Merge branch 'develop' into 6202-support-for-borg-archive-in-backups

.gitlab-ci.yml

@@ -17,7 +17,7 @@ syntax:lint:
     - schedules
     - web
     - merge_requests
-    - /^\d+\.\d+\.\d+$/
+    - /^\d+\.\d+\.\d+(p\d+)?$/
 
   script:
     - echo "Syntax checking PHP files"
@@ -37,7 +37,7 @@ syntax_diff:lint:
     - schedules
     - web
     - merge_requests
-    - /^\d+\.\d+\.\d+$/
+    - /^\d+\.\d+\.\d+(p\d+)?$/
 
   script:
     - echo "Syntax checking PHP files"
@@ -81,7 +81,7 @@ build:package:
     image: edbizarro/gitlab-ci-pipeline-php:7.2
     only:
         refs:
-            - /^\d+\.\d+\.\d+$/
+            - /^\d+\.\d+\.\d+(p\d+)?$/
             - web
 
     script:
@@ -96,7 +96,7 @@ build:package:
         - tar -tvf ISPConfig-${VER}.tar.gz
         - echo "Uploading file to download server"
         - curl -u "${DEPLOY_FTP_USER}:${DEPLOY_FTP_PASSWORD}" -T ISPConfig-${VER}.tar.gz ftp://${DEPLOY_FTP_SERVER}/web/
-        - if [[ "$VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then echo "Stable release ${VER}" ; curl -u "${DEPLOY_FTP_USER}:${DEPLOY_FTP_PASSWORD}" -T ISPConfig-${VER}.tar.gz ftp://${DEPLOY_FTP_SERVER}/web/ISPConfig-3-stable.tar.gz ; echo -n "${VER}" > ispconfig3_version.txt ; curl -u "${DEPLOY_FTP_USER}:${DEPLOY_FTP_PASSWORD}" -T ispconfig3_version.txt ftp://${DEPLOY_FTP_SERVER}/web/ ; else echo "Dev release ${VER}" ; fi
+        - if [[ "$VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$ ]] ; then echo "Stable release ${VER}" ; curl -u "${DEPLOY_FTP_USER}:${DEPLOY_FTP_PASSWORD}" -T ISPConfig-${VER}.tar.gz ftp://${DEPLOY_FTP_SERVER}/web/ISPConfig-3-stable.tar.gz ; echo -n "${VER}" > ispconfig3_version.txt ; curl -u "${DEPLOY_FTP_USER}:${DEPLOY_FTP_PASSWORD}" -T ispconfig3_version.txt ftp://${DEPLOY_FTP_SERVER}/web/ ; else echo "Dev release ${VER}" ; fi
         - rm ISPConfig-${VER}.tar.gz
         - echo "Download url is https://download.ispconfig.org/ISPConfig-${VER}.tar.gz"
         

README.md

@@ -26,7 +26,7 @@ Development branch: [![pipeline status](https://git.ispconfig.org/ispconfig/ispc
 [^1]: not actively tested
 
 ## Supported operating systems
-- Debian 9, 10, and testing
+- Debian 9 - 11, and testing
 - Ubuntu 16.04 - 20.04
 - CentOS 7 and 8
 

install/lib/installer_base.lib.php

@@ -52,7 +52,7 @@ class installer_base {
 	}
 
 	public function update_acme() {
-		$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
 		$acme = reset($acme);
 		$val = 0;
 
@@ -1659,6 +1659,7 @@ class installer_base {
 		$content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content);
 		wf($conf['amavis']['config_dir'].'/conf.d/50-user', $content);
 		chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
+		chgrp($conf['amavis']['config_dir'].'/conf.d/50-user', 'amavis');
 
 		// TODO: chmod and chown on the config file
 
@@ -2965,7 +2966,7 @@ class installer_base {
 			$le_client = reset($le_client);
 
