From 37614a24f5add6d6753c9418cf6b2f08b8425ff3 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 07 Aug 2013 10:39:00 -0400
Subject: [PATCH] - nginx: improved rewrite rule checks. - Added rewrite rule checks to nginx plugin.

---
 interface/web/sites/web_domain_edit.php               |    5 ++
 interface/web/sites/templates/web_domain_redirect.htm |    2 
 server/plugins-available/nginx_plugin.inc.php         |   80 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/interface/web/sites/templates/web_domain_redirect.htm b/interface/web/sites/templates/web_domain_redirect.htm
index faff044..35d3bdc 100644
--- a/interface/web/sites/templates/web_domain_redirect.htm
+++ b/interface/web/sites/templates/web_domain_redirect.htm
@@ -23,7 +23,7 @@
             </div>
 			<div class="ctrlHolder nginx">
                 <label for="rewrite_rules">{tmpl_var name='rewrite_rules_txt'}</label>
-                <textarea name="rewrite_rules" id="rewrite_rules" rows='10' cols='50' style="width:400px;">{tmpl_var name='rewrite_rules'}</textarea>&nbsp;<b>{tmpl_var name="allowed_rewrite_rule_directives_txt"}</b><br><br>&nbsp;break<br>&nbsp;if<br>&nbsp;return<br>&nbsp;rewrite<br>&nbsp;set
+                <textarea name="rewrite_rules" id="rewrite_rules" rows='10' cols='50' style="width:400px;">{tmpl_var name='rewrite_rules'}</textarea>&nbsp;<b>{tmpl_var name="allowed_rewrite_rule_directives_txt"}</b><br><br>&nbsp;break<br>&nbsp;if<br>&nbsp;return<br>&nbsp;rewrite<br>&nbsp;set<br><br>&nbsp;<a href="http://wiki.nginx.org/HttpRewriteModule" target="_blank">http://wiki.nginx.org/HttpRewriteModule</a>
             </div>
         </fieldset>
 
diff --git a/interface/web/sites/web_domain_edit.php b/interface/web/sites/web_domain_edit.php
index b4ccb73..2a83485 100644
--- a/interface/web/sites/web_domain_edit.php
+++ b/interface/web/sites/web_domain_edit.php
@@ -653,6 +653,10 @@
 			$rewrite_rule_lines = explode("\n", $rewrite_rules);
 			if(is_array($rewrite_rule_lines) && !empty($rewrite_rule_lines)){
 				foreach($rewrite_rule_lines as $rewrite_rule_line){
+					// ignore comments
+					if(substr(ltrim($rewrite_rule_line),0,1) == '#') continue;
+					// empty lines
+					if(trim($rewrite_rule_line) == '') continue;
 					// rewrite
 					if(preg_match('@^\s*rewrite\s+(^/)?\S+(\$)?\s+\S+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $rewrite_rule_line)) continue;
 					// if
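Review bot: The comment and empty-line skipping added here, together with the directive patterns that follow, are now duplicated verbatim in the nginx plugin's new validator in this commit; two copies of the same allow-list will drift, so keep the patterns in one shared helper that both the interface and the server plugin call. The new checks use loose `==` (`substr(ltrim($rewrite_rule_line),0,1) == '#'`, `trim($rewrite_rule_line) == ''`); with string operands this works, but `===` is the idiom and avoids numeric-string coercion surprises. The rewrite pattern on the context line just below contains `(^/)?`, a dead group — `^` cannot match mid-string, so it never matches and can be dropped. The enclosing function starts and ends outside the hunk.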
@@ -667,7 +671,6 @@
 					}
 					// break
 					if(preg_match('@^\s*break\s*;\s*$@', $rewrite_rule_line)){
-						$if_level += 1;
 						continue;
 					}
 					// return code [ text ]
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 8fc016d..dc3c4df 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -940,6 +940,7 @@
 		if($vhost_data['php'] == 'fast-cgi') $vhost_data['php'] = 'php-fpm';
 		
 		// Custom rewrite rules
+		/*
 		$final_rewrite_rules = array();
 		$custom_rewrite_rules = $data['new']['rewrite_rules'];
 		// Make sure we only have Unix linebreaks
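Review bot: The previous rewrite-rule block is commented out with `/*` rather than removed (the matching `*/` lands in the next hunk); the replacement block that follows fully supersedes it and git keeps the history, so delete the dead code instead of leaving it in the file. The enclosing method starts outside the hunk.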
@@ -952,6 +953,85 @@
 			}
 		}
 		$tpl->setLoop('rewrite_rules', $final_rewrite_rules);
+		*/
+		
+		// Custom rewrite rules
+		$final_rewrite_rules = array();
+		
+		if(isset($data['new']['rewrite_rules']) && trim($data['new']['rewrite_rules']) != '') {
+			$custom_rewrite_rules = trim($data['new']['rewrite_rules']);
+			$custom_rewrites_are_valid = true;
+			// use this counter to make sure all curly brackets are properly closed
+			$if_level = 0;
+			// Make sure we only have Unix linebreaks
+			$custom_rewrite_rules = str_replace("\r\n", "\n", $custom_rewrite_rules);
+			$custom_rewrite_rules = str_replace("\r", "\n", $custom_rewrite_rules);
+			$custom_rewrite_rule_lines = explode("\n", $custom_rewrite_rules);
+			if(is_array($custom_rewrite_rule_lines) && !empty($custom_rewrite_rule_lines)){
+				foreach($custom_rewrite_rule_lines as $custom_rewrite_rule_line){
+					// ignore comments
+					if(substr(ltrim($custom_rewrite_rule_line),0,1) == '#'){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// empty lines
+					if(trim($custom_rewrite_rule_line) == ''){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// rewrite
+					if(preg_match('@^\s*rewrite\s+(^/)?\S+(\$)?\s+\S+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// if
+					if(preg_match('@^\s*if\s+\(\s*\$\S+(\s+(\!?(=|~|~\*))\s+(\S+|\".+\"))?\s*\)\s*\{\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level += 1;
+						continue;
+					}
+					// if - check for files, directories, etc.
+					if(preg_match('@^\s*if\s+\(\s*\!?-(f|d|e|x)\s+\S+\s*\)\s*\{\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level += 1;
+						continue;
+					}
+					// break
+					if(preg_match('@^\s*break\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// return code [ text ]
+					if(preg_match('@^\s*return\s+\d\d\d.*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// return code URL
+					// return URL
+					if(preg_match('@^\s*return(\s+\d\d\d)?\s+(http|https|ftp)\://([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*\@)*((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|localhost|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.(com|edu|gov|int|mil|net|org|biz|arpa|info|name|pro|aero|coop|museum|[a-zA-Z]{2}))(\:[0-9]+)*(/($|[a-zA-Z0-9\.\,\?\'\\\+&%\$#\=~_\-]+))*\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// set
+					if(preg_match('@^\s*set\s+\$\S+\s+\S+\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// closing curly bracket
+					if(trim($custom_rewrite_rule_line) == '}'){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level -= 1;
+						continue;
+					}
+					$custom_rewrites_are_valid = false;
+					break;
+				}
+			}
+			if(!$custom_rewrites_are_valid || $if_level != 0){
+				$final_rewrite_rules = array();
+			}
+		}
+		$tpl->setLoop('rewrite_rules', $final_rewrite_rules);
 		
 		// Custom nginx directives
 		$final_nginx_directives = array();
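Review bot: The quoted-string alternative `\".+\"` in the `if` pattern and the `.*` after the status code in the `return` pattern accept nginx's own delimiters `;`, `{` and `}`, so a single line that passes this check can still carry further directives into the generated vhost — and since this field is presumably editable by the site owner, these patterns are the trust boundary between a customer and the server-wide nginx config. Tighten every free-text sub-pattern to exclude those delimiters, e.g. `\"[^\"]+\"` and `(\s+[^;{}]*)?`, and apply the same change to the copies in web_domain_edit.php (the interface check can be bypassed, so this server-side one is the one that matters). The `}` branch decrements `$if_level` below zero without failing, so a stray `}` followed by a later `if` still ends at `$if_level == 0` and a brace that would close the enclosing block reaches nginx; reject as soon as `$if_level < 1`. When validation fails the rules are dropped silently, so the operator cannot tell why they vanished from the vhost — log it. The enclosing method continues outside the hunk.

```php
					// if
					// quoted value may not contain a closing quote, otherwise ; { } inside
					// the "string" let further directives ride on this line
					if(preg_match('@^\s*if\s+\(\s*\$\S+(\s+(\!?(=|~|~\*))\s+(\S+|\"[^\"]+\"))?\s*\)\s*\{\s*$@', $custom_rewrite_rule_line)){
						// … unchanged: append line, $if_level += 1, continue …
					}
					// … unchanged: -f/-d/-e/-x if, break …
					// return code [ text ] - free text may not contain nginx delimiters ; { }
					if(preg_match('@^\s*return\s+\d\d\d(\s+[^;{}]*)?\s*;\s*$@', $custom_rewrite_rule_line)){
						// … unchanged: append line, continue …
					}
					// … unchanged: return URL, set …
					// closing curly bracket - may only close an if opened above
					if(trim($custom_rewrite_rule_line) == '}'){
						if($if_level < 1){
							$custom_rewrites_are_valid = false;
							break;
						}
						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
						$if_level -= 1;
						continue;
					}
					// … unchanged: mark invalid, break …
			if(!$custom_rewrites_are_valid || $if_level != 0){
				// assumes $app is in scope here as elsewhere in this plugin
				$app->log('Custom rewrite rules did not pass validation and were ignored.', LOGLEVEL_WARN);
				$final_rewrite_rules = array();
			}
```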

--
Gitblit v1.9.1