From 08cc7f673c377bf88897743e340097e93f1e95f4 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 16 Jan 2013 09:30:05 -0500
Subject: [PATCH] - Changed regex for redirect path (Web sites, subdomains, vhost subdomains, alias domains) and web folder (vhost subdomains) so that ".." is not allowed (in order to prevent path traversals). - nginx: don't allow folders for proxy redirects (subdomains and alias domains); URL is required. - nginx: modified rewriting.
---
interface/web/sites/web_subdomain_edit.php | 35 ++++++++++++++++++++++-------------
1 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/interface/web/sites/web_subdomain_edit.php b/interface/web/sites/web_subdomain_edit.php
index 577078b..ae9ee07 100644
--- a/interface/web/sites/web_subdomain_edit.php
+++ b/interface/web/sites/web_subdomain_edit.php
@@ -45,7 +45,7 @@
$app->auth->check_module_permissions('sites');
// Loading classes
-$app->uses('tpl,tform,tform_actions');
+$app->uses('tpl,tform,tform_actions,tools_sites');
$app->load('tform_actions');
class page_action extends tform_actions {
@@ -77,16 +77,7 @@
/*
* The domain-module is in use.
*/
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
- /*
- * The admin can select ALL domains, the user only the domains assigned to him
- */
- $sql = "SELECT domain_id, domain FROM domain ";
- if ($_SESSION["s"]["user"]["typ"] != 'admin') {
- $sql .= "WHERE sys_groupid =" . $client_group_id;
- }
- $sql .= " ORDER BY domain";
- $domains = $app->db->queryAllRecords($sql);
+ $domains = $app->tools_sites->getDomainModuleDomains();
$domain_select = '';
$selected_domain = '';
if(is_array($domains) && sizeof($domains) > 0) {
@@ -120,6 +111,19 @@
}
$app->tpl->setVar("domain",$this->dataRecord["domain"]);
+ if($_SESSION["s"]["user"]["typ"] == 'admin') {
+ // Directive Snippets
+ $proxy_directive_snippets = $app->db->queryAllRecords("SELECT * FROM directive_snippets WHERE type = 'proxy' AND active = 'y'");
+ $proxy_directive_snippets_txt = '';
+ if(is_array($proxy_directive_snippets) && !empty($proxy_directive_snippets)){
+ foreach($proxy_directive_snippets as $proxy_directive_snippet){
+ $proxy_directive_snippets_txt .= '<a href="javascript:void(0);" class="addPlaceholderContent">['.$proxy_directive_snippet['name'].']<pre class="addPlaceholderContent" style="display:none;">'.$proxy_directive_snippet['snippet'].'</pre></a> ';
+ }
+ }
+ if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------';
+ $app->tpl->setVar("proxy_directive_snippets_txt",$proxy_directive_snippets_txt);
+ }
+
parent::onShowEnd();
}
@@ -134,15 +138,20 @@
$settings = $app->getconf->get_global_config('domains');
if ($settings['use_domain_module'] == 'y') {
// get the record of the domain module domain
- $domain = $app->db->queryOneRecord("SELECT * FROM domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["sel_domain"]));
+ $domain = $app->tools_sites->checkDomainModuleDomain($this->dataRecord['sel_domain']);
if(!$domain) {
$app->tform->errorMessage .= $app->tform->lng("domain_error_empty")."<br />";
} else {
- $this->dataRecord['domain'] = $this->dataRecord['domain'] . '.' . $domain['domain'];
+ $this->dataRecord['domain'] = $this->dataRecord['domain'] . '.' . $domain;
}
} else {
$this->dataRecord["domain"] = $this->dataRecord["domain"].'.'.$parent_domain["domain"];
}
+
+ // nginx: if redirect type is proxy and redirect path is no URL, display error
+ if($this->dataRecord["redirect_type"] == 'proxy' && substr($this->dataRecord['redirect_path'],0,1) == '/'){
+ $app->tform->errorMessage .= $app->tform->lng("error_proxy_requires_url")."<br />";
+ }
// Set a few fixed values
$this->dataRecord["type"] = 'subdomain';
--
Gitblit v1.9.1