 			// Check for Neilpang acme.sh as well
-			$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+			$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
 			$acme = reset($acme);
 
 			if((!$acme || !is_executable($acme)) && (!$le_client || !is_executable($le_client))) {
@@ -2973,7 +2974,7 @@ class installer_base {
 				if(!$success) {
 					swriteln('Failed installing acme.sh. Will not be able to issue certificate during install.');
 				} else {
-					$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+					$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
 					$acme = reset($acme);
 					if($acme && is_executable($acme)) {
 						swriteln('Installed acme.sh and using it for certificate creation during install.');
@@ -3016,14 +3017,30 @@ class installer_base {
 			$issued_successfully = false;
 
 			// Backup existing ispserver ssl files
-			if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-				copy($ssl_crt_file, $ssl_crt_file . '-temporary.bak');
-			}
-			if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-				copy($ssl_key_file, $ssl_key_file . '-temporary.bak');
-			}
-			if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-				copy($ssl_pem_file, $ssl_pem_file . '-temporary.bak');
+			//
+			// We may find valid or broken symlinks or actual files here.
+			//
+			// - dangling links are broken and get perm renamed (should just delete?).
+			//   possibly web server can't start because vhost file points to non-existing cert files,
+			//   we're not trying to catch or fix that (and not making it worse)
+			//
+			// - link to valid file is tmp renamed, and file copied to original name.
+			//   if cert request is successful, remove the old symlink;
+			//   if cert request fails, remove file copy and rename symlink to original name
+			//
+			// - actual file copied to tmp name.
+			//   if cert request is successful, rename tmp copy to perm rename;
+			//   if cert request fails, delete tmp copy
+			$cert_files = array( $ssl_crt_file, $ssl_key_file, $ssl_pem_file );
+			foreach ($cert_files as $f) {
+				if (is_link($f) && ! file_exists($f)) {
+					rename($f, $f.'-'.$date->format('YmdHis').'.bak');
+				} elseif (is_link($f)) {
+					rename($f, $f.'-temporary.bak');
+					copy($f.'-temporary.bak', $f);
+				} elseif(file_exists($f)) {
+					copy($f, $f.'-temporary.bak');
+				}
 			}
 
 			// Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
@@ -3062,26 +3079,28 @@ class installer_base {
 					umask($old_umask);
 
 					// Make temporary backup of self-signed certs permanent
-					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
-						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
-					if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
-						rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
-					if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
-						rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+					foreach ($cert_files as $f) {
+						if (is_link($f.'-temporary.bak')) {
+							unlink($f.'-temporary.bak');
+						} elseif(file_exists($f.'-temporary.bak')) {
+							rename($f.'-temporary.bak', $f.'-'.$date->format('YmdHis').'.bak');
+						}
+					}
 
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 
 					umask($old_umask);
 
-					// Restore temporary backup of self-signed certs
-					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
-						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
-					if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
-						rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
-					if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
-						rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
-
+					// Restore/cleanup temporary backup of self-signed certs
+					foreach ($cert_files as $f) {
+						if (is_link($f.'-temporary.bak')) {
+							@unlink($f);
+							rename($f.'-temporary.bak', $f);
+						} elseif(file_exists($f.'-temporary.bak')) {
+							unlink($f.'-temporary.bak');
+						}
+					}
 				}
 			// Else, we attempt to use the official LE certbot client certbot
 			} else {
@@ -3120,23 +3139,26 @@ class installer_base {
 						$issued_successfully = true;
 
 						// Make temporary backup of self-signed certs permanent
-						if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
-							rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
-						if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
-							rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
-						if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
-							rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+						foreach ($cert_files as $f) {
+							if (is_link($f.'-temporary.bak')) {
+								unlink($f.'-temporary.bak');
+							} elseif(file_exists($f.'-temporary.bak')) {
+								rename($f.'-temporary.bak', $f.'-'.$date->format('YmdHis').'.bak');
+							}
+						}
 
 					} else {
 						swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
 
-						// Restore temporary backup of self-signed certs
-						if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
-							rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
-						if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
-							rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
-						if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
-							rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
+						// Restore/cleanup temporary backup of self-signed certs
+						foreach ($cert_files as $f) {
+							if (is_link($f.'-temporary.bak')) {
+								@unlink($f);
+								rename($f.'-temporary.bak', $f);
+							} elseif(file_exists($f.'-temporary.bak')) {
+								unlink($f.'-temporary.bak');
+							}
+						}
 
