ISPConfig3 devel
parent: c16e77ca | patch | commit | ignore whitespace
ftimme
2012-11-14 8a14553700a42141e7271bf795e327432664619c 
- nginx: added security checks when deleting vhost subdomains, so no paths still used by other subdomains or the main web get deleted accidently
- added check for vhostsubdomains to remove beginning and trailing slashes from web path.
- removed check for duplicate folder usage.
2 files modified
63 ■■■■■ changed files
interface/web/sites/web_vhost_subdomain_edit.php 4 ●●●● patch | view | raw | blame | history
server/plugins-available/nginx_plugin.inc.php 59 ●●●●● patch | view | raw | blame | history 
 interface/web/sites/web_vhost_subdomain_edit.php


@@ -369,6 +369,8 @@


            


            


            $this->dataRecord['web_folder'] = strtolower($this->dataRecord['web_folder']);


            if(substr($this->dataRecord['web_folder'], 0, 1) === '/') $this->dataRecord['web_folder'] = substr($this->dataRecord['web_folder'], 1);


            if(substr($this->dataRecord['web_folder'], -1) === '/') $this->dataRecord['web_folder'] = substr($this->dataRecord['web_folder'], 0, -1);


            $forbidden_folders = array('', 'cgi-bin', 'log', 'private', 'ssl', 'tmp', 'webdav');


            $check_folder = strtolower($this->dataRecord['web_folder']);


            if(substr($check_folder, 0, 1) === '/') $check_folder = substr($check_folder, 1); // strip / at beginning to check against forbidden entries


@@ -377,10 +379,12 @@


                $app->tform->errorMessage .= $app->tform->lng("web_folder_invalid_txt")."<br>";


            }


            // check for duplicate folder usage


            /*


            $check = $app->db->queryOneRecord("SELECT COUNT(*) as `cnt` FROM `web_domain` WHERE `type` = 'vhostsubdomain' AND `parent_domain_id` = '" . $app->functions->intval($this->dataRecord['parent_domain_id']) . "' AND `web_folder` = '" . $app->db->quote($this->dataRecord['web_folder']) . "' AND `domain_id` != '" . $app->functions->intval($this->id) . "'");


            if($check && $check['cnt'] > 0) {


                $app->tform->errorMessage .= $app->tform->lng("web_folder_unique_txt")."<br>";


            }


            */


        } else {


            $this->dataRecord["domain"] = $this->dataRecord["domain"].'.'.$parent_domain["domain"];


        }




 server/plugins-available/nginx_plugin.inc.php


@@ -1619,8 +1619,63 @@


            if($data['old']['type'] == 'vhost' || $data['old']['type'] == 'vhostsubdomain') {


                $docroot = escapeshellcmd($data['old']['document_root']);


                if($docroot != '' && !stristr($docroot,'..')) {


                    if($data['old']['type'] == 'vhost') exec('rm -rf '.$docroot);


                    elseif(!stristr($data['old']['web_folder'], '..')) exec('rm -rf '.$docroot.'/'.$web_folder);


                    if($data['old']['type'] == 'vhost') {


                        // this is a vhost - we delete everything in here.


                        exec('rm -rf '.$docroot);


                    } elseif(!stristr($data['old']['web_folder'], '..')) {


                        // this is a vhost subdomain


                        // IMPORTANT: do some folder checks before we delete this!


                        $do_delete = true;


                        $delete_folder = preg_replace('/[\/]{2,}/', '/', $web_folder); // replace / occuring multiple times


                        if(substr($delete_folder, 0, 1) === '/') $delete_folder = substr($delete_folder, 1);


                        if(substr($delete_folder, -1) === '/') $delete_folder = substr($delete_folder, 0, -1);


                        


                        $path_elements = explode('/', $delete_folder);


                        


                        if($path_elements[0] == 'web' || $path_elements[0] === '') {


                            // paths beginning with /web should NEVER EVER be deleted, empty paths should NEVER occur - but for safety reasons we check it here!


                            // we use strict check as otherwise directories named '0' may not be deleted


                            $do_delete = false;


                        } else {


                            // read all vhost subdomains with same parent domain


                            $used_paths = array();


                            $tmp = $app->db->queryAllRecords("SELECT `web_folder` FROM web_domain WHERE type = 'vhostsubdomain' AND parent_domain_id = ".intval($data['old']['parent_domain_id'])." AND domain_id != ".intval($data['old']['domain_id']));


                            foreach($tmp as $tmprec) {


                                // we normalize the folder entries because we need to compare them


                                $tmp_folder = preg_replace('/[\/]{2,}/', '/', $tmprec['web_folder']); // replace / occuring multiple times


                                if(substr($tmp_folder, 0, 1) === '/') $tmp_folder = substr($tmp_folder, 1);


                                if(substr($tmp_folder, -1) === '/') $tmp_folder = substr($tmp_folder, 0, -1);


                                


                                // add this path and it's parent paths to used_paths array


                                while(strpos($tmp_folder, '/') !== false) {


                                    if(in_array($tmp_folder, $used_paths) == false) $used_paths[] = $tmp_folder;


                                    $tmp_folder = substr($tmp_folder, 0, strrpos($tmp_folder, '/'));


                                }


                                if(in_array($tmp_folder, $used_paths) == false) $used_paths[] = $tmp_folder;


                            }


                            unset($tmp);


                            


                            // loop and check if the path is still used and stop at first used one


                            // set do_delete to false so nothing gets deleted if the web_folder itself is still used


                            $do_delete = false;


                            while(count($path_elements) > 0) {


                                $tmp_folder = implode('/', $path_elements);


                                if(in_array($tmp_folder, $used_paths) == true) break;


                                


                                // this path is not used - set it as path to delete, strip the last element from the array and set do_delete to true


                                $delete_folder = $tmp_folder;


                                $do_delete = true;


                                array_pop($path_elements);


                            }


                            unset($tmp_folder);


                            unset($used_paths);


                        }


                        


                        if($do_delete === true && $delete_folder !== '') exec('rm -rf '.$docroot.'/'.$delete_folder);


                        


                        unset($delete_folder);


                        unset($path_elements);


                    }


                }


            


                //remove the php fastgi starter script if available