From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty
---
 interface/web/tools/import_ispconfig.php | 174 ++++++++++++++++++++++++++++++++------------------
 1 files changed, 98 insertions(+), 76 deletions(-)
diff --git a/interface/web/tools/import_ispconfig.php b/interface/web/tools/import_ispconfig.php
index eb0a2f3..efcf022 100644
--- a/interface/web/tools/import_ispconfig.php
+++ b/interface/web/tools/import_ispconfig.php
@@ -27,8 +27,8 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -require_once('../../lib/config.inc.php'); -require_once('../../lib/app.inc.php'); +require_once '../../lib/config.inc.php'; +require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin');
@@ -45,11 +45,15 @@ //* load language file $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_import_ispconfig.lng'; -include($lng_file); +include $lng_file; $app->tpl->setVar($wb); if(isset($_POST['connected'])) { - $connected = intval($_POST['connected']); + + //* CSRF Check + $app->auth->csrf_token_check(); + + $connected = $app->functions->intval($_POST['connected']); if($connected == 0) { //* Try to connect to remote server
@@ -60,11 +64,11 @@ if($error == '') { try { $client = new SoapClient(null, array('location' => $_POST['remote_server'], - 'uri' => $_POST['remote_server'].'/index.php', - 'trace' => 1, - 'exceptions' => 1)); - - if($remote_session_id = $client->login($_POST['remote_user'],$_POST['remote_password'])) { + 'uri' => $_POST['remote_server'].'/index.php', + 'trace' => 1, + 'exceptions' => 1)); + + if($remote_session_id = $client->login($_POST['remote_user'], $_POST['remote_password'])) { $connected = 1; $msg .= 'Successfully connected to remote server.'; }
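Review bot: The CSRF check added in the -45 hunk runs before any posted field is used, which is the right placement, but `$_POST['remote_server']` is still taken unvalidated as the SoapClient `location` and `uri` in the -60 hunk, so the credentials passed to `login()` are sent to whatever scheme and host the form carries. A scheme check ahead of the `new SoapClient(` line, e.g. `if(strpos($_POST['remote_server'], 'https://') !== 0) $error .= 'Remote server URL must start with https://<br />';`, keeps the admin's remote password off plaintext transport; `$error` is already consulted on the `if($error == '')` line just before. I also assume `$app->auth->csrf_token_check()` validates the `_csrf_id`/`_csrf_key` values the template sets later in this patch, but that cannot be confirmed from here. The `if(isset($_POST['connected']))` block these hunks belong to continues past the end of the hunk.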
@@ -75,9 +79,9 @@ } } } - + if($connected == 1) { - + //* Fill the client select field $sql = "SELECT groupid, name FROM sys_group WHERE client_id > 0 ORDER BY name"; $clients = $app->db->queryAllRecords($sql); 
@@ -88,80 +92,92 @@ $client_select .= "<option value='$client[groupid]' $selected>$client[name]</option>\r\n"; } } - $app->tpl->setVar("client_group_id",$client_select); - - + $app->tpl->setVar("client_group_id", $client_select); + + try { $client = new SoapClient(null, array('location' => $_POST['remote_server'], - 'uri' => $_POST['remote_server'].'/index.php', - 'trace' => 1, - 'exceptions' => 1)); - - if(!isset($remote_session_id)) $remote_session_id = $_POST['remote_session_id']; - - //* Get all email domains - $mail_domains = $client->mail_domain_get($remote_session_id, array('active' => 'y')); - $mail_domain_select = '<option value="">-- select domain --</option>'; - if(is_array($mail_domains)) { - foreach( $mail_domains as $mail_domain) { - $selected = @($mail_domain['domain'] == $_POST['mail_domain'])?'SELECTED':''; - $mail_domain_select .= "<option value='$mail_domain[domain]' $selected>$mail_domain[domain]</option>\r\n"; + 'uri' => $_POST['remote_server'].'/index.php', + 'trace' => 1, + 'exceptions' => 1)); + + if(!isset($remote_session_id)) $remote_session_id = $_POST['remote_session_id']; + + //* Get all email domains + $mail_domains = $client->mail_domain_get($remote_session_id, array('active' => 'y')); + $mail_domain_select = '<option value="">-- select domain --</option>'; + if(is_array($mail_domains)) { + foreach( $mail_domains as $mail_domain) { + $selected = @($mail_domain['domain'] == $_POST['mail_domain'])?'SELECTED':''; + $mail_domain_select .= "<option value='$mail_domain[domain]' $selected>$mail_domain[domain]</option>\r\n"; + } } - } - $app->tpl->setVar("mail_domain",$mail_domain_select); - - //* Do the import - if($_POST['mail_domain'] != '') start_domain_import($_POST['mail_domain']); - - - + $app->tpl->setVar("mail_domain", $mail_domain_select); + + //* Do the import + if($_POST['mail_domain'] != '') start_domain_import($_POST['mail_domain']); + + + } catch (SoapFault $e) { //echo $client->__getLastResponse(); $error .= $e->getMessage(); 
$connected = 0; } - + } - + } -$app->tpl->setVar('remote_server',$_POST['remote_server']); -$app->tpl->setVar('remote_user',$_POST['remote_user']); -$app->tpl->setVar('remote_password',$_POST['remote_password']); -$app->tpl->setVar('connected',$connected); -$app->tpl->setVar('remote_session_id',$remote_session_id); -$app->tpl->setVar('msg',$msg); -$app->tpl->setVar('error',$error); +$app->tpl->setVar('remote_server', $_POST['remote_server']); +$app->tpl->setVar('remote_user', $_POST['remote_user']); +$app->tpl->setVar('remote_password', $_POST['remote_password']); +$app->tpl->setVar('connected', $connected); +$app->tpl->setVar('remote_session_id', $remote_session_id); +$app->tpl->setVar('msg', $msg); +$app->tpl->setVar('error', $error); + +//* SET csrf token +$csrf_token = $app->auth->csrf_token_get('ispconfig_import'); +$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); +$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); $app->tpl_defaults(); $app->tpl->pparse(); -########################################################### +//########################################################## function start_domain_import($mail_domain) { global $app, $conf, $client, $msg, $error, $remote_session_id; - + //* Get the user and groupid for the new records - $sys_groupid = intval($_POST['client_group_id']); - $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = $sys_groupid"); - $sys_userid = intval($tmp['userid']); + $sys_groupid = $app->functions->intval($_POST['client_group_id']); + $tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = ?", $sys_groupid); + $sys_userid = $app->functions->intval($tmp['userid']); unset($tmp); if($sys_groupid == 0) $error .= 'Inavlid groupid<br />'; if($sys_userid == 0) $error .= 'Inavlid Userid<br />'; - + + //* Get the mail server ID + $tmp = $app->db->queryOneRecord("SELECT server_id FROM server WHERE mail_server = 1 and mirror_server_id = 0 LIMIT 0,1"); + $server_id = 
intval($tmp['server_id']); + unset($tmp); + if($server_id == 0) $server_id = 1; + //* get the mail domain record $mail_domain_rec = $client->mail_domain_get($remote_session_id, array('domain' => $mail_domain)); if(is_array($mail_domain_rec)) { $mail_domain_rec = $mail_domain_rec[0]; - $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE domain = '".$app->db->quote($mail_domain)."'"); + $tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE domain = ?", $mail_domain); if($tmp['number'] > 0) $error .= 'Domain '.$mail_domain.' exists already in local database.<br />'; unset($tmp); - + //* Change the record owner and remove the index field $mail_domain_rec['sys_userid'] = $sys_userid; $mail_domain_rec['sys_groupid'] = $sys_groupid; + $mail_domain_rec['server_id'] = $server_id; unset($mail_domain_rec['domain_id']); - + //* Insert domain if no error occurred if($error == '') { $app->db->datalogInsert('mail_domain', $mail_domain_rec, 'domain_id'); 
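Review bot: The new mail-server lookup falls back to `$server_id = 1` when no `mail_server = 1` row exists, so the imported domain is silently attached to server 1 whether or not that server handles mail; reporting it the way the groupid/userid checks just above do, `if($server_id == 0) $error .= 'No mail server found<br />';`, would abort the import instead of guessing. The same lines use bare `intval($tmp['server_id'])` while the rest of this hunk was moved to `$app->functions->intval(...)`; `$server_id = $app->functions->intval($tmp['server_id']);` keeps it consistent. In the reindented select-building loop, `$mail_domain[domain]` from the remote SOAP response is interpolated straight into `<option>` markup, as is `$client[name]` above it; wrapping both in `htmlspecialchars()` keeps data from a remote server from injecting markup into the admin page. `$remote_session_id` is only assigned inside the connected branches, so `setVar('remote_session_id', $remote_session_id)` reads an undefined variable on the first request; initialising it to `''` where `$connected` is initialised avoids the notice. `start_domain_import()` continues past the end of this hunk.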
@@ -169,38 +185,40 @@ } else { return false; } - + //* Import mailboxes if(isset($_POST['import_mailbox']) && $_POST['import_mailbox'] == 1) { $mail_users = $client->mail_user_get($remote_session_id, array('email' => '%@'.$mail_domain)); if(is_array($mail_users)) { foreach($mail_users as $mail_user) { - $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE email = '".$app->db->quote($mail_user['email'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(mailuser_id) as number FROM mail_user WHERE email = ?", $mail_user['email']); if($tmp['number'] == 0) { - + //* Prepare record $mail_user['sys_userid'] = $sys_userid; $mail_user['sys_groupid'] = $sys_groupid; + $mail_user['server_id'] = $server_id; $remote_mailuser_id = $mail_user['mailuser_id']; unset($mail_user['mailuser_id']); if(!isset($_POST['import_user_filter'])) $mail_user['custom_mailfilter'] = ''; - + //* Insert record in DB $local_mailuser_id = $app->db->datalogInsert('mail_user', $mail_user, 'mailuser_id'); $msg .= "Imported mailbox ".$mail_user['email']."<br />"; - + //* Import mail user filters if(isset($_POST['import_user_filter']) && $_POST['import_user_filter'] == 1 && $local_mailuser_id > 0) { - + $mail_user_filters = $client->mail_user_filter_get($remote_session_id, array('mailuser_id' => $remote_mailuser_id)); - + if(is_array($mail_user_filters)) { foreach($mail_user_filters as $mail_user_filter) { $mail_user_filter['sys_userid'] = $sys_userid; $mail_user_filter['sys_groupid'] = $sys_groupid; $mail_user_filter['mailuser_id'] = $local_mailuser_id; + $mail_user_filter['server_id'] = $server_id; unset($mail_user_filter['filter_id']); - + //* Insert record in DB $app->db->datalogInsert('mail_user_filter', $mail_user_filter, 'filter_id'); $msg .= "Imported mailbox filter ".$mail_user['email'].": ".$mail_user_filter['rulename']."<br />"; 
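Review bot: The `$mail_user` array returned by the remote `mail_user_get()` is written with `datalogInsert()` after only `sys_userid`, `sys_groupid`, `server_id` and `mailuser_id` are adjusted, so every other column the remote returns (which ones cannot be told from here) is trusted as-is; copying an explicit list of columns would make the import independent of the remote schema and keep a compromised or mismatched remote from writing arbitrary fields into the local tables. The alias, forward and spamfilter loops in the -210 hunk have the same shape. The `$msg .= "Imported mailbox ".$mail_user['email']."<br />";` line and its filter counterpart also interpolate remote-supplied addresses unescaped into the message rendered in the page, again mirrored in the -210 hunk. `start_domain_import()` starts before and ends after this hunk.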
@@ -210,94 +228,98 @@ } else { $error .= "Mailbox ".$mail_user['email']." exists in local database. Skipped import of mailbox<br />"; } - + } } } - + //* Import email aliases if(isset($_POST['import_alias']) && $_POST['import_alias'] == 1) { $mail_aliases = $client->mail_alias_get($remote_session_id, array('type' => 'alias', 'destination' => '%@'.$mail_domain)); if(is_array($mail_aliases)) { foreach($mail_aliases as $mail_alias) { - $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'alias' AND source = '".$app->db->quote($mail_alias['source'])."' AND destination = '".$app->db->quote($mail_alias['destination'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'alias' AND source = ? AND destination = ?", $mail_alias['source'], $mail_alias['destination']); if($tmp['number'] == 0) { $mail_alias['sys_userid'] = $sys_userid; $mail_alias['sys_groupid'] = $sys_groupid; + $mail_alias['server_id'] = $server_id; unset($mail_alias['forwarding_id']); $app->db->datalogInsert('mail_forwarding', $mail_alias, 'forwarding_id'); $msg .= "Imported email alias ".$mail_alias['source']."<br />"; } else { $error .= "Email alias ".$mail_alias['source']." exists in local database. 
Skipped import.<br />"; } - + } } } - + //* Import domain aliases if(isset($_POST['import_aliasdomain']) && $_POST['import_aliasdomain'] == 1) { $mail_aliases = $client->mail_alias_get($remote_session_id, array('type' => 'aliasdomain', 'destination' => '@'.$mail_domain)); if(is_array($mail_aliases)) { foreach($mail_aliases as $mail_alias) { - $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'aliasdomain' AND source = '".$app->db->quote($mail_alias['source'])."' AND destination = '".$app->db->quote($mail_alias['destination'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'aliasdomain' AND source = ? AND destination = ?", $mail_alias['source'], $mail_alias['destination']); if($tmp['number'] == 0) { $mail_alias['sys_userid'] = $sys_userid; $mail_alias['sys_groupid'] = $sys_groupid; + $mail_alias['server_id'] = $server_id; unset($mail_alias['forwarding_id']); $app->db->datalogInsert('mail_forwarding', $mail_alias, 'forwarding_id'); $msg .= "Imported email aliasdomain ".$mail_alias['source']."<br />"; } else { $error .= "Email aliasdomain ".$mail_alias['source']." exists in local database. Skipped import.<br />"; } - + } } } - + //* Import email forward if(isset($_POST['import_forward']) && $_POST['import_forward'] == 1) { $mail_forwards = $client->mail_forward_get($remote_session_id, array('type' => 'forward', 'source' => '%@'.$mail_domain)); if(is_array($mail_forwards)) { foreach($mail_forwards as $mail_forward) { - $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'forward' AND source = '".$app->db->quote($mail_forward['source'])."' AND destination = '".$app->db->quote($mail_forward['destination'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(forwarding_id) as number FROM mail_forwarding WHERE `type` = 'forward' AND source = ? 
AND destination = ?", $mail_forward['source'], $mail_forward['destination']); if($tmp['number'] == 0) { $mail_forward['sys_userid'] = $sys_userid; $mail_forward['sys_groupid'] = $sys_groupid; + $mail_forward['server_id'] = $server_id; unset($mail_forward['forwarding_id']); $app->db->datalogInsert('mail_forwarding', $mail_forward, 'forwarding_id'); $msg .= "Imported email forward ".$mail_forward['source']."<br />"; } else { $error .= "Email forward ".$mail_forward['source']." exists in local database. Skipped import.<br />"; } - + } } } - + //* Import spamfilter if(isset($_POST['import_spamfilter']) && $_POST['import_spamfilter'] == 1) { $mail_spamfilters = $client->mail_spamfilter_user_get($remote_session_id, array('email' => '%@'.$mail_domain)); if(is_array($mail_spamfilters)) { foreach($mail_spamfilters as $mail_spamfilter) { - $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_users WHERE email = '".$app->db->quote($mail_spamfilter['email'])."'"); + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM spamfilter_users WHERE email = ?", $mail_spamfilter['email']); if($tmp['number'] == 0) { $mail_spamfilter['sys_userid'] = $sys_userid; $mail_spamfilter['sys_groupid'] = $sys_groupid; + $mail_spamfilter['server_id'] = $server_id; unset($mail_spamfilter['id']); $app->db->datalogInsert('spamfilter_users', $mail_spamfilter, 'id'); $msg .= "Imported spamfilter user ".$mail_spamfilter['email']."<br />"; } else { $error .= "Spamfilter user ".$mail_spamfilter['email']." exists in local database. Skipped import.<br />"; } - + } } } } - + } -?> \ No newline at end of file +?> -- Gitblit v1.9.1
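Review bot: The new side keeps the closing `?>` tag at the end of a PHP-only file (the last two diff lines only add the missing trailing newline); dropping the tag altogether removes the chance of stray whitespace after it being emitted as output. A consistency point in the same hunk: the duplicate checks compare the COUNT result with `if($tmp['number'] == 0)` while this patch moves the other DB-sourced integers to `$app->functions->intval()`; `if($app->functions->intval($tmp['number']) == 0)` would match. The loops in this hunk belong to `start_domain_import()`, which begins in an earlier hunk.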