 					}
 				} else {

install/sql/incremental/upd_0095.sql

+ALTER TABLE `remote_session` ADD `remote_ip` VARCHAR(39) NOT NULL DEFAULT '' AFTER `tstamp`;
\ No newline at end of file

install/sql/ispconfig3.sql

@@ -1317,6 +1317,7 @@ CREATE TABLE `remote_session` (
   `remote_functions` text,
   `client_login` tinyint(1) unsigned NOT NULL default '0',
   `tstamp` int(10) unsigned NOT NULL DEFAULT '0',
+  `remote_ip` varchar(39) NOT NULL DEFAULT '',
   PRIMARY KEY  (`remote_session`)
 ) DEFAULT CHARSET=utf8 ;
 

interface/lib/classes/remoting.inc.php

@@ -85,10 +85,20 @@ class remoting {
 		//* Delete old remoting sessions
 		$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP()";
 		$app->db->query($sql);
+		
+		//* Check for max. login attempts
+		$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
+		$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
+		$alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
+
+		if($alreadyfailed['times'] >= 10) {
+			throw new SoapFault('login_failure_limit', 'The login failure limit has been reached.');
+			return false;
+		}
 
 		if($client_login == true) {
 			$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
-			$user = $app->db->queryOneRecord($sql, $username);
+			$user = $app->db->queryOneRecord($sql, (string)$username);
 			if($user) {
 				$saved_password = stripslashes($user['passwort']);
 
@@ -104,6 +114,16 @@ class remoting {
 					}
 				}
 			} else {
+				if(!$alreadyfailed['times'] )
+				{
+					//* user login the first time wrong
+					$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())";
+					$app->db->query($sql, $ip_md5);
+				} elseif($alreadyfailed['times'] >= 1) {
+					//* update times wrong
+					$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT 1";
+					$app->db->query($sql, $ip_md5);
+				}
 				throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
 			}
 			if($user['active'] != 1) {
@@ -119,17 +139,23 @@ class remoting {
 
 			//* Create a remote user session
 			//srand ((double)microtime()*1000000);
-			$remote_session = md5(mt_rand().uniqid('ispco'));
+			$remote_session = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz'),0,1).sha1(mt_rand().uniqid('ispco',true));
 			$remote_userid = $user['userid'];
 			$remote_functions = '';
 			$tstamp = time() + $this->session_timeout;
-			$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp'
-				.') VALUES (?, ?, ?, 1, ?)';
-			$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
+			$ip = $_SERVER['REMOTE_ADDR'];
+			$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp,remote_ip'
+				.') VALUES (?, ?, ?, 1, ?, ?)';
+			$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp,$ip);
+			
+			//* Delete login attempts after successful login
+			$sql = "DELETE FROM `attempts_login` WHERE `ip`=?";
+			$app->db->query($sql, $ip_md5);
+			
 			return $remote_session;
 		} else {
 			$sql = "SELECT * FROM remote_user WHERE remote_username = ?";
-			$remote_user = $app->db->queryOneRecord($sql, $username);
+			$remote_user = $app->db->queryOneRecord($sql, (string)$username);
 			if($remote_user) {
 				if(substr($remote_user['remote_password'], 0, 1) === '$') {
 					if(crypt(stripslashes($password), $remote_user['remote_password']) != $remote_user['remote_password']) {
@@ -138,7 +164,7 @@ class remoting {
 				} elseif(md5($password) == $remote_user['remote_password']) {
 					// update hash algo
 					$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
-					$app->db->query($sql, $app->auth->crypt_password($password), $username);
+					$app->db->query($sql, $app->auth->crypt_password($password), (string)$username);
 				} else {
 					$remote_user = null;
 				}
@@ -170,9 +196,9 @@ class remoting {
 					if(trim($remote_user['remote_ips']) == '') {
 						$remote_allowed=true;
 					} else {
-						$ip = inet_pton($_SERVER['REMOTE_ADDR']);
+						$ip_bin = inet_pton($ip);
 						foreach($allowed_ips as $allowed) {
-							if($ip == inet_pton(trim($allowed))) {
+							if($ip_bin == inet_pton(trim($allowed))) {
 								$remote_allowed=true;
 								break;
 							}
@@ -185,15 +211,32 @@ class remoting {
 				}
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
-				$remote_session = md5(mt_rand().uniqid('ispco'));
+				$remote_session = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz'),0,1).sha1(mt_rand().uniqid('ispco',true));
 				$remote_userid = $remote_user['remote_userid'];
 				$remote_functions = $remote_user['remote_functions'];
 				$tstamp = time() + $this->session_timeout;
-				$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
-					.') VALUES (?, ?, ?, ?)';
-				$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
+				$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp,remote_ip'
+					.') VALUES (?, ?, ?, ?, ?)';
+				$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp, $ip);
+				
+				//* Delete login attempts after successful login
+				$sql = "DELETE FROM `attempts_login` WHERE `ip`=?";
+				$app->db->query($sql, $ip_md5);
+				
 				return $remote_session;
 			} else {
+				
+				if(!$alreadyfailed['times'] )
+				{
+					//* user login the first time wrong
+					$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())";
+					$app->db->query($sql, $ip_md5);
+				} elseif($alreadyfailed['times'] >= 1) {
+					//* update times wrong
+					$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT 1";
+					$app->db->query($sql, $ip_md5);
+				}
+				
 				throw new SoapFault('login_failed', 'The login failed. Username or password wrong.');
 				return false;
 			}
@@ -212,7 +255,7 @@ class remoting {
 		}
 
