Fixed issue: #3812 Insufficient validation of PHP version selector.

Till Brehm

2016-03-29 e1b4cacb8d66891ce11dd4203bd92aa265fffcde

 interface/web/sites/web_domain_edit.php

@@ -183,7 +183,7 @@
         unset($tmp);

         // Fill the client select field
         $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
         $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY client.company_name, client.contact_name, sys_group.name";
         $records = $app->db->queryAllRecords($sql);
         $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
         $client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
@@ -313,7 +313,7 @@
         unset($ips);

         // Fill the client select field
         $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY sys_group.name";
         $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
         $clients = $app->db->queryAllRecords($sql);
         $client_select = "<option value='0'></option>";
         //$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -406,8 +406,15 @@
      }

      $ssl_domain_select = '';
      $tmp = $app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".$this->id);
      $ssl_domains = array($tmp["domain"], 'www.'.$tmp["domain"], '*.'.$tmp["domain"]);
      $ssl_domains = array();
      $tmpd = $app->db->queryAllRecords("SELECT domain, type FROM web_domain WHERE domain_id = ".$this->id." OR parent_domain_id = ".$this->id);
      foreach($tmpd as $tmp) {
         if($tmp['type'] == 'subdomain' || $tmp['type'] == 'vhostsubdomain') {
            $ssl_domains[] = $tmp["domain"];
         } else {
            $ssl_domains = array_merge($ssl_domains, array($tmp["domain"],'www.'.$tmp["domain"],'*.'.$tmp["domain"]));
         }
      }
      if(is_array($ssl_domains)) {
         foreach( $ssl_domains as $ssl_domain) {
            $selected = ($ssl_domain == $this->dataRecord['ssl_domain'])?'SELECTED':'';
@@ -607,9 +614,11 @@
         // When the record is updated
         if($this->id > 0) {
            // restore the server ID if the user is not admin and record is edited
            $tmp = $app->db->queryOneRecord("SELECT server_id, `cgi`, `ssi`, `perl`, `ruby`, `python`, `suexec`, `errordocs`, `subdomain`, `ssl` FROM web_domain WHERE domain_id = ".$app->functions->intval($this->id));
            $tmp = $app->db->queryOneRecord("SELECT server_id, `system_user`, `system_group`, `cgi`, `ssi`, `perl`, `ruby`, `python`, `suexec`, `errordocs`, `subdomain`, `ssl` FROM web_domain WHERE domain_id = ".$app->functions->intval($this->id));
            $this->dataRecord["server_id"] = $tmp["server_id"];

            $this->dataRecord['system_user'] = $tmp['system_user'];
            $this->dataRecord['system_group'] = $tmp['system_group'];
            // set the settings to current if not provided (or cleared due to limits)
            if($this->dataRecord['cgi'] == 'n') $this->dataRecord['cgi'] = $tmp['cgi'];
            if($this->dataRecord['ssi'] == 'n') $this->dataRecord['ssi'] = $tmp['ssi'];
@@ -691,6 +700,9 @@
               if(trim($rewrite_rule_line) == '') continue;
               // rewrite
               if(preg_match('@^\s*rewrite\s+(^/)?\S+(\$)?\s+\S+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $rewrite_rule_line)) continue;
               if(preg_match('@^\s*rewrite\s+(^/)?(\'[^\']+\'|"[^"]+")+(\$)?\s+(\'[^\']+\'|"[^"]+")+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $rewrite_rule_line)) continue;
               if(preg_match('@^\s*rewrite\s+(^/)?(\'[^\']+\'|"[^"]+")+(\$)?\s+\S+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $rewrite_rule_line)) continue;
               if(preg_match('@^\s*rewrite\s+(^/)?\S+(\$)?\s+(\'[^\']+\'|"[^"]+")+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $rewrite_rule_line)) continue;
               // if
               if(preg_match('@^\s*if\s+\(\s*\$\S+(\s+(\!?(=|~|~\*))\s+(\S+|\".+\"))?\s*\)\s*\{\s*$@', $rewrite_rule_line)){
                  $if_level += 1;
@@ -746,7 +758,7 @@
               // value inside ''
               if(preg_match('@^\s*;*\s*[a-zA-Z0-9._]*\s*=\s*\'.*\'\s*;*\s*$@', $custom_php_ini_settings_line)) continue;
               // everything else
               if(preg_match('@^\s*;*\s*[a-zA-Z0-9._]*\s*=\s*[-a-zA-Z0-9~&=_\@/,.#\s]*\s*;*\s*$@', $custom_php_ini_settings_line)) continue;
               if(preg_match('@^\s*;*\s*[a-zA-Z0-9._]*\s*=\s*[-a-zA-Z0-9~&=_\@/,.#\s|()]*\s*;*\s*$@', $custom_php_ini_settings_line)) continue;
               $custom_php_ini_settings_are_valid = false;
               break;
            }
@@ -755,6 +767,33 @@
            $app->tform->errorMessage .= $app->tform->lng("invalid_custom_php_ini_settings_txt").'<br>';
         }
      }
		
      // Check custom PHP version
      if(isset($this->dataRecord['fastcgi_php_version']) && $this->dataRecord['fastcgi_php_version'] != '') {
         // Check php-fpm mode
         if($this->dataRecord['php'] == 'php-fpm'){
            $tmp = $app->db->queryOneRecord("SELECT * FROM server_php WHERE CONCAT(name,':',php_fpm_init_script,':',php_fpm_ini_dir,':',php_fpm_pool_dir) = '".$app->db->quote($this->dataRecord['fastcgi_php_version'])."'");
            if(is_array($tmp)) {
               $this->dataRecord['fastcgi_php_version'] = $tmp['name'].':'.$tmp['php_fpm_init_script'].':'.$tmp['php_fpm_ini_dir'].':'.$tmp['php_fpm_pool_dir'];
            } else {
               $this->dataRecord['fastcgi_php_version'] = '';
            }
            unset($tmp);
         // Check fast-cgi mode
         } elseif($this->dataRecord['php'] == 'fast-cgi') {
            $tmp = $app->db->queryOneRecord("SELECT * FROM server_php WHERE CONCAT(name,':',php_fastcgi_binary,':',php_fastcgi_ini_dir) = '".$app->db->quote($this->dataRecord['fastcgi_php_version'])."'");
            if(is_array($tmp)) {
               $this->dataRecord['fastcgi_php_version'] = $tmp['name'].':'.$tmp['php_fastcgi_binary'].':'.$tmp['php_fastcgi_ini_dir'];
            } else {
               $this->dataRecord['fastcgi_php_version'] = '';
            }
            unset($tmp);
         } else {
            // Other PHP modes do not have custom versions, so we force the value to be empty
            $this->dataRecord['fastcgi_php_version'] = '';
         }
      }
		

      parent::onSubmit();
   }