Extended path checks for ftp and shell users.

bbb954fd · tbrehm · 217b8d78 · bbb954fd · bbb954fd · bbb954fd
Commit bbb954fd authored Apr 04, 2012 by tbrehm
6 changed files
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -106,6 +106,8 @@ class page_action extends tform_actions {
 		
 		if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
 		if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
 		
 		parent::onSubmit();
 	}

--- a/interface/web/sites/lib/lang/en_ftp_user.lng
+++ b/interface/web/sites/lib/lang/en_ftp_user.lng
@@ -26,4 +26,6 @@ $wb["directory_error_empty"] = 'Directory empty.';
 $wb['directory_error_notinweb'] = 'Directory not inside of web root directory.';
 $wb["parent_domain_id_error_empty"] = 'No website selected.';
 $wb["quota_size_error_regex"] = 'Quota: enter a -1 for unlimited or a number > 0';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
 ?>
--- a/interface/web/sites/lib/lang/en_shell_user.lng
+++ b/interface/web/sites/lib/lang/en_shell_user.lng
@@ -21,4 +21,6 @@ $wb["directory_error_empty"] = 'Directory empty.';
 $wb["limit_shell_user_txt"] = 'The max number of shell users is reached.';
 $wb["parent_domain_id_error_empty"] = 'No website selected.';
 $wb["ssh_rsa_txt"] = 'SSH-RSA Public Key (for key-based logins)';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
 ?>
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -111,6 +111,8 @@ class page_action extends tform_actions {
 		
 		if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
 		if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
 		
 		if(isset($this->dataRecord['ssh_rsa'])) $this->dataRecord['ssh_rsa'] = trim($this->dataRecord['ssh_rsa']);
 		

--- a/server/plugins-available/ftpuser_base_plugin.inc.php
+++ b/server/plugins-available/ftpuser_base_plugin.inc.php
@@ -74,6 +74,12 @@ class ftpuser_base_plugin {
      
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
      
+	  //* Check if the resulting path is inside the docroot
+	  if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+		$app->log('User dir is outside of docroot.',LOGLEVEL_WARN);
+		return false;
+	  }
+	  
      exec('mkdir -p '.escapeshellcmd($data['new']['dir']));
      exec('chown '.escapeshellcmd($web["system_user"]).':'.escapeshellcmd($web['system_group']).' '.$data['new']['dir']);
      
@@ -90,6 +96,12 @@ class ftpuser_base_plugin {
      
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
      
+	  //* Check if the resulting path is inside the docroot
+	  if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+		$app->log('User dir is outside of docroot.',LOGLEVEL_WARN);
+		return false;
+	  }
+	  
      exec('mkdir -p '.escapeshellcmd($data['new']['dir']));
      exec('chown '.escapeshellcmd($web["system_user"]).':'.escapeshellcmd($web['system_group']).' '.$data['new']['dir']);
      

--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -72,6 +72,13 @@ class shelluser_base_plugin {
 		
 		$app->uses('system');
 		
+		//* Check if the resulting path is inside the docroot
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
+		if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+			$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+			return false;
+		}
+		
 		if($app->system->is_user($data['new']['puser'])) {
 			// Get the UID of the parent user
 			$uid = intval($app->system->getuid($data['new']['puser']));
@@ -121,6 +128,13 @@ class shelluser_base_plugin {
 		
 		$app->uses('system');
 		
+		//* Check if the resulting path is inside the docroot
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
+		if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+			$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+			return false;
+		}
+		
 		if($app->system->is_user($data['new']['puser'])) {
 			// Get the UID of the parent user
 			$uid = intval($app->system->getuid($data['new']['puser']));