foreach($output as $file) { + echo $file . "\n"; + } } echo " \n\n\n"; - exit; + exit(); } // DB info if (isset($_GET['db'])) { $TAB = 'DB'; include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_server_info.html'); - $return_var = v_exec('v-list-sys-db-status', [], false, $output); - if ($return_var == 0) { - echo $output . "\n"; + exec (VESTA_CMD.'v-list-sys-db-status', $output, $return_var); + if ($return_var == 0 ) { + foreach($output as $file) { + echo $file . "\n"; + } } echo " \n\n\n"; - exit; + exit(); } @@ -104,12 +120,12 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-sys-info', ['json'], false, $output); -$sys = json_decode($output, true); - -v_exec('v-list-sys-services', ['json'], false, $output); -$data = json_decode($output, true); - +exec (VESTA_CMD."v-list-sys-info json", $output, $return_var); +$sys = json_decode(implode('', $output), true); +unset($output); +exec (VESTA_CMD."v-list-sys-services json", $output, $return_var); +$data = json_decode(implode('', $output), true); +unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_services.html'); // Back uri 
diff --git a/web/list/stats/index.php b/web/list/stats/index.php index 86aebe5eb..ac97d4f22 100644 --- a/web/list/stats/index.php +++ b/web/list/stats/index.php @@ -14,24 +14,28 @@ top_panel($user,$TAB); // Data if ($user == 'admin') { if (empty($_GET['user'])) { - v_exec('v-list-users-stats', ['json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-users-stats json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); } else { - $v_user = $_GET['user']; - v_exec('v-list-user-stats', [$v_user, 'json'], false, $output); - $data = json_decode($output, true); + $v_user = escapeshellarg($_GET['user']); + exec (VESTA_CMD."v-list-user-stats $v_user json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); } - v_exec('v-list-sys-users', ['json'], false, $output); - $users = json_decode($output, true); + exec (VESTA_CMD."v-list-sys-users 'json'", $output, $return_var); + $users = json_decode(implode('', $output), true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_stats.html'); } else { - v_exec('v-list-user-stats', [$user, 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD."v-list-user-stats $user json", $output, $return_var); + $data = json_decode(implode('', $output), true); $data = array_reverse($data, true); + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_stats.html'); } diff --git a/web/list/updates/index.php b/web/list/updates/index.php index be09791fb..f2c553087 100644 --- a/web/list/updates/index.php +++ b/web/list/updates/index.php 
@@ -13,11 +13,12 @@ top_panel($user,$TAB); // Data if ($_SESSION['user'] == 'admin') { - v_exec('v-list-sys-vesta-updates', ['json'], false, $output); - $data = json_decode($output, true); - - v_exec('v-list-sys-vesta-autoupdate', ['plain'], false, $output); - $autoupdate = strtok($output, "\n"); + exec (VESTA_CMD."v-list-sys-vesta-updates json", $output, $return_var); + $data = json_decode(implode('', $output), true); + unset($output); + exec (VESTA_CMD."v-list-sys-vesta-autoupdate plain", $output, $return_var); + $autoupdate = $output['0']; + unset($output); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_updates.html'); } diff --git a/web/list/user/index.php b/web/list/user/index.php index 9313fbee0..129a78c4a 100644 --- a/web/list/user/index.php +++ b/web/list/user/index.php @@ -15,17 +15,17 @@ top_panel($user,$TAB); // Data if ($_SESSION['user'] == 'admin') { if ($user == 'admin') { - v_exec('v-list-users', ['json'], false, $output); + exec (VESTA_CMD . "v-list-users json", $output, $return_var); } else { - v_exec('v-list-user', [$user, 'json'], false, $output); + exec (VESTA_CMD . "v-list-user ".$user." json", $output, $return_var); } - $data = json_decode($output, true); - $data = array_reverse($data, true); + $data = json_decode(implode('', $output), true); + $data = array_reverse($data,true); display_error_block(); include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_user.html'); } else { - v_exec('v-list-user', [$user, 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD . "v-list-user ".$user." json", $output, $return_var); + $data = json_decode(implode('', $output), true); display_error_block(); include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_user.html'); } diff --git a/web/list/web-log/index.php b/web/list/web-log/index.php index 025f783c7..9859cedac 100644 --- a/web/list/web-log/index.php +++ b/web/list/web-log/index.php 
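Review bot: `$autoupdate = $output['0'];` raises an undefined-index notice when `v-list-sys-vesta-autoupdate plain` produces no output, where the previous `strtok` form returned false; `$autoupdate = isset($output[0]) ? $output[0] : '';` keeps the template input defined. Using the integer key `0` rather than the string `'0'` is the conventional spelling, even though PHP normalises the two.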
@@ -7,14 +7,15 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Header include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_weblog.html'); -$v_domain = $_GET['domain']; +$v_domain = escapeshellarg($_GET['domain']); if ($_GET['type'] == 'access') $type = 'access'; if ($_GET['type'] == 'error') $type = 'error'; -$return_var = v_exec("v-list-web-domain-{$type}log", [$user, $v_domain], false, $output); +exec (VESTA_CMD."v-list-web-domain-".$type."log $user ".$v_domain, $output, $return_var); -if ($return_var == 0) { - print $output . "\n"; +if ($return_var == 0 ) { + foreach($output as $file) { + echo $file . "\n"; + } } - echo " \n\n\n"; \ No newline at end of file diff --git a/web/list/web/index.php b/web/list/web/index.php index 6d140ad5b..52b0c78e4 100644 --- a/web/list/web/index.php +++ b/web/list/web/index.php @@ -12,9 +12,9 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html'); top_panel($user,$TAB); // Data -v_exec('v-list-web-domains', [$user, 'json'], false, $output); -$data = json_decode($output, true); -$data = array_reverse($data, true); +exec (VESTA_CMD."v-list-web-domains $user json", $output, $return_var); +$data = json_decode(implode('', $output), true); +$data = array_reverse($data,true); if ($_SESSION['user'] == 'admin') { include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_web.html'); } else { diff --git a/web/login/index.php b/web/login/index.php index 97fa7ef1c..f084ae174 100644 --- a/web/login/index.php +++ b/web/login/index.php 
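Review bot: `$type` is only assigned when `$_GET['type']` is exactly `access` or `error`; for any other value the command becomes `v-list-web-domain-log`, with a notice for the undefined variable, and the request still reaches the exec call. Fixing the command name up front, e.g. `$type = ($_GET['type'] == 'error') ? 'error' : 'access';` (or exiting when neither matches), removes that path. `$v_domain` is escaped but `$user` is still interpolated raw on the same command line.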
@@ -21,9 +21,9 @@ if (isset($_GET['logout'])) { // Login as someone else if (isset($_SESSION['user'])) { if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) { - $return_var = v_exec('v-list-user', [$_GET['loginas'], 'json'], false, $output); - if ($return_var == 0) { - $data = json_decode($output, true); + exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var); + if ( $return_var == 0 ) { + $data = json_decode(implode('', $output), true); reset($data); $_SESSION['look'] = key($data); $_SESSION['look_alert'] = 'yes'; @@ -35,7 +35,7 @@ if (isset($_SESSION['user'])) { // Basic auth if (isset($_POST['user']) && isset($_POST['password'])) { - $v_user = $_POST['user']; + $v_user = escapeshellarg($_POST['user']); // Send password via tmp file $v_password = exec('mktemp -p /tmp'); @@ -44,21 +44,24 @@ if (isset($_POST['user']) && isset($_POST['password'])) { fclose($fp); // Check user & password - $return_var = v_exec('v-check-user-password', [$v_user, $v_password, $_SERVER['REMOTE_ADDR']]); + exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $return_var); + unset($output); // Remove tmp file unlink($v_password); // Check API answer - if ($return_var > 0) { + if ( $return_var > 0 ) { $ERROR = "".__('Invalid username or password').""; + } else { + // Make root admin user if ($_POST['user'] == 'root') $v_user = 'admin'; // Get user speciefic parameters - v_exec('v-list-user', [$v_user, 'json'], false, $output); - $data = json_decode($output, true); + exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var); + $data = json_decode(implode('', $output), true); // Define session user $_SESSION['user'] = key($data); 
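Review bot: After `v-check-user-password` succeeds, the exit status of the follow-up `v-list-user` call is not checked before `key($data)`, so a decode failure silently stores null in `$_SESSION['user']` instead of reporting an error; guard it with `if ($return_var != 0 || !is_array($data)) { /* set $ERROR as the branch above does */ }`. The tmp-file path from `mktemp` is inserted unquoted, which works for the fixed `/tmp` prefix but would break if the template ever contained spaces. The rest of this block continues in the next hunk.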
@@ -72,7 +75,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) { // Redirect request to control panel interface if (!empty($_SESSION['request_uri'])) { - header('Location: '.$_SESSION['request_uri']); + header("Location: ".$_SESSION['request_uri']); unset($_SESSION['request_uri']); exit; } else { @@ -83,8 +86,8 @@ if (isset($_POST['user']) && isset($_POST['password'])) { } // Check system configuration -v_exec('v-list-sys-config', ['json'], false, $output); -$data = json_decode($output, true); +exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var); +$data = json_decode(implode('', $output), true); $sys_arr = $data['config']; foreach ($sys_arr as $key => $value) { $_SESSION[$key] = $value; diff --git a/web/reset/index.php b/web/reset/index.php index 96e9c0ff1..abde3c145 100644 --- a/web/reset/index.php +++ b/web/reset/index.php 
@@ -11,25 +11,28 @@ if (isset($_SESSION['user'])) { include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ((!empty($_POST['user'])) && (empty($_POST['code']))) { + $v_user = escapeshellarg($_POST['user']); $user = $_POST['user']; - $return_var = v_exec('v-list-user', [$user, 'json'], false, $output); - if ($return_var == 0) { - $data = json_decode($output, true); + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user"; + exec ($cmd." ".$v_user." json", $output, $return_var); + if ( $return_var == 0 ) { + $data = json_decode(implode('', $output), true); $rkey = $data[$user]['RKEY']; $fname = $data[$user]['FNAME']; $lname = $data[$user]['LNAME']; $contact = $data[$user]['CONTACT']; $to = $data[$user]['CONTACT']; - $subject = __('MAIL_RESET_SUBJECT', date('Y-m-d H:i:s')); + $subject = __('MAIL_RESET_SUBJECT',date("Y-m-d H:i:s")); $hostname = exec('hostname'); - $from = __('MAIL_FROM', $hostname); - if (!empty($fname) || !empty($lname)) { - $mailtext = __('GREETINGS_GORDON_FREEMAN', $fname, $lname); + $from = __('MAIL_FROM',$hostname); + if (!empty($fname)) { + $mailtext = __('GREETINGS_GORDON_FREEMAN',$fname,$lname); } else { $mailtext = __('GREETINGS'); } - $mailtext .= __('PASSWORD_RESET_REQUEST', $_SERVER['HTTP_HOST'], $user, $rkey, $_SERVER['HTTP_HOST'], $user, $rkey); + $mailtext .= __('PASSWORD_RESET_REQUEST',$_SERVER['HTTP_HOST'],$user,$rkey,$_SERVER['HTTP_HOST'],$user,$rkey); if (!empty($rkey)) send_email($to, $subject, $mailtext, $from); + unset($output); } header("Location: /reset/?action=code&user=".$_POST['user']); 
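Review bot: `header("Location: /reset/?action=code&user=".$_POST['user']);` places the raw POST value into a query string without `urlencode`, so names containing `&`, `#` or spaces produce a malformed redirect; `header("Location: /reset/?action=code&user=".urlencode($_POST['user']));` fixes that. `unset($output)` sits inside the success branch only, so on a non-zero exit the buffer is left set for any later exec in the same request.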
@@ -37,20 +40,23 @@ if ((!empty($_POST['user'])) && (empty($_POST['code']))) { } if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['password'])) ) { - if ($_POST['password'] == $_POST['password_confirm']) { + if ( $_POST['password'] == $_POST['password_confirm'] ) { + $v_user = escapeshellarg($_POST['user']); $user = $_POST['user']; - $return_var = v_exec('v-list-user', [$user, 'json'], false, $output); - if ($return_var == 0) { - $data = json_decode($output, true); + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user"; + exec ($cmd." ".$v_user." json", $output, $return_var); + if ( $return_var == 0 ) { + $data = json_decode(implode('', $output), true); $rkey = $data[$user]['RKEY']; if ($rkey == $_POST['code']) { $v_password = tempnam("/tmp","vst"); $fp = fopen($v_password, "w"); fwrite($fp, $_POST['password']."\n"); fclose($fp); - $return_var = v_exec('v-change-user-password', [$user, $v_password], false); + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password"; + exec ($cmd." ".$v_user." ".$v_password, $output, $return_var); unlink($v_password); - if ($return_var > 0) { + if ( $return_var > 0 ) { $ERROR = "".__('An internal error occurred').""; } else { $_SESSION['user'] = $_POST['user']; diff --git a/web/reset/mail/index.php b/web/reset/mail/index.php index dafb745cc..9315d0418 100644 --- a/web/reset/mail/index.php +++ b/web/reset/mail/index.php 
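Review bot: `if ($rkey == $_POST['code'])` compares the reset key against user input with loose equality, which treats numeric-looking strings such as `0e123` and `0e456` as equal; use `hash_equals((string)$rkey, (string)$_POST['code'])` (or at minimum `===`) so the comparison is strict and constant-time. Guarding on `!empty($rkey)` here, as the mail-sending branch above does, would also make the intent explicit for user records without an RKEY. `$_POST['password'] == $_POST['password_confirm']` has the same loose-comparison shape.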
@@ -102,21 +102,25 @@ function to64 ($v, $n) // Check arguments if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST['new']))) { list($v_account, $v_domain) = explode('@', $_POST['email']); + $v_domain = escapeshellarg($v_domain); + $v_account = escapeshellarg($v_account); $v_password = $_POST['password']; // Get domain owner - $return_var = v_exec('v-search-domain-owner', [$v_domain, 'mail'], false, $output); + exec (VESTA_CMD."v-search-domain-owner ".$v_domain." 'mail'", $output, $return_var); if ($return_var == 0) { - $v_user = strtok($output, "\n"); + $v_user = $output[0]; } + unset($output); // Get current md5 hash if (!empty($v_user)) { - $return_var = v_exec('v-get-mail-account-value', [$v_user, $v_domain, $v_account, 'md5'], false, $output); + exec (VESTA_CMD."v-get-mail-account-value '".$v_user."' ".$v_domain." ".$v_account." 'md5'", $output, $return_var); if ($return_var == 0) { - $v_hash = strtok($output, "\n"); + $v_hash = $output[0]; } } + unset($output); // Compare hashes if (!empty($v_hash)) { @@ -125,14 +129,14 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[ $n_hash = '{MD5}'.$n_hash; // Change password - if ($v_hash == $n_hash) { + if ( $v_hash == $n_hash ) { $v_new_password = tempnam("/tmp","vst"); $fp = fopen($v_new_password, "w"); fwrite($fp, $_POST['new']."\n"); fclose($fp); - $return_var = v_exec('v-change-mail-account-password', [$v_user, $v_domain, $v_account, $v_new_password], false, $output); + exec (VESTA_CMD."v-change-mail-account-password '".$v_user."' ".$v_domain." ".$v_account." ".$v_new_password, $output, $return_var); if ($return_var == 0) { - echo 'ok'; + echo "ok"; exit; } } diff --git a/web/restart/service/index.php b/web/restart/service/index.php index 8952fcc0f..5f42e5e5d 100644 --- a/web/restart/service/index.php +++ b/web/restart/service/index.php 
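Review bot: `list($v_account, $v_domain) = explode('@', $_POST['email']);` leaves `$v_domain` undefined when the address has no `@`, and `escapeshellarg(null)` then turns it into an empty quoted argument for `v-search-domain-owner`; check the split first, e.g. `$parts = explode('@', $_POST['email'], 2); if (count($parts) != 2) exit; list($v_account, $v_domain) = $parts;`. `$v_user` comes from command output and is wrapped in bare quotes rather than `escapeshellarg` on the two later command lines; escaping it like the other arguments keeps the construction uniform.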
@@ -8,17 +8,18 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { if (!empty($_GET['srv'])) { if ($_GET['srv'] == 'iptables') { - $return_var = v_exec('v-update-firewall', [], false, $output); + exec (VESTA_CMD."v-update-firewall", $output, $return_var); } else { - $v_service = $_GET['srv']; - $return_var = v_exec('v-restart-service', [$v_service], false, $output); + $v_service = escapeshellarg($_GET['srv']); + exec (VESTA_CMD."v-restart-service ".$v_service, $output, $return_var); } } if ($return_var != 0) { $error = implode('
', $output); - if (empty($error)) $error = __('SERVICE_ACTION_FAILED', __('restart'), htmlentities($_GET['srv'])); - $_SESSION['error_msg'] = $error; + if (empty($error)) $error = __('SERVICE_ACTION_FAILED',__('restart'),$v_service); + $_SESSION['error_msg'] = $error; } + unset($output); } header("Location: /list/server/"); diff --git a/web/restart/system/index.php b/web/restart/system/index.php index b4b624171..4facc5a5a 100644 --- a/web/restart/system/index.php +++ b/web/restart/system/index.php @@ -3,14 +3,14 @@ error_reporting(NULL); ob_start(); session_start(); - include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { if (!empty($_GET['hostname'])) { - v_exec('v-restart-system', ['yes'], false); + exec (VESTA_CMD."v-restart-system yes", $output, $return_var); $_SESSION['error_msg'] = 'The system is going down for reboot NOW!'; } + unset($output); } header("Location: /list/server/"); diff --git a/web/schedule/backup/index.php b/web/schedule/backup/index.php index c69a57935..67c7b44ff 100644 --- a/web/schedule/backup/index.php +++ b/web/schedule/backup/index.php @@ -5,15 +5,21 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); -$return_var = v_exec('v-schedule-user-backup', [$user]); -switch ($return_var) { - case 0: - $_SESSION['error_msg'] = __('BACKUP_SCHEDULED'); - break; - case 4: - $_SESSION['error_msg'] = __('BACKUP_EXISTS'); - break; -} +$v_username = escapeshellarg($user); +exec (VESTA_CMD."v-schedule-user-backup ".$v_username, $output, $return_var); +if ($return_var == 0) { + $_SESSION['error_msg'] = __('BACKUP_SCHEDULED'); +} else { + $_SESSION['error_msg'] = implode('
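Review bot: The error message drops `htmlentities($_GET['srv'])` in favour of `$v_service`, which is the `escapeshellarg`-quoted form and is undefined on the `iptables` path; if `$_SESSION['error_msg']` is later rendered into a page without escaping, this reflects the raw service name into HTML. Keep the HTML-escaped original: `if (empty($error)) $error = __('SERVICE_ACTION_FAILED',__('restart'),htmlentities($_GET['srv']));`. `$return_var` is also undefined when `$_GET['srv']` is empty, so the `if ($return_var != 0)` test is evaluated against an unset variable.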
', $output); + if (empty($_SESSION['error_msg'])) { + $_SESSION['error_msg'] = __('Error: vesta did not return any output.'); + } + if ($return_var == 4) { + $_SESSION['error_msg'] = __('BACKUP_EXISTS'); + } + +} +unset($output); header("Location: /list/backup/"); exit; diff --git a/web/schedule/restore/index.php b/web/schedule/restore/index.php index 452ac103a..ce7d5d03d 100644 --- a/web/schedule/restore/index.php +++ b/web/schedule/restore/index.php @@ -6,7 +6,7 @@ session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); -$backup = $_GET['backup']; +$backup = escapeshellarg($_GET['backup']); $web = 'no'; $dns = 'no'; 
@@ -15,27 +15,30 @@ $db = 'no'; $cron = 'no'; $udir = 'no'; -if ($_GET['type'] == 'web') $web = $_GET['object']; -if ($_GET['type'] == 'dns') $dns = $_GET['object']; -if ($_GET['type'] == 'mail') $mail = $_GET['object']; -if ($_GET['type'] == 'db') $db = $_GET['object']; +if ($_GET['type'] == 'web') $web = escapeshellarg($_GET['object']); +if ($_GET['type'] == 'dns') $dns = escapeshellarg($_GET['object']); +if ($_GET['type'] == 'mail') $mail = escapeshellarg($_GET['object']); +if ($_GET['type'] == 'db') $db = escapeshellarg($_GET['object']); if ($_GET['type'] == 'cron') $cron = 'yes'; -if ($_GET['type'] == 'udir') $udir = $_GET['object']; +if ($_GET['type'] == 'udir') $udir = escapeshellarg($_GET['object']); if (!empty($_GET['type'])) { - $restore_args = [$user, $backup, $web, $dns, $mail, $db, $cron, $udir]; + $restore_cmd = VESTA_CMD."v-schedule-user-restore ".$user." ".$backup." ".$web." ".$dns." ".$mail." ".$db." ".$cron." ".$udir; } else { - $restore_args = [$user, $backup]; + $restore_cmd = VESTA_CMD."v-schedule-user-restore ".$user." ".$backup; } -$return_var = v_exec('v-schedule-user-restore', $restore_args); -switch ($return_var) { - case 0: - $_SESSION['error_msg'] = __('RESTORE_SCHEDULED'); - break; - case 4: +exec ($restore_cmd, $output, $return_var); +if ($return_var == 0) { + $_SESSION['error_msg'] = __('RESTORE_SCHEDULED'); +} else { + $_SESSION['error_msg'] = implode('
', $output);
+ if (empty($_SESSION['error_msg'])) {
+ $_SESSION['error_msg'] = __('Error: vesta did not return any output.');
+ }
+ if ($return_var == 4) {
 $_SESSION['error_msg'] = __('RESTORE_EXISTS');
- break;
+ }
 }
 header("Location: /list/backup/?backup=" . $_GET['backup']);
diff --git a/web/search/index.php b/web/search/index.php
index f0870e52a..fc5ffd069 100644
--- a/web/search/index.php
+++ b/web/search/index.php
@@ -9,9 +9,9 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check query
 $q = $_GET['q'];
 if (empty($q)) {
- $back = getenv('HTTP_REFERER');
+ $back=getenv("HTTP_REFERER");
 if (!empty($back)) {
- header("Location: $back");
+ header("Location: ".$back);
 exit;
 }
 header("Location: /");
@@ -29,12 +29,13 @@ $lang = 'ru_RU.utf8';
 // Data
 if ($_SESSION['user'] == 'admin') {
- v_exec('v-search-object', [$q, 'json'], false, $output);
- $data = json_decode($output, true);
+ $q = escapeshellarg($q);
+ exec (VESTA_CMD."v-search-object ".$q." json", $output, $return_var);
+ $data = json_decode(implode('', $output), true);
 include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_search.html');
 } else {
- v_exec('v-search-user-object', [$user, $q, 'json'], false, $output);
- $data = json_decode($output, true);
+ exec (VESTA_CMD."v-search-user-object ".$user." ".$q." json", $output, $return_var);
+ $data = json_decode(implode('', $output), true);
 include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_search.html');
 }
diff --git a/web/start/service/index.php b/web/start/service/index.php
index d2f7230c5..943019c4f 100644
--- a/web/start/service/index.php
+++ b/web/start/service/index.php
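Review bot: `$user` is interpolated into both `$restore_cmd` strings unquoted while `$backup`, `$web`, `$dns`, `$mail`, `$db` and `$udir` all go through `escapeshellarg()`; where `$user` is assigned is above this hunk, and the suspend/* handlers in this same commit overwrite it from `$_GET['user']` for admin sessions, so it should be quoted like the rest, `$v_username = escapeshellarg($user);`, and that variable used in both command strings. Any `type` value other than the six handled ones leaves every flag at 'no' and still schedules a restore with `$_GET['object']` silently ignored; an explicit allowlist on `type` before the `if` chain would make that deliberate. The redirect also appends `$_GET['backup']` unencoded, `header("Location: /list/backup/?backup=" . urlencode($_GET['backup']));` would keep the URL intact for names with `&` or `#`.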
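Review bot: `$q = escapeshellarg($q);` is applied only inside the admin branch; the `else` branch builds `"v-search-user-object ".$user." ".$q." json"` from the raw `$_GET['q']` read at the top of the file, so a non-admin search term containing `;`, backticks or `$(…)` reaches the shell unquoted — this revert reintroduces the command injection for the lower-privilege account. Move the quoting above the branch, `$q = escapeshellarg($q);` immediately before `if ($_SESSION['user'] == 'admin') {`, and quote `$user` the same way since its origin is not visible here. `$return_var` is captured in both branches but never checked, so a failing search hands `null` to the template instead of an error.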
@@ -8,17 +8,18 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { if (!empty($_GET['srv'])) { if ($_GET['srv'] == 'iptables') { - $return_var = v_exec('v-update-firewall', [], false, $output); + exec (VESTA_CMD."v-update-firewall", $output, $return_var); } else { - $v_service = $_GET['srv']; - $return_var = v_exec('v-start-service', [$v_service], false, $output); + $v_service = escapeshellarg($_GET['srv']); + exec (VESTA_CMD."v-start-service ".$v_service, $output, $return_var); } } if ($return_var != 0) { $error = implode('
', $output); - if (empty($error)) $error = __('SERVICE_ACTION_FAILED', __('start'), htmlentities($_GET['srv'])); - $_SESSION['error_srv'] = $error; + if (empty($error)) $error = __('SERVICE_ACTION_FAILED',__('start'),$v_service);; + $_SESSION['error_srv'] = $error; } + unset($output); } header("Location: /list/server/"); diff --git a/web/stop/service/index.php b/web/stop/service/index.php index 1221d4e5b..a151dc6d8 100644 --- a/web/stop/service/index.php +++ b/web/stop/service/index.php @@ -8,18 +8,18 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { if (!empty($_GET['srv'])) { if ($_GET['srv'] == 'iptables') { - $return_var = v_exec('v-stop-firewall', [], false, $output); + exec (VESTA_CMD."v-stop-firewall", $output, $return_var); } else { - $v_service = $_GET['srv']; - $return_var = v_exec('v-stop-service', [$v_service], false, $output); + $v_service = escapeshellarg($_GET['srv']); + exec (VESTA_CMD."v-stop-service ".$v_service, $output, $return_var); } } if ($return_var != 0) { $error = implode('
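Review bot: The fallback message on the error path now embeds `$v_service`, which is the `escapeshellarg()`-quoted value, where the removed line used `htmlentities($_GET['srv'])`: the user-controlled string is stored in `$_SESSION['error_srv']` with shell quotes around it and without HTML escaping, so unless the template escapes on output (not visible here) a `srv` value containing markup is reflected into the page. Keep the escaping in the message, `if (empty($error)) $error = __('SERVICE_ACTION_FAILED', __('start'), htmlentities($_GET['srv']));`, which also removes the stray second `;` on that line. `$v_service` is only assigned in the `else` branch, so for `srv=iptables` the message is built from an undefined variable.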
', $output); - if (empty($error)) $error = __('SERVICE_ACTION_FAILED', __('stop'), htmlentities($_GET['srv'])); - $_SESSION['error_srv'] = $error; + if (empty($error)) $error = __('SERVICE_ACTION_FAILED',__('stop'),$v_service); + $_SESSION['error_srv'] = $error; } - + unset($output); } header("Location: /list/server/"); diff --git a/web/suspend/cron/index.php b/web/suspend/cron/index.php index c1183fd7f..3bf40a615 100644 --- a/web/suspend/cron/index.php +++ b/web/suspend/cron/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -16,20 +16,20 @@ if ($_SESSION['user'] != 'admin') { header("Location: /list/user"); exit; } - if (!empty($_GET['user'])) { - $user = $_GET['user']; + $user=$_GET['user']; } - if (!empty($_GET['job'])) { - $v_username = $user; - $v_job = $_GET['job']; - v_exec('v-suspend-cron-job', [$v_username, $v_job]); + $v_username = escapeshellarg($user); + $v_job = escapeshellarg($_GET['job']); + exec (VESTA_CMD."v-suspend-cron-job ".$v_username." ".$v_job, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/suspend/db/index.php b/web/suspend/db/index.php index 07a007c83..a335a5b41 100644 --- a/web/suspend/db/index.php +++ b/web/suspend/db/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user 
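Review bot: Same regression as start/service: the fallback error now embeds `$v_service` — shell-quoted, not HTML-escaped — in place of `htmlentities($_GET['srv'])`, and `$v_service` is never set on the `iptables` branch. Restore the previous form: `if (empty($error)) $error = __('SERVICE_ACTION_FAILED', __('stop'), htmlentities($_GET['srv']));`.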
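Review bot: `check_return_code($return_var,$output);` runs unconditionally, but `$return_var` and `$output` are only assigned inside `if (!empty($_GET['job']))`, so a request without `job` calls it with two undefined variables; the notice is presumably hidden by the `error_reporting(NULL)` these scripts open with, which masks the gap rather than closing it. Move that call and `unset($output);` inside the `if` block next to the `exec()`. The admin override `$user=$_GET['user'];` accepts any string; it is shell-quoted on the following line, so what remains is whether `v-suspend-cron-job` validates the user name, which is outside this diff.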
@@ -22,14 +22,16 @@ if (!empty($_GET['user'])) { } if (!empty($_GET['database'])) { - $v_username = $user; - $v_database = $_GET['database']; - v_exec('v-suspend-database', [$v_username, $v_database]); + $v_username = escapeshellarg($user); + $v_database = escapeshellarg($_GET['database']); + exec (VESTA_CMD."v-suspend-database ".$v_username." ".$v_database, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/suspend/dns/index.php b/web/suspend/dns/index.php index 2c0c3a8b1..300672f51 100644 --- a/web/suspend/dns/index.php +++ b/web/suspend/dns/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -23,12 +23,14 @@ if (!empty($_GET['user'])) { // DNS domain if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - v_exec('v-suspend-dns-domain', [$v_username, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-suspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/"); 
@@ -37,13 +39,15 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { // DNS record if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - $v_record_id = $_GET['record_id']; - v_exec('v-suspend-dns-record', [$v_username, $v_domain, $v_record_id]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_record_id = escapeshellarg($_GET['record_id']); + exec (VESTA_CMD."v-suspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/?domain=".$_GET['domain']); @@ -52,7 +56,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/suspend/firewall/index.php b/web/suspend/firewall/index.php index 1a2bf7dd4..40f8adaf3 100644 --- a/web/suspend/firewall/index.php +++ b/web/suspend/firewall/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -18,13 +18,15 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['rule'])) { - $v_rule = $_GET['rule']; - v_exec('v-suspend-firewall-rule', [$v_rule]); + $v_rule = escapeshellarg($_GET['rule']); + exec (VESTA_CMD."v-suspend-firewall-rule ".$v_rule, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } 
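Review bot: `header("Location: /list/dns/?domain=".$_GET['domain']);` puts the raw query value back into a URL without encoding, so a domain containing `&`, `#` or whitespace yields a broken or differently-parsed redirect (PHP's `header()` rejects CR/LF, so response splitting is not the concern). Use `urlencode($_GET['domain'])` there. The `$back` block is repeated verbatim three times in this file; a small helper would keep the redirect logic in one place, though that is a style point.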
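Review bot: The redirect target is taken straight from the request's `Referer` header, `$back=getenv("HTTP_REFERER"); … header("Location: ".$back);`, so after suspending a rule the admin is sent wherever the referring page claims, including an external origin if the link came from one. The suspend/cron, db, user and web handlers in this same commit use the server-stored `$_SESSION['back']` instead; switching this handler to that, or checking that `$back` starts with the panel's own origin, keeps the redirect on-site. `check_return_code($return_var,$output);` is also reached when `rule` is empty and no command ran.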
diff --git a/web/suspend/mail/index.php b/web/suspend/mail/index.php index 1686ff3bf..e96bde2e8 100644 --- a/web/suspend/mail/index.php +++ b/web/suspend/mail/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -18,17 +18,19 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['user'])) { - $user = $_GET['user']; + $user=$_GET['user']; } // Mail domain if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - v_exec('v-suspend-mail-domain', [$v_username, $v_domain]); - $back = getenv('HTTP_REFERER'); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-suspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var); + check_return_code($return_var,$output); + unset($output); + $back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/mail/"); @@ -37,13 +39,15 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { // Mail account if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - $v_account = $_GET['account']; - v_exec('v-suspend-mail-account', [$v_username, $v_domain, $v_account]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + exec (VESTA_CMD."v-suspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var); + check_return_code($return_var,$output); + unset($output); $back = $_SESSION['back']; - if (!empty($back)) { - header("Location: $back"); + if (!empty($back)) { + header("Location: ".$back); exit; } header("Location: /list/mail/?domain=".$_GET['domain']); 
@@ -52,7 +56,7 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/suspend/user/index.php b/web/suspend/user/index.php index 91137bbbc..8f355941f 100644 --- a/web/suspend/user/index.php +++ b/web/suspend/user/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -18,13 +18,15 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['user'])) { - $v_username = $_GET['user']; - v_exec('v-suspend-user', [$v_username]); + $v_username = escapeshellarg($_GET['user']); + exec (VESTA_CMD."v-suspend-user ".$v_username, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/suspend/web/index.php b/web/suspend/web/index.php index cd9858cba..23ae3cda3 100644 --- a/web/suspend/web/index.php +++ b/web/suspend/web/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user 
@@ -18,19 +18,21 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['user'])) { - $user = $_GET['user']; + $user=$_GET['user']; } if (!empty($_GET['domain'])) { - $v_username = $user; - $v_domain = $_GET['domain']; - v_exec('v-suspend-domain', [$v_username, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-suspend-domain ".$v_username." ".$v_domain, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); $back = $_SESSION['back']; if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/templates/admin/edit_package.html b/web/templates/admin/edit_package.html index 110cf6d71..bbdcba301 100644 --- a/web/templates/admin/edit_package.html +++ b/web/templates/admin/edit_package.html @@ -22,7 +22,7 @@
', $output); + if (empty($error)) $error = __('Error: vesta did not return any output.'); + $_SESSION['error_msg'] = $error; + } + unset($output); + $back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/"); @@ -37,22 +43,28 @@ if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) { // DNS record if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - $v_record_id = $_GET['record_id']; - v_exec('v-unsuspend-dns-record', [$v_username, $v_domain, $v_record_id]); - $back = getenv('HTTP_REFERER'); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_record_id = escapeshellarg($_GET['record_id']); + exec (VESTA_CMD."v-unsuspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var); + if ($return_var != 0) { + $error = implode('
', $output); + if (empty($error)) $error = __('Error: vesta did not return any output.'); + $_SESSION['error_msg'] = $error; + } + unset($output); + $back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/dns/?domain=".$_GET['domain']); exit; } -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/unsuspend/firewall/index.php b/web/unsuspend/firewall/index.php index 66191893e..ec3843e9f 100644 --- a/web/unsuspend/firewall/index.php +++ b/web/unsuspend/firewall/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -18,13 +18,15 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['rule'])) { - $v_rule = $_GET['rule']; - v_exec('v-unsuspend-firewall-rule', [$v_rule]); + $v_rule = escapeshellarg($_GET['rule']); + exec (VESTA_CMD."v-unsuspend-firewall-rule ".$v_rule, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/unsuspend/mail/index.php b/web/unsuspend/mail/index.php index e4bc667f2..158cb73ca 100644 --- a/web/unsuspend/mail/index.php +++ b/web/unsuspend/mail/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user 
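Review bot: The error handling here is an inlined copy of what the suspend/* handlers in this commit do through `check_return_code($return_var,$output);` — `if ($return_var != 0) { $error = implode(…); if (empty($error)) …; $_SESSION['error_msg'] = $error; }` — and whether the helper stores the same key and fallback text is not visible here, so the two copies will drift. Replacing the five-line block with the helper call keeps one behaviour for suspend and unsuspend. The redirect also appends the raw value, `header("Location: /list/dns/?domain=".urlencode($_GET['domain']));` would be safer for names containing `&` or `#`.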
@@ -23,12 +23,18 @@ if (!empty($_GET['user'])) { // Mail domain if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - v_exec('v-unsuspend-mail-domain', [$v_username, $v_domain]); - $back = getenv('HTTP_REFERER'); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-unsuspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var); + if ($return_var != 0) { + $error = implode('
', $output); + if (empty($error)) $error = __('Error: vesta did not return any output.'); + $_SESSION['error_msg'] = $error; + } + unset($output); + $back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/mail/"); @@ -37,22 +43,28 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) { // Mail account if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { - $v_username = $user; - $v_domain = $_GET['domain']; - $v_account = $_GET['account']; - v_exec('v-unsuspend-mail-account', [$v_username, $v_domain, $v_account]); - $back = getenv('HTTP_REFERER'); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + exec (VESTA_CMD."v-unsuspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var); + if ($return_var != 0) { + $error = implode('
', $output); + if (empty($error)) $error = __('Error: vesta did not return any output.'); + $_SESSION['error_msg'] = $error; + } + unset($output); + $back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } header("Location: /list/mail/?domain=".$_GET['domain']); exit; } -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/unsuspend/user/index.php b/web/unsuspend/user/index.php index 61b525994..7aff155e6 100644 --- a/web/unsuspend/user/index.php +++ b/web/unsuspend/user/index.php @@ -9,7 +9,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user @@ -19,13 +19,15 @@ if ($_SESSION['user'] != 'admin') { } if (!empty($_GET['user'])) { - $v_username = $_GET['user']; - v_exec('v-unsuspend-user', [$v_username]); + $v_username = escapeshellarg($_GET['user']); + exec (VESTA_CMD."v-unsuspend-user ".$v_username, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/unsuspend/web/index.php b/web/unsuspend/web/index.php index 3bee314dc..760cc169e 100644 --- a/web/unsuspend/web/index.php +++ b/web/unsuspend/web/index.php @@ -8,7 +8,7 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { header('location: /login/'); - exit; + exit(); } // Check user 
@@ -17,18 +17,19 @@ if ($_SESSION['user'] != 'admin') { exit; } if (!empty($_GET['user'])) { - $user = $_GET['user']; + $user=$_GET['user']; } - if (!empty($_GET['domain'])) { - $v_username = $user; - $v_domain = $_GET['domain']; - v_exec('v-unsuspend-domain', [$v_username, $v_domain]); + $v_username = escapeshellarg($user); + $v_domain = escapeshellarg($_GET['domain']); + exec (VESTA_CMD."v-unsuspend-domain ".$v_username." ".$v_domain, $output, $return_var); } +check_return_code($return_var,$output); +unset($output); -$back = getenv('HTTP_REFERER'); +$back=getenv("HTTP_REFERER"); if (!empty($back)) { - header("Location: $back"); + header("Location: ".$back); exit; } diff --git a/web/update/vesta/index.php b/web/update/vesta/index.php index 0120ccaa8..a025c7bf0 100644 --- a/web/update/vesta/index.php +++ b/web/update/vesta/index.php @@ -7,9 +7,16 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ($_SESSION['user'] == 'admin') { if (!empty($_GET['pkg'])) { - $v_pkg = $_GET['pkg']; - v_exec('v-update-sys-vesta', [$v_pkg]); + $v_pkg = escapeshellarg($_GET['pkg']); + exec (VESTA_CMD."v-update-sys-vesta ".$v_pkg, $output, $return_var); } + + if ($return_var != 0) { + $error = implode('
', $output);
+ if (empty($error)) $error = 'Error: '.$v_pkg.' update failed';
+ $_SESSION['error_msg'] = $error;
+ }
+ unset($output);
 }
 header("Location: /list/updates/");
diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php
index c9328be75..7db8bc414 100755
--- a/web/upload/UploadHandler.php
+++ b/web/upload/UploadHandler.php
@@ -2,7 +2,6 @@
 //session_start();
-require_once(__DIR__.'/../inc/exec.php');
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check login_as feature
@@ -1105,7 +1104,9 @@ class UploadHandler
 } else {
 chmod($uploaded_file, 0644);
 //move_uploaded_file($uploaded_file, $file_path);
- $return_var = v_exec('v-copy-fs-file', [USERNAME, $uploaded_file, $file_path]);
+ exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} {$file_path}", $output, $return_var);
+
+ $error = check_return_code($return_var, $output);
 if ($return_var != 0) {
 //var_dump(VESTA_CMD . "v-copy-fs-file {$user} {$fn} {$path}");
 //var_dump($path);
diff --git a/web/view/file/index.php b/web/view/file/index.php
index 375b9a6b7..6605607c6 100644
--- a/web/view/file/index.php
+++ b/web/view/file/index.php
@@ -1,4 +1,4 @@
-
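Review bot: The fallback message `'Error: '.$v_pkg.' update failed'` embeds the `escapeshellarg()`-quoted value, so the admin sees the package name wrapped in shell quotes, and unlike the sibling messages in this commit it skips `__()` and any HTML escaping of the `$_GET['pkg']` it originates from. Build it from the escaped raw input instead: `if (empty($error)) $error = 'Error: '.htmlentities($_GET['pkg']).' update failed';`. The `if ($return_var != 0)` check also runs when `pkg` is empty, where `$return_var` was never assigned.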
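Review bot: `{$uploaded_file}` and `{$file_path}` are interpolated into the `v-copy-fs-file` command with no `escapeshellarg()`, which every other `exec()` restored by this commit applies; `$file_path` is the upload's destination (how it is derived is above the hunk), so a file name carrying `;`, backticks or `$(…)` is executed with whatever privileges `VESTA_CMD` carries. Quote both arguments: `exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." ".escapeshellarg($uploaded_file)." ".escapeshellarg($file_path), $output, $return_var);`. `$error = check_return_code($return_var, $output);` captures a return value the sibling handlers never use, and the `if ($return_var != 0)` that follows repeats the helper's check; the enclosing method continues past the hunk.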