 		$sql = "DELETE FROM remote_session WHERE remote_session = ?";
-		if($app->db->query($sql, $session_id) != false) {
+		if($app->db->query($sql, (string)$session_id) != false) {
 			return true;
 		} else {
 			return false;
@@ -522,12 +565,61 @@ class remoting {
 			throw new SoapFault('session_id_empty', 'The SessionID is empty.');
 			return false;
 		}
+		
+		if(!is_string($session_id)) {
+			throw new SoapFault('session_id_nostring', 'Wrong SessionID datatype.');
+			return false;
+		}
+		
+		$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
+		$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
+		$alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
+
+		if($alreadyfailed['times'] >= 10) {
+			throw new SoapFault('session_failure_limit', 'The Session failure limit has been reached.');
+			return false;
+		}
 
 		$sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMESTAMP()";
-		$session = $app->db->queryOneRecord($sql, $session_id);
+		$session = $app->db->queryOneRecord($sql, (string)$session_id);
+		
+		if(!is_array($session)) {
+			if(!$alreadyfailed['times'] )
+				{
+					//* user login the first time wrong
+					$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())";
+					$app->db->query($sql, $ip_md5);
+				} elseif($alreadyfailed['times'] >= 1) {
+					//* update times wrong
+					$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT 1";
+					$app->db->query($sql, $ip_md5);
+				}
+			
+			throw new SoapFault('session_does_not_exist', 'The Session is expired or does not exist.');
+			return false;
+		}
+		
+		$ip = $_SERVER['REMOTE_ADDR'];
+		if($session['remote_ip'] != $ip) {
+			throw new SoapFault('session_ip_mismatch', 'Session IP mismatch.');
+			return false;
+		}
+		
 		if($session['remote_userid'] > 0) {
 			return $session;
 		} else {
+			
+			if(!$alreadyfailed['times'] )
+				{
+					//* user login the first time wrong
+					$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())";
+					$app->db->query($sql, $ip_md5);
+				} elseif($alreadyfailed['times'] >= 1) {
+					//* update times wrong
+					$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` < NOW() ORDER BY `login_time` DESC LIMIT 1";
+					$app->db->query($sql, $ip_md5);
+				}
+			
 			throw new SoapFault('session_does_not_exist', 'The Session is expired or does not exist.');
 			return false;
 		}

