Skip to content

GitLab

I
ISPConfig 3
Commit bbb954fd authored by tbrehm's avatar tbrehm
Browse files
Options

Extended path checks for ftp and shell users.

parent 217b8d78
Hide whitespace changes
Inline Side-by-side
Showing with 34 additions and 0 deletions
interface/web/sites/ftp_user_edit.php
View file @ bbb954fd
......@@ -106,6 +106,8 @@ class page_action extends tform_actions {
if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
parent::onSubmit();
}
......
interface/web/sites/lib/lang/en_ftp_user.lng
View file @ bbb954fd
......@@ -26,4 +26,6 @@ $wb["directory_error_empty"] = 'Directory empty.';
$wb['directory_error_notinweb'] = 'Directory not inside of web root directory.';
$wb["parent_domain_id_error_empty"] = 'No website selected.';
$wb["quota_size_error_regex"] = 'Quota: enter a -1 for unlimited or a number > 0';
$wb['dir_dot_error'] = 'No .. in path allowed.';
$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
?>
interface/web/sites/lib/lang/en_shell_user.lng
View file @ bbb954fd
......@@ -21,4 +21,6 @@ $wb["directory_error_empty"] = 'Directory empty.';
$wb["limit_shell_user_txt"] = 'The max number of shell users is reached.';
$wb["parent_domain_id_error_empty"] = 'No website selected.';
$wb["ssh_rsa_txt"] = 'SSH-RSA Public Key (for key-based logins)';
$wb['dir_dot_error'] = 'No .. in path allowed.';
$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
?>
interface/web/sites/shell_user_edit.php
View file @ bbb954fd
......@@ -111,6 +111,8 @@ class page_action extends tform_actions {
if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
if(isset($this->dataRecord['ssh_rsa'])) $this->dataRecord['ssh_rsa'] = trim($this->dataRecord['ssh_rsa']);
......
server/plugins-available/ftpuser_base_plugin.inc.php
View file @ bbb954fd
......@@ -74,6 +74,12 @@ class ftpuser_base_plugin {
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
//* Check if the resulting path is inside the docroot
if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
$app->log('User dir is outside of docroot.',LOGLEVEL_WARN);
return false;
}
exec('mkdir -p '.escapeshellcmd($data['new']['dir']));
exec('chown '.escapeshellcmd($web["system_user"]).':'.escapeshellcmd($web['system_group']).' '.$data['new']['dir']);
......@@ -90,6 +96,12 @@ class ftpuser_base_plugin {
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
//* Check if the resulting path is inside the docroot
if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
$app->log('User dir is outside of docroot.',LOGLEVEL_WARN);
return false;
}
exec('mkdir -p '.escapeshellcmd($data['new']['dir']));
exec('chown '.escapeshellcmd($web["system_user"]).':'.escapeshellcmd($web['system_group']).' '.$data['new']['dir']);
......
server/plugins-available/shelluser_base_plugin.inc.php
View file @ bbb954fd
......@@ -72,6 +72,13 @@ class shelluser_base_plugin {
$app->uses('system');
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
return false;
}
if($app->system->is_user($data['new']['puser'])) {
// Get the UID of the parent user
$uid = intval($app->system->getuid($data['new']['puser']));
......@@ -121,6 +128,13 @@ class shelluser_base_plugin {
$app->uses('system');
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
return false;
}
if($app->system->is_user($data['new']['puser'])) {
// Get the UID of the parent user
$uid = intval($app->system->getuid($data['new']['puser']));
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment