From 08cc7f673c377bf88897743e340097e93f1e95f4 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 16 Jan 2013 09:30:05 -0500
Subject: [PATCH] - Changed regex for redirect path (Web sites, subdomains, vhost subdomains, alias domains) and web folder (vhost subdomains) so that ".." is not allowed (in order to prevent path traversals). - nginx: don't allow folders for proxy redirects (subdomains and alias domains); URL is required. - nginx: modified rewriting.
---
 interface/lib/classes/client_templates.inc.php | 47 ++++++++++++++++++++++++++++++++++-------------
 1 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/interface/lib/classes/client_templates.inc.php b/interface/lib/classes/client_templates.inc.php
index 7c86fcf..c2ef0bb 100644
--- a/interface/lib/classes/client_templates.inc.php
+++ b/interface/lib/classes/client_templates.inc.php
@@ -12,10 +12,12 @@
 function apply_client_templates($clientId) {
 global $app;
+ include('../client/form/client.tform.php');
+
 /*
 * Get the master-template for the client
 */
- $sql = "SELECT template_master, template_additional FROM client WHERE client_id = " . intval($clientId);
+ $sql = "SELECT template_master, template_additional FROM client WHERE client_id = " . $app->functions->intval($clientId);
 $record = $app->db->queryOneRecord($sql);
 $masterTemplateId = $record['template_master'];
 $additionalTemplateStr = $record['template_additional'];
@@ -24,7 +26,7 @@
 * if the master-Template is custom there is NO changing
 */
 if ($masterTemplateId > 0){
- $sql = "SELECT * FROM client_template WHERE template_id = " . intval($masterTemplateId);
+ $sql = "SELECT * FROM client_template WHERE template_id = " . $app->functions->intval($masterTemplateId);
 $limits = $app->db->queryOneRecord($sql);
 } else {
 // if there is no master template it makes NO SENSE adding sub templates.
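Review bot: The added `include('../client/form/client.tform.php');` resolves the path against the calling script's working directory (or include_path), not against this class file, so it only works when the caller runs from a directory beside the client module; from any other entry point the include fails with a warning and `$form` stays undefined, which the later `$form["tabs"]["limits"]…` lookups turn into notices and a null form type. Anchoring it on the file location, e.g. `include(__DIR__ . '/../../web/client/form/client.tform.php');` (assuming the form file lives under interface/web/client/form — confirm), or on a web-path constant if the config defines one, removes that dependency. Note also that the commit message describes redirect-regex and nginx changes that do not appear in this one-file diff, so the description should match what is committed. apply_client_templates continues past the hunk.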
@@ -40,13 +42,16 @@
 $addTpl = explode('/', $additionalTemplateStr);
 foreach ($addTpl as $item){
 if (trim($item) != ''){
- $sql = "SELECT * FROM client_template WHERE template_id = " . intval($item);
+ $sql = "SELECT * FROM client_template WHERE template_id = " . $app->functions->intval($item);
 $addLimits = $app->db->queryOneRecord($sql);
+ $app->log('Template processing subtemplate ' . $item . ' for client ' . $clientId, LOGLEVEL_DEBUG);
 /* maybe the template is deleted in the meantime */
 if (is_array($addLimits)){
 foreach($addLimits as $k => $v){
 /* we can remove this condition, but it is easier to debug with it (don't add ids and other non-limit values) */
- if (strpos($k, 'limit') !== false){
+ if (strpos($k, 'limit') !== false or $k == 'ssh_chroot' or $k == 'web_php_options' or $k == 'force_suexec'){
+ $app->log('Template processing key ' . $k . ' for client ' . $clientId, LOGLEVEL_DEBUG);
+
 /* process the numerical limits */
 if (is_numeric($v)){
 /* switch for special cases */
@@ -71,7 +76,7 @@
 }
 /* process the string limits (CHECKBOXARRAY, SELECT etc.) */
 elseif (is_string($v)){
- switch ($app->tform->formDef["tabs"]["limits"]["fields"][$k]['formtype']){
+ switch ($form["tabs"]["limits"]["fields"][$k]['formtype']){
 case 'CHECKBOXARRAY':
 if (!isset($limits[$k])){
 $limits[$k] = array();
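Review bot: The widened condition `if (strpos($k, 'limit') !== false or $k == 'ssh_chroot' or …)` mixes the low-precedence `or` with `!==` and `==`, while the rest of this file uses `||` (see the in_array chain in the CHECKBOXARRAY case); it evaluates correctly only because the whole expression is the if subject, and a reader has to work that out. `if (strpos($k, 'limit') !== false || in_array($k, array('ssh_chroot', 'web_php_options', 'force_suexec'), true)){` says the same thing without the precedence trap and keeps the whitelist in one place. The three added keys are access-control settings rather than quotas, and the merge that follows keeps the least restrictive value, so a comment such as `/* ssh_chroot, web_php_options and force_suexec are merged like limits: the least restrictive value wins */` would tell the next maintainer why they are whitelisted here. The foreach body continues past the hunk.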
@@ -79,20 +84,34 @@
 $limits_values = $limits[$k];
 if (is_string($limits[$k])){
- $limits_values = explode($app->tform->formDef["tabs"]["limits"]["fields"][$k]["separator"],$limits[$k]);
+ $limits_values = explode($form["tabs"]["limits"]["fields"][$k]["separator"],$limits[$k]);
 }
- $additional_values = explode($app->tform->formDef["tabs"]["limits"]["fields"][$k]["separator"],$v);
-
+ $additional_values = explode($form["tabs"]["limits"]["fields"][$k]["separator"],$v);
+ $app->log('Template processing key ' . $k . ' type CHECKBOXARRAY, lim / add: ' . implode(',', $limits_values) . ' / ' . implode(',', $additional_values) . ' for client ' . $clientId, LOGLEVEL_DEBUG);
 /* unification of limits_values (master template) and additional_values (additional template) */
 $limits_unified = array();
- foreach($app->tform->formDef["tabs"]["limits"]["fields"][$k]["value"] as $key => $val){
+ foreach($form["tabs"]["limits"]["fields"][$k]["value"] as $key => $val){
 if (in_array($key,$limits_values) || in_array($key,$additional_values)) $limits_unified[] = $key;
 }
- $limits[$k] = implode($app->tform->formDef["tabs"]["limits"]["fields"][$k]["separator"],$limits_unified);
+ $limits[$k] = implode($form["tabs"]["limits"]["fields"][$k]["separator"],$limits_unified);
 break;
-
+ case 'CHECKBOX':
+ if($k == 'force_suexec') {
+ // 'n' is less limited than y
+ if (!isset($limits[$k])){
+ $limits[$k] = 'y';
+ }
+ if($limits[$k] == 'n' || $v == 'n') $limits[$k] = 'n';
+ } else {
+ // 'y' is less limited than n
+ if (!isset($limits[$k])){
+ $limits[$k] = 'n';
+ }
+ if($limits[$k] == 'y' || $v == 'y') $limits[$k] = 'y';
+ }
+ break;
 case 'SELECT':
- $limit_values = array_keys($app->tform->formDef["tabs"]["limits"]["fields"][$k]["value"]);
+ $limit_values = array_keys($form["tabs"]["limits"]["fields"][$k]["value"]);
 /* choose the lower index of the two SELECT items */
 $limits[$k] = $limit_values[min(array_search($limits[$k], $limit_values), array_search($v, $limit_values))];
 break;
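Review bot: The new CHECKBOX case leaves its merge rule implied by two mirror-image branches, and the rule is security-relevant: for force_suexec the value 'n' wins, so a single additional template that switches suexec off disables it for the client regardless of the master template, while for every other checkbox 'y' wins. A comment above `case 'CHECKBOX':` should say so, e.g. `// checkboxes merge to the least restrictive value: 'n' for force_suexec (suexec off), 'y' for everything else`. The two branches can then collapse into `$open = ($k == 'force_suexec') ? 'n' : 'y';`, `if (!isset($limits[$k])) $limits[$k] = ($open == 'y') ? 'n' : 'y';`, `if ($limits[$k] == $open || $v == $open) $limits[$k] = $open;`, which keeps the behaviour and leaves one place to read the rule. Separately, the SELECT case on the context lines below calls array_search without checking for false, so a value missing from the form definition appears to fall back to index 0; that is pre-existing and not introduced here.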
@@ -114,9 +133,11 @@
 $update .= '`' . $k . "`='" . $v . "'";
 }
 }
+ $app->log('Template processed for client ' . $clientId . ', update string: ' . $update, LOGLEVEL_DEBUG);
 if($update != '') {
- $sql = 'UPDATE client SET ' . $update . " WHERE client_id = " . intval($clientId);
+ $sql = 'UPDATE client SET ' . $update . " WHERE client_id = " . $app->functions->intval($clientId);
 $app->db->query($sql);
 }
+ unset($form);
 }
 }
\ No newline at end of file
-- 
Gitblit v1.9.1
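Review bot: `$app->functions->intval($clientId)` now guards only the WHERE clause; the SET clause assembled on the context line `$update .= '`' . $k . "`='" . $v . "'";` still splices the merged template values into the statement unescaped. Those values come from client_template rows selected earlier in the function rather than from the request, so exposure is limited to what an administrator can store in a template, but a quote character in such a value breaks the UPDATE, and routing `$v` through the db layer's escaping helper (if the class provides one) would close that gap. The added `unset($form);` at the end of the function is a no-op for a function-local variable and can be dropped. The debug line writes the complete UPDATE string to the log, which is acceptable for limit values as long as it stays at LOGLEVEL_DEBUG. The enclosing function and class close inside the hunk.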