interface/lib/classes/remoting_lib.inc.php

@@ -232,7 +232,7 @@ class remoting_lib extends tform_base {
 		if(@is_numeric($primary_id)) {
 			if($primary_id > 0) {
 				// Return a single record
-				return parent::getDataRecord($primary_id);
+				return parent::getDataRecord(intval($primary_id));
 			} elseif($primary_id == -1) {
 				// Return a array with all records
 				$sql = "SELECT * FROM ??";
@@ -255,8 +255,8 @@ class remoting_lib extends tform_base {
 				} else {
 					$sql_where .= "?? = ? AND ";
 				}
-				$params[] = $key;
-				$params[] = $val;
+				$params[] = (string)$key;
+				$params[] = (string)$val;
 			}
 			$sql_where = substr($sql_where, 0, -5);
 			if($sql_where == '') $sql_where = '1';

interface/lib/classes/session.inc.php

@@ -70,9 +70,9 @@ class session {
 	function read ($session_id) {
 		
 		if($this->timeout > 0) {
-			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ? AND (`permanent` = 'y' OR last_updated >= DATE_SUB(NOW(), INTERVAL ? MINUTE))", $session_id, $this->timeout);
+			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ? AND (`permanent` = 'y' OR last_updated >= DATE_SUB(NOW(), INTERVAL ? MINUTE))", (string)$session_id, $this->timeout);
 		} else {
-			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ?", $session_id);
+			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ?", (string)$session_id);
 		}
 
 		if (is_array($rec)) {
@@ -91,18 +91,18 @@ class session {
 
 		// Dont write session_data to DB if session data has not been changed after reading it.
 		if(isset($this->session_array['session_data']) && $this->session_array['session_data'] != '' && $this->session_array['session_data'] == $session_data) {
-			$this->db->query("UPDATE sys_session SET last_updated = NOW() WHERE session_id = ?", $session_id);
+			$this->db->query("UPDATE sys_session SET last_updated = NOW() WHERE session_id = ?", (string)$session_id);
 			return true;
 		}
 
 
 		if (@$this->session_array['session_id'] == '') {
 			$sql = "REPLACE INTO sys_session (session_id,date_created,last_updated,session_data,permanent) VALUES (?,NOW(),NOW(),?,?)";
-			$this->db->query($sql, $session_id, $session_data, ($this->permanent ? 'y' : 'n'));
+			$this->db->query($sql, (string)$session_id, $session_data, ($this->permanent ? 'y' : 'n'));
 
 		} else {
 			$sql = "UPDATE sys_session SET last_updated = NOW(), session_data = ?" . ($this->permanent ? ", `permanent` = 'y'" : "") . " WHERE session_id = ?";
-			$this->db->query($sql, $session_data, $session_id);
+			$this->db->query($sql, $session_data, (string)$session_id);
 
 		}
 
@@ -112,7 +112,7 @@ class session {
 	function destroy ($session_id) {
 
 		$sql = "DELETE FROM sys_session WHERE session_id = ?";
-		$this->db->query($sql, $session_id);
+		$this->db->query($sql, (string)$session_id);
 
 		return true;
 	}

interface/web/login/index.php

@@ -96,7 +96,7 @@ if(count($_POST) > 0) {
 
 						/* this is the reseller, that shall be re-logged in */
 						$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
-						$tmp = $app->db->queryOneRecord($sql, $username, $password);
+						$tmp = $app->db->queryOneRecord($sql, (string)$username, (string)$password);
 						$client_group_id = $app->functions->intval($tmp['default_group']);
 						$tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 
@@ -118,7 +118,7 @@ if(count($_POST) > 0) {
 
