Revert "[SECURITY] Fix OS command injection."
parent
9620bfbf35
commit
39e9b6397b
115 changed files with 1980 additions and 1340 deletions
|
@ -21,18 +21,19 @@ if (empty($_GET['domain'])) {
|
|||
|
||||
// Edit as someone else?
|
||||
if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
|
||||
$user = $_GET['user'];
|
||||
$user=escapeshellarg($_GET['user']);
|
||||
}
|
||||
$v_username = $user;
|
||||
|
||||
// List mail domain
|
||||
if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
||||
$v_domain = $_GET['domain'];
|
||||
|
||||
v_exec('v-list-mail-domain', [$user, $v_domain, 'json'], false, $output);
|
||||
$data = json_decode($output, true);
|
||||
$v_domain = escapeshellarg($_GET['domain']);
|
||||
exec (VESTA_CMD."v-list-mail-domain ".$user." ".$v_domain." json", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
unset($output);
|
||||
|
||||
// Parse domain
|
||||
$v_domain = $_GET['domain'];
|
||||
$v_antispam = $data[$v_domain]['ANTISPAM'];
|
||||
$v_antivirus = $data[$v_domain]['ANTIVIRUS'];
|
||||
$v_dkim = $data[$v_domain]['DKIM'];
|
||||
|
@ -49,14 +50,17 @@ if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
|||
|
||||
// List mail account
|
||||
if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
||||
$v_domain = $_GET['domain'];
|
||||
$v_account = $_GET['account'];
|
||||
|
||||
v_exec('v-list-mail-account', [$user, $v_domain, $v_account, 'json'], false, $output);
|
||||
$data = json_decode($output, true);
|
||||
$v_domain = escapeshellarg($_GET['domain']);
|
||||
$v_account = escapeshellarg($_GET['account']);
|
||||
exec (VESTA_CMD."v-list-mail-account ".$user." ".$v_domain." ".$v_account." 'json'", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
unset($output);
|
||||
|
||||
// Parse mail account
|
||||
$v_password = '';
|
||||
$v_username = $user;
|
||||
$v_domain = $_GET['domain'];
|
||||
$v_account = $_GET['account'];
|
||||
$v_password = "";
|
||||
$v_aliases = str_replace(',', "\n", $data[$v_account]['ALIAS']);
|
||||
$valiases = explode(",", $data[$v_account]['ALIAS']);
|
||||
$v_fwd = str_replace(',', "\n", $data[$v_account]['FWD']);
|
||||
|
@ -75,8 +79,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|||
|
||||
// Parse autoreply
|
||||
if ( $v_autoreply == 'yes' ) {
|
||||
v_exec('v-list-mail-account-autoreply', [$user, $v_domain, $v_account, 'json'], false, $output);
|
||||
$autoreply_str = json_decode($output, true);
|
||||
exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var);
|
||||
$autoreply_str = json_decode(implode('', $output), true);
|
||||
unset($output);
|
||||
$v_autoreply_message = $autoreply_str[$v_account]['MSG'];
|
||||
}
|
||||
}
|
||||
|
@ -84,68 +89,86 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
|
|||
|
||||
// Check POST request for mail domain
|
||||
if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (empty($_GET['account']))) {
|
||||
$v_domain = $_POST['v_domain'];
|
||||
$v_domain = escapeshellarg($_POST['v_domain']);
|
||||
|
||||
// Check token
|
||||
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
|
||||
header('location: /login/');
|
||||
exit;
|
||||
exit();
|
||||
}
|
||||
|
||||
// Delete antispam
|
||||
if (($v_antispam == 'yes') && (empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-domain-antispam', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-delete-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_antispam = 'no';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Add antispam
|
||||
if (($v_antispam == 'no') && (!empty($_POST['v_antispam'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-add-mail-domain-antispam', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-add-mail-domain-antispam ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_antispam = 'yes';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Delete antivirus
|
||||
if (($v_antivirus == 'yes') && (empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-domain-antivirus', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-delete-mail-domain-antivirus ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_antivirus = 'no';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Add antivirs
|
||||
if (($v_antivirus == 'no') && (!empty($_POST['v_antivirus'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-add-mail-domain-antivirus', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-add-mail-domain-antivirus ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_antivirus = 'yes';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Delete DKIM
|
||||
if (($v_dkim == 'yes') && (empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-domain-dkim', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-delete-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_dkim = 'no';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Add DKIM
|
||||
if (($v_dkim == 'no') && (!empty($_POST['v_dkim'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-add-mail-domain-dkim', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-add-mail-domain-dkim ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_dkim = 'yes';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Delete catchall
|
||||
if ((!empty($v_catchall)) && (empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-domain-catchall', [$v_username, $v_domain]);
|
||||
exec (VESTA_CMD."v-delete-mail-domain-catchall ".$v_username." ".$v_domain, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
$v_catchall = '';
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Change catchall address
|
||||
if ((!empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
||||
if ($v_catchall != $_POST['v_catchall']) {
|
||||
$v_catchall = $_POST['v_catchall'];
|
||||
v_exec('v-change-mail-domain-catchall', [$v_username, $v_domain, $v_catchall]);
|
||||
$v_catchall = escapeshellarg($_POST['v_catchall']);
|
||||
exec (VESTA_CMD."v-change-mail-domain-catchall ".$v_username." ".$v_domain." ".$v_catchall, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
}
|
||||
|
||||
// Add catchall
|
||||
if ((empty($v_catchall)) && (!empty($_POST['v_catchall'])) && (empty($_SESSION['error_msg']))) {
|
||||
$v_catchall = $_POST['v_catchall'];
|
||||
v_exec('v-add-mail-domain-catchall', [$v_username, $v_domain, $v_catchall]);
|
||||
$v_catchall = escapeshellarg($_POST['v_catchall']);
|
||||
exec (VESTA_CMD."v-add-mail-domain-catchall ".$v_username." ".$v_domain." ".$v_catchall, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Set success message
|
||||
|
@ -160,11 +183,11 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|||
// Check token
|
||||
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
|
||||
header('location: /login/');
|
||||
exit;
|
||||
exit();
|
||||
}
|
||||
|
||||
$v_domain = $_POST['v_domain'];
|
||||
$v_account = $_POST['v_account'];
|
||||
$v_domain = escapeshellarg($_POST['v_domain']);
|
||||
$v_account = escapeshellarg($_POST['v_account']);
|
||||
|
||||
// Change password
|
||||
if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
|
||||
|
@ -172,19 +195,23 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|||
$fp = fopen($v_password, "w");
|
||||
fwrite($fp, $_POST['v_password']."\n");
|
||||
fclose($fp);
|
||||
v_exec('v-change-mail-account-password', [$v_username, $v_domain, $v_account, $v_password]);
|
||||
exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
unlink($v_password);
|
||||
$v_password = $_POST['v_password'];
|
||||
$v_password = escapeshellarg($_POST['v_password']);;
|
||||
}
|
||||
|
||||
// Change quota
|
||||
if (($v_quota != $_POST['v_quota']) && (empty($_SESSION['error_msg']))) {
|
||||
if (empty($_POST['v_quota'])) {
|
||||
$v_quota = '0';
|
||||
$v_quota = 0;
|
||||
} else {
|
||||
$v_quota = $_POST['v_quota'];
|
||||
$v_quota = escapeshellarg($_POST['v_quota']);
|
||||
}
|
||||
v_exec('v-change-mail-account-quota', [$v_username, $v_domain, $v_account, $v_quota]);
|
||||
exec (VESTA_CMD."v-change-mail-account-quota ".$v_username." ".$v_domain." ".$v_account." ".$v_quota, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
|
||||
// Change account aliases
|
||||
|
@ -198,13 +225,17 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|||
$result = array_diff($valiases, $aliases);
|
||||
foreach ($result as $alias) {
|
||||
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
|
||||
v_exec('v-delete-mail-account-alias', [$v_username, $v_domain, $v_account, $alias]);
|
||||
exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
}
|
||||
$result = array_diff($aliases, $valiases);
|
||||
foreach ($result as $alias) {
|
||||
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
|
||||
v_exec('v-add-mail-account-alias', [$v_username, $v_domain, $v_account, $alias]);
|
||||
exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -220,42 +251,56 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
|
|||
$result = array_diff($vfwd, $fwd);
|
||||
foreach ($result as $forward) {
|
||||
if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
|
||||
v_exec('v-delete-mail-account-forward', [$v_username, $v_domain, $v_account, $forward]);
|
||||
exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
}
|
||||
$result = array_diff($fwd, $vfwd);
|
||||
foreach ($result as $forward) {
|
||||
if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
|
||||
v_exec('v-add-mail-account-forward', [$v_username, $v_domain, $v_account, $forward]);
|
||||
exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Delete FWD_ONLY flag
|
||||
if (($v_fwd_only == 'yes') && (empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-account-fwd-only', [$v_username, $v_domain, $v_account]);
|
||||
exec (VESTA_CMD."v-delete-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
$v_fwd_only = '';
|
||||
}
|
||||
|
||||
// Add FWD_ONLY flag
|
||||
if (($v_fwd_only != 'yes') && (!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-add-mail-account-fwd-only', [$v_username, $v_domain, $v_account]);
|
||||
exec (VESTA_CMD."v-add-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
$v_fwd_only = 'yes';
|
||||
}
|
||||
|
||||
// Delete autoreply
|
||||
if (($v_autoreply == 'yes') && (empty($_POST['v_autoreply'])) && (empty($_SESSION['error_msg']))) {
|
||||
v_exec('v-delete-mail-account-autoreply', [$v_username, $v_domain, $v_account]);
|
||||
exec (VESTA_CMD."v-delete-mail-account-autoreply ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
$v_autoreply = 'no';
|
||||
$v_autoreply_message = '';
|
||||
}
|
||||
|
||||
// Add autoreply
|
||||
if ((!empty($_POST['v_autoreply'])) && (empty($_SESSION['error_msg']))) {
|
||||
if ($v_autoreply_message != str_replace("\r\n", "\n", $_POST['v_autoreply_message'])) {
|
||||
if ( $v_autoreply_message != str_replace("\r\n", "\n", $_POST['v_autoreply_message'])) {
|
||||
$v_autoreply_message = str_replace("\r\n", "\n", $_POST['v_autoreply_message']);
|
||||
v_exec('v-add-mail-account-autoreply', [$v_username, $v_domain, $v_account, $v_autoreply_message]);
|
||||
$v_autoreply_message = escapeshellarg($v_autoreply_message);
|
||||
exec (VESTA_CMD."v-add-mail-account-autoreply ".$v_username." ".$v_domain." ".$v_account." ".$v_autoreply_message, $output, $return_var);
|
||||
check_return_code($return_var,$output);
|
||||
unset($output);
|
||||
$v_autoreply = 'yes';
|
||||
$v_autoreply_message = $_POST['v_autoreply_message'];
|
||||
}
|
||||
}
|
||||
|
||||
|
|
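Review bot: Several of the reinstated command strings quote operands by hand instead of with escapeshellarg(): in the autoreply hunk (`@ -75,8 +79,9`) `$v_domain` and `$v_account` — which the preceding hunk reassigned to the raw `$_GET['domain']` / `$_GET['account']` values right after the escaped copies were consumed — are interpolated as `'".$v_domain."' '".$v_account."'`, and the alias and forward loops do the same with `'".$alias."'` and `'".$forward."'`; a single quote inside any of those values terminates the hand-written quoting, so those calls should pass `escapeshellarg($v_domain)`, `escapeshellarg($v_account)`, `escapeshellarg($alias)` and `escapeshellarg($forward)` like the other arguments in this file do. `$user` (and `$v_username`, which copies it) only goes through escapeshellarg() in the admin branch `$user=escapeshellarg($_GET['user']);`; the value it holds otherwise is assigned outside the hunk and is interpolated unescaped into every exec call, so it presumably comes from the session and must already be shell-safe — worth confirming. Whether `$v_domain` is reassigned again in the lines between the account-listing hunk and the autoreply hunk is not visible here, so the first point assumes it still holds the raw value. The commit message says only that the security fix is reverted; one sentence on what the v_exec() version broke would help whoever next touches these call sites. Every if-block shown starts or ends outside its hunk.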