 				/* this is the user the reseller wants to 'login as' */
 				$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
-				$tmp = $app->db->queryOneRecord($sql, $username, $password);
+				$tmp = $app->db->queryOneRecord($sql, (string)$username, (string)$password);
 				$tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $tmp["default_group"]);
 
 				if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) {
@@ -146,13 +146,13 @@ if(count($_POST) > 0) {
 
 			if ($loginAs){
 				$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
-				$user = $app->db->queryOneRecord($sql, $username, $password);
+				$user = $app->db->queryOneRecord($sql, (string)$username, (string)$password);
 			} else {
 
 				if(stristr($username, '@')) {
 					//* mailuser login
 					$sql = "SELECT * FROM mail_user WHERE login = ? or email = ?";
-					$mailuser = $app->db->queryOneRecord($sql, $username, $app->functions->idn_encode($username));
+					$mailuser = $app->db->queryOneRecord($sql, (string)$username, $app->functions->idn_encode($username));
 					$user = false;
 					if($mailuser) {
 						$saved_password = stripslashes($mailuser['password']);
@@ -184,7 +184,7 @@ if(count($_POST) > 0) {
 				} else {
 					//* normal cp user login
 					$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
-					$user = $app->db->queryOneRecord($sql, $username);
+					$user = $app->db->queryOneRecord($sql, (string)$username);
 					if($user) {
 						$saved_password = stripslashes($user['passwort']);
 						if(substr($saved_password, 0, 1) == '$') {
@@ -199,7 +199,7 @@ if(count($_POST) > 0) {
 							} else {
 								// update password with secure algo
 								$sql = 'UPDATE `sys_user` SET `passwort` = ? WHERE `username` = ?';
-								$app->db->query($sql, $app->auth->crypt_password($password), $username);
+								$app->db->query($sql, $app->auth->crypt_password($password), (string)$username);
 							}
 						}
 					} else {

interface/web/mail/lib/module.conf.php

@@ -61,7 +61,7 @@ if($app->auth->get_client_limit($userid, 'mailcatchall') != 0)
 		'html_id' => 'mail_domain_catchall_list');
 }
 
-if(! $app->auth->is_admin())
+if(! $app->auth->is_admin() && $app->auth->get_client_limit($userid, 'mail_wblist') != 0)
 {
 	$items[] = array(   'title'  => 'Email Whitelist',
 		'target'  => 'content',

server/lib/classes/letsencrypt.inc.php

@@ -44,7 +44,7 @@ class letsencrypt {
 	}
 
 	public function get_acme_script() {
-		$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
 		$acme = reset($acme);
 		if(is_executable($acme)) {
 			return $acme;

server/lib/classes/system.inc.php

@@ -1371,6 +1371,7 @@ class system{
 	 * Control services to restart etc
 	 *
 	 */
+	 /*
 	function daemon_init($daemon, $action){
 		//* $action = start|stop|restart|reload
 		global $app;
@@ -1409,7 +1410,7 @@ class system{
 				}
 			}
 		}
-	}
+	} */
 
 	function netmask($netmask){
 		list($f1, $f2, $f3, $f4) = explode('.', trim($netmask));
@@ -2064,36 +2065,103 @@ class system{
 	}
 
 	function _getinitcommand($servicename, $action, $init_script_directory = '', $check_service) {
-		global $conf;
+		global $conf, $app;
+		
 		// upstart
+		/* removed upstart support - deprecated
 		if(is_executable('/sbin/initctl')){
 			exec('/sbin/initctl version 2>/dev/null | /bin/grep -q upstart', $retval['output'], $retval['retval']);
 			if(intval($retval['retval']) == 0) return 'service '.$servicename.' '.$action;
 		}
+		*/
+		
+		if(!in_array($action,array('restart','reload','force-reload'))) {
+			$app->log('Invalid init command action '.$action,LOGLEVEL_WARN);
+			return false;
+		}
 
-		// systemd
+		//* systemd (now default in all supported OS)
 		if(is_executable('/bin/systemd') || is_executable('/usr/bin/systemctl')){
-			if ($check_service) {
-				$this->exec_safe("systemctl is-enabled ? 2>&1", $servicename);
-				$ret_val = $this->last_exec_retcode();
-			}
-			if ($ret_val == 0 || !$check_service) {
-				return 'systemctl '.$action.' '.$servicename.'.service';
+			$app->log('Trying to use Systemd to restart service',LOGLEVEL_DEBUG);
+			
+			//* Test service name via regex
+			if(preg_match('/[a-zA-Z0-9\.\-\_]/',$servicename)) {
+