Commit e59dfdcb authored by Marius Burkard's avatar Marius Burkard

Merge branch 'stable-3.1'

parents 9fdafd14 41e1628b
......@@ -1076,6 +1076,8 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......@@ -1149,6 +1151,11 @@ class installer_dist extends installer_base {
$command = "chmod +x $install_dir/server/scripts/*.sh";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
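Review bot: The admin-password update in the second hunk hashes inside the SQL statement (`passwort = md5(?)`), so the clear-text password is shipped to the database server as a bound parameter and what lands in `sys_user.passwort` is an unsalted MD5 digest. Hashing in PHP keeps the secret out of the DB connection and any server-side query log with no change to the stored value: `$this->db->query("UPDATE sys_user SET passwort = ? WHERE username = 'admin'", md5($conf['interface_password']));`. If the interface login accepts crypt()-style hashes (not visible in this diff), a salted `crypt()`/`password_hash()` value should be stored instead of MD5. The enclosing install method starts and ends outside the hunk.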
......
......@@ -996,7 +996,9 @@ class installer extends installer_base
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......@@ -1076,6 +1078,11 @@ class installer extends installer_base
$command = "chmod +x $install_dir/server/scripts/*.sh";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
$content = $this->get_template_file("apache_ispconfig.vhost", true);
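Review bot: The guard `$conf['interface_password'] != 'admin'` in the second hunk silently leaves the seeded default credential in place when the operator kept the default, and nothing in the hunk tells a reader why that value is special. A one-line comment makes the intent explicit: `// 'admin' is the value seeded by the SQL dump; only rewrite the hash when the operator chose a different password`. The same block also hashes with MySQL's `md5(?)` rather than in PHP, so the clear-text password crosses the DB connection; `md5($conf['interface_password'])` bound as the parameter produces the identical digest without that exposure. The enclosing method continues outside the hunk.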
......
......@@ -1094,7 +1094,9 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......@@ -1170,6 +1172,11 @@ class installer_dist extends installer_base {
$command = "chmod +x $install_dir/server/scripts/*.sh";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
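Review bot: This is the third verbatim copy of the nginx-blacklist chown and the admin-password update in this commit (the other two are in the other `installer_dist` and in `installer`), while `installer_base` already carries the shared chown sequence. Keeping three copies means the next fix to the password handling (hashing in PHP instead of `md5(?)` in SQL, or a stronger hash) has to be applied in three places. Consider moving the password block into a base method, e.g. `$this->set_admin_password($conf);`, called from each installer; the exact base-class layout is not visible here, so the method name is a suggestion. The enclosing method starts and ends outside the hunk.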
......
......@@ -2499,7 +2499,9 @@ class installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
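Review bot: The new chown sets `root:ispconfig` on `security/nginx_directives.blacklist` but no mode is set in the hunk, and the validator added elsewhere in this commit prefers a `nginx_directives.blacklist.custom` file from the same directory that the installer never touches. If either file or the `security/` directory is writable by the `ispconfig` group, the interface user could relax the directive blacklist that is meant to constrain it; unless the directory mode is fixed earlier in this method (not visible), add `$command = 'chmod 640 '.$install_dir.'/security/nginx_directives.blacklist';` with the matching `caselog` call, and handle the `.custom` file the same way when it exists. The enclosing method starts and ends outside the hunk.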
......
......@@ -299,14 +299,14 @@ class app {
$this->tpl->setVar('phpsessid', session_id());
$this->tpl->setVar('theme', $_SESSION['s']['theme']);
$this->tpl->setVar('theme', $_SESSION['s']['theme'], true);
$this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']);
$this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation'));
//print_r($_SESSION);
if(isset($_SESSION['s']['module']['name'])) {
$this->tpl->setVar('app_module', $_SESSION['s']['module']['name']);
$this->tpl->setVar('session_module', $_SESSION['s']['module']['name']);
$this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
$this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true);
}
if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
$this->tpl->setVar('is_admin', 1);
......@@ -316,7 +316,7 @@ class app {
}
/* Show username */
if(isset($_SESSION['s']['user'])) {
$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']);
$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
$this->tpl->setVar('logout_txt', $this->lng('logout_txt'));
/* Show search field only for normal users, not mail users */
if(stristr($_SESSION['s']['user']['username'], '@')){
......@@ -343,7 +343,7 @@ $app = new app();
// load and enable PHP Intrusion Detection System (PHPIDS)
$ids_security_config = $app->getconf->get_security_config('ids');
if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
if(is_dir(ISPC_CLASS_PATH.'/IDS') && !defined('REMOTE_API_CALL') && ($ids_security_config['ids_anon_enabled'] == 'yes' || $ids_security_config['ids_user_enabled'] == 'yes' || $ids_security_config['ids_admin_enabled'] == 'yes')) {
$app->uses('ids');
$app->ids->start();
}
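Review bot: The start condition at the end of the section now enables PHPIDS when any of the three role flags is `yes`, but the `ids` class hunk in this commit selects per-role thresholds without consulting the matching `ids_<role>_enabled` flag; unless `ids->start()` checks it outside the hunk, a logged-in user's request is scanned with `ids_user_*` levels even when only `ids_anon_enabled` is on. Either re-check the flag inside `ids` for the selected role, or keep a single enabled test here and document it. The `!defined('REMOTE_API_CALL')` clause is a deliberate bypass and deserves a comment so nobody later "fixes" it: `// remote API requests are not run through PHPIDS`.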
......
......@@ -470,7 +470,7 @@ class db {
public function escape($sString) {
global $app;
if(!is_string($sString) && !is_numeric($sString)) {
$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_INFO);
$app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_DEBUG);
//$sAddMsg = getDebugBacktrace();
$app->log($sAddMsg, LOGLEVEL_DEBUG);
$sString = '';
......@@ -479,7 +479,7 @@ class db {
$cur_encoding = mb_detect_encoding($sString);
if($cur_encoding != "UTF-8") {
if($cur_encoding != 'ASCII') {
if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_DEBUG);
if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
else $sString = mb_convert_encoding($sString, 'UTF-8');
}
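Review bot: The line after the lowered log level still calls `$app->log($sAddMsg, LOGLEVEL_DEBUG);` while `$sAddMsg` is never assigned (its only assignment is the commented-out backtrace line above), so this path logs an undefined variable on every non-string input; drop the line or restore the assignment it depended on. Note also that the non-string case ends with `$sString = '';`, i.e. an array or object reaching `escape()` silently becomes an empty string in the query; moving that message from INFO to DEBUG makes such type confusion invisible in a default production log, so consider keeping the first message at INFO even if the encoding message stays at DEBUG. `escape()` continues outside the hunk.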
......
......@@ -118,7 +118,25 @@ class ids {
$impact = $ids_result->getImpact();
if($impact >= $security_config['ids_log_level']) {
// Choose level from security config
if($app->auth->is_admin()) {
// User is admin
$ids_log_level = $security_config['ids_admin_log_level'];
$ids_warn_level = $security_config['ids_admin_warn_level'];
$ids_block_level = $security_config['ids_admin_block_level'];
} elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
// User is Client or Reseller
$ids_log_level = $security_config['ids_user_log_level'];
$ids_warn_level = $security_config['ids_user_warn_level'];
$ids_block_level = $security_config['ids_user_block_level'];
} else {
// Not logged in
$ids_log_level = $security_config['ids_anon_log_level'];
$ids_warn_level = $security_config['ids_anon_warn_level'];
$ids_block_level = $security_config['ids_anon_block_level'];
}
if($impact >= $ids_log_level) {
$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
if(!is_file($ids_log)) touch($ids_log);
......@@ -132,11 +150,11 @@ class ids {
}
if($impact >= $security_config['ids_warn_level']) {
if($impact >= $ids_warn_level) {
$app->log("PHP IDS Alert.".$ids_result, 2);
}
if($impact >= $security_config['ids_block_level']) {
if($impact >= $ids_block_level) {
$app->error("Possible attack detected. This action has been logged.",'', true, 2);
}
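Review bot: The outer guard `if($impact >= $security_config['ids_log_level'])` still gates everything on the old global key even though the new code picks `ids_<role>_log_level` inside it. If the global key was removed from the security config along with this change, the comparison is against `null` and PHP's loose `>=` makes it always true, which is harmless but misleading; if it is still present, it silently caps the per-role levels (a role configured below the global threshold never logs). Replace the outer condition with the role selection and then `if($impact >= $ids_log_level) {`, or document why the global threshold must remain. The enclosing method starts outside the hunk.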
......
......@@ -56,7 +56,7 @@ class plugin_listview extends plugin_base {
// $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
$app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
$listTpl->setVar('parent_id', $this->form->id);
$listTpl->setVar('theme', $_SESSION['s']['theme']);
$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
// Generate the SQL for searching
$sql_where = "";
......@@ -193,13 +193,13 @@ class plugin_listview extends plugin_base {
$listTpl->setVar('phpsessid', session_id());
$listTpl->setVar('theme', $_SESSION['s']['theme']);
$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
$listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']);
$listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation'));
//print_r($_SESSION);
if(isset($_SESSION['s']['module']['name'])) {
$listTpl->setVar('app_module', $_SESSION['s']['module']['name']);
$listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
}
if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
$listTpl->setVar('is_admin', 1);
......@@ -209,7 +209,7 @@ class plugin_listview extends plugin_base {
}
/* Show username */
if(isset($_SESSION['s']['user'])) {
$listTpl->setVar('cpuser', $_SESSION['s']['user']['username']);
$listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
$listTpl->setVar('logout_txt', $app->lng('logout_txt'));
/* Show search field only for normal users, not mail users */
if(stristr($_SESSION['s']['user']['username'], '@')){
......
......@@ -115,11 +115,18 @@ class tform extends tform_base {
// Show the same tab again in case of an error
$active_tab = $_SESSION["s"]["form"]["tab"];
}
if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
die('Invalid next tab name.');
}
return $active_tab;
}
function getCurrentTab() {
if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) {
die('Invalid current tab name.');
}
return $_SESSION["s"]["form"]["tab"];
}
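Review bot: The two new tab-name checks terminate with `die('Invalid next tab name.')` / `die('Invalid current tab name.')`, whereas the rest of the form layer in this same commit reports invalid tabs through `$app->error(...)` (see the `tform_base` hunks), which presumably goes through the application's logging and error page. Using the same channel here, `$app->error('Invalid next tab name.');`, keeps the behaviour consistent and avoids a bare text response; the methods would need `global $app;` if they do not already declare it (not visible). `getNextTab()` starts outside the hunk.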
......
......@@ -287,7 +287,7 @@ class tform_actions {
global $app, $conf;
$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
$app->tpl->setVar($this->dataRecord);
$app->tpl->setVar($this->dataRecord, null, true);
$this->onShow();
}
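Review bot: `$app->tpl->setVar($this->dataRecord, null, true)` now runs the `htmlentities` wrapper over every value of the submitted record; if any form field yields an array value (a multi-select, for instance; the form definitions are not visible here), a non-string reaches the wrapper, whose handling of arrays is not shown in this diff. Confirm `functions->htmlentities` tolerates non-scalars, or filter the record before the call, e.g. `array_filter($this->dataRecord, 'is_scalar')` for the encoded pass. The enclosing method starts outside the hunk.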
......
......@@ -245,7 +245,7 @@ class tform_base {
*/
function decode($record, $tab) {
global $conf, $app;
if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: $tab).");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_decode($record, $tab, false);
}
......@@ -416,7 +416,7 @@ class tform_base {
$this->action = $action;
if(!is_array($this->formDef)) $app->error("No form definition found.");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
/* CSRF PROTECTION */
// generate csrf protection id and key
......@@ -868,7 +868,7 @@ class tform_base {
function encode($record, $tab, $dbencode = true) {
global $app;
if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: $tab).");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_encode($record, $tab, $dbencode, false);
}
......@@ -1446,7 +1446,7 @@ class tform_base {
}
if(!is_array($this->formDef)) $app->error("Form definition not found.");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_getSQL($record, $tab, $action, $primary_id, $sql_ext_where, false);
}
......
......@@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) {
* using the keys as variable names and the values as variable values.
* @param mixed $k key to define variable name
* @param mixed $v variable to assign to $k
* @param bool $encode if set to true use htmlentities on values
* @return boolean true/false
* @access public
*/
public function setVar($k, $v = null)
public function setVar($k, $v = null, $encode = false)
{
global $app;
if (is_array($k)) {
foreach($k as $key => $value){
$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
if($encode == true) $value = $app->functions->htmlentities($value);
$this->_vars[$key] = $value;
}
}
} else {
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
if($encode == true) $v = $app->functions->htmlentities($v);
$this->_vars[trim($k)] = $v;
} else {
return false;
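Review bot: In the array branch the new `if($encode == true) $value = $app->functions->htmlentities($value);` is applied to whatever value the caller passes, with only the `!== null` check before it, so a nested array or object reaches the wrapper; guard it with `if($encode == true && is_scalar($value))` unless `functions->htmlentities` is known to handle non-scalars (not visible here). The method also gains a `global $app;` dependency on the application object, which turns a previously self-contained template class into one that fatals wherever `$app` is not defined; a docblock line such as `@global app $app required only when $encode is true` records that. The method continues outside the hunk.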
......
......@@ -52,7 +52,7 @@ class validate_cron {
if($parsed["scheme"] != "http" && $parsed["scheme"] != "https") return $this->get_error($validator['errmsg']);
if(preg_match("'^([a-z0-9][a-z0-9\-]{0,62}\.)+([A-Za-z0-9\-]{2,30})$'i", $parsed["host"]) == false) return $this->get_error($validator['errmsg']);
if(preg_match("'^([a-z0-9][a-z0-9_\-]{0,62}\.)+([A-Za-z0-9\-]{2,30})$'i", $parsed["host"]) == false) return $this->get_error($validator['errmsg']);
}
if(strpos($field_value, "\n") !== false || strpos($field_value, "\r") !== false || strpos($field_value, chr(0)) !== false) {
return $this->get_error($validator['errmsg']);
......
......@@ -51,6 +51,9 @@ class validate_domain {
$result = $this->_check_unique($field_value);
if(!$result) return $this->get_error('domain_error_unique');
$pattern = '/\.acme\.invalid$/';
if(preg_match($pattern, $field_value)) return $this->get_error('domain_error_acme_invalid');
}
/* Validator function for sub domain */
......@@ -65,6 +68,9 @@ class validate_domain {
$result = $this->_check_unique($field_value);
if(!$result) return $this->get_error('domain_error_unique');
$pattern = '/\.acme\.invalid$/';
if(preg_match($pattern, $field_value)) return $this->get_error('domain_error_acme_invalid');
}
/* Validator function for alias domain */
......@@ -77,6 +83,9 @@ class validate_domain {
$result = $this->_check_unique($field_value);
if(!$result) return $this->get_error('domain_error_unique');
$pattern = '/\.acme\.invalid$/';
if(preg_match($pattern, $field_value)) return $this->get_error('domain_error_acme_invalid');
}
/* Validator function for checking the auto subdomain of a web/aliasdomain */
......@@ -141,6 +150,44 @@ class validate_domain {
}
}
/* Check nginx directives */
function web_nginx_directives($field_name, $field_value, $validator) {
global $app;
if(trim($field_value) != '') {
$security_config = $app->getconf->get_security_config('ids');
if($security_config['nginx_directives_scan_enabled'] == 'yes') {
// Get blacklist
$blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist';
if(is_file('/usr/local/ispconfig/security/nginx_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist.custom';
if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/nginx_directives.blacklist');
$directives = explode("\n",$field_value);
$regex = explode("\n",file_get_contents($blacklist_path));
$blocked = false;
$blocked_line = '';
if(is_array($directives) && is_array($regex)) {
foreach($directives as $directive) {
$directive = trim($directive);
foreach($regex as $r) {
if(preg_match(trim($r),$directive)) {
$blocked = true;
$blocked_line .= $directive.'<br />';
};
}
}
}
}
}
if($blocked === true) {
return $this->get_error('nginx_directive_blocked_error').' '.$blocked_line;
}
}
/* internal validator function to match regexp */
function _regex_validate($domain_name, $allow_wildcard = false) {
......
......@@ -70,9 +70,9 @@ class page_action extends tform_actions {
if($this->id > 0){
if($this->dataRecord['master_directive_snippets_id'] > 0){
$is_master = true;
$app->tpl->setVar("name", $this->dataRecord['name']);
$app->tpl->setVar("type", $this->dataRecord['type']);
$app->tpl->setVar("snippet", $this->dataRecord['snippet']);
$app->tpl->setVar("name", $this->dataRecord['name'], true);
$app->tpl->setVar("type", $this->dataRecord['type'], true);
$app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
}
}
$app->tpl->setVar("is_master", $is_master);
......
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($this->id ==0) { //* new record
$server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name");
if(is_array($server_list)) {
foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >$server[server_name]</option>\r\n";
foreach( $server_list as $server) $server_select .= "<option value='$server[server_id]' >" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";
}
$app->tpl->setVar('server_id', $server_select);
}
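Review bot: The option label is now escaped but the `value='$server[server_id]'` part of the same string is still interpolated raw. `server_id` is presumably an integer column, so this is not exploitable as shown, but for consistency with the escaped label and so the line does not depend on the schema, cast it: `"<option value='" . $app->functions->intval($server['server_id']) . "' >" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n"`. The enclosing method continues outside the hunk.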
......
......@@ -61,7 +61,7 @@ class page_action extends tform_actions {
if(is_array($mirror_servers)) {
foreach( $mirror_servers as $mirror_server) {
$selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':'';
$mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>$mirror_server[server_name]</option>\r\n";
$mirror_server_select .= "<option value='$mirror_server[server_id]' $selected>" . $app->functions->htmlentities($mirror_server['server_name']) . "</option>\r\n";
}
}
$app->tpl->setVar("mirror_server_id", $mirror_server_select);
......
......@@ -52,7 +52,7 @@ class page_action extends tform_actions {
if(is_array($servers)) {
foreach($servers as $server) {
$selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':'';
$server_select .= "<option value='$server[server_id]' $selected>$server[server_name]</option>\r\n";
$server_select .= "<option value='$server[server_id]' $selected>" . $app->functions->htmlentities($server['server_name']) . "</option>\r\n";
}
}
unset($servers);
......@@ -65,7 +65,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':'';
$ip_select .= "<option value='$ip[ip_address]' $selected>$ip[source]</option>\r\n";
$ip_select .= "<option value='" . $app->functions->htmlentities($ip['ip_address']) . "' $selected>" . $app->functions->htmlentities($ip['source']) . "</option>\r\n";
}
}
unset($ips);
......
......@@ -128,13 +128,12 @@ class page_action extends tform_actions {
$app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id);
// Delete all records (sub-clients, mail, web, etc....) of this client.
$tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist';
$tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist,spamfilter_wblist';
$tables_array = explode(',', $tables);
$client_group_id = $app->functions->intval($client_group['groupid']);
if($client_group_id > 1) {
foreach($tables_array as $table) {
if($table != '') {
$records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ?", $table, $client_group_id);
//* find the primary ID of the table
$table_info = $app->db->tableInfo($table);
$index_field = '';
......@@ -143,6 +142,7 @@ class page_action extends tform_actions {
}
//* Delete the records
if($index_field != '') {
$records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ? ORDER BY ?? DESC", $table, $client_group_id, $index_field);
if(is_array($records)) {
foreach($records as $rec) {
$app->db->datalogDelete($table, $index_field, $rec[$index_field]);
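Review bot: Moving the `SELECT` inside `if($index_field != '')` means a table for which no primary index is found is now skipped without any trace, leaving rows that still carry the deleted client's `sys_groupid`; the previous code at least fetched them. Log the skip so orphaned data is noticed, e.g. `} else { $app->log("client delete: no primary key found for table $table, records not removed", LOGLEVEL_INFO); }` after the `if`. The `ORDER BY ?? DESC` is presumably there so child rows go before parents; a short comment stating that would help. The enclosing method continues outside the hunk.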
......
......@@ -114,9 +114,9 @@ if(isset($_POST) && count($_POST) > 1) {
}
} else {
$app->tpl->setVar('sender', $_POST['sender']);
$app->tpl->setVar('subject', $_POST['subject']);
$app->tpl->setVar('message', $_POST['message']);
$app->tpl->setVar('sender', $_POST['sender'], true);
$app->tpl->setVar('subject', $_POST['subject'], true);
$app->tpl->setVar('message', $_POST['message'], true);
}
} else {
// pre-fill Sender field with reseller's email address
......
......@@ -80,7 +80,7 @@ class page_action extends tform_actions {
if($field_name['Field'] == 'gender'){
$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{salutation}</a> ';
} else {
$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$field_name['Field'].'}</a> ';
$message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$app->functions->htmlentities($field_name['Field']).'}</a> ';
}
}
}
......
......@@ -76,8 +76,8 @@ class page_action extends tform_actions {
if(isset($sql['domain']) && $sql['domain'] != '') {
if($sql['dkim'] == 'y') {
$public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']);
$app->tpl->setVar('public_key', $public_key);
$app->tpl->setVar('selector', $sql['dkim_selector']);
$app->tpl->setVar('public_key', $public_key, true);
$app->tpl->setVar('selector', $sql['dkim_selector'], true);
} else {
//TODO: show warning - use mail_domain for dkim and enabled dkim
}
......@@ -85,7 +85,7 @@ class page_action extends tform_actions {
} else {
$app->tpl->setVar('edit_disabled', 0);
}
$app->tpl->setVar('name', $soa['origin']);
$app->tpl->setVar('name', $soa['origin'], true);
}
......
......@@ -93,7 +93,7 @@ class page_action extends tform_actions {
if ( isset($rec) && !empty($rec) ) {
$this->id = 1;
$old_data = strtolower($rec['data']);
$app->tpl->setVar("data", $old_data);
$app->tpl->setVar("data", $old_data, true);
if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED");
$dmarc_rua = '';
$dmarc_ruf = '';
......@@ -123,7 +123,7 @@ class page_action extends tform_actions {
}
//set html-values
$app->tpl->setVar('domain', $domain_name);
$app->tpl->setVar('domain', $domain_name, true);
//create dmarc-policy-list
$dmarc_policy_value = array(
......@@ -138,9 +138,9 @@ class page_action extends tform_actions {
}
$app->tpl->setVar('dmarc_policy', $dmarc_policy_list);
if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua);
if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua, true);
if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf);
if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf, true);
//set dmarc-fo-options
if (isset($dmarc_fo)) {
......@@ -178,9 +178,9 @@ class page_action extends tform_actions {
if ( strpos($dmarc_rf, 'afrf') !== false ) $app->tpl->setVar("dmarc_rf_afrf", 'CHECKED');
if ( strpos($dmarc_rf, 'iodef') !== false ) $app->tpl->setVar("dmarc_rf_iodef", 'CHECKED');
$app->tpl->setVar("dmarc_pct", $dmarc_pct);
$app->tpl->setVar("dmarc_pct", $dmarc_pct, true);
$app->tpl->setVar("dmarc_ri", $dmarc_ri);
$app->tpl->setVar("dmarc_ri", $dmarc_ri, true);
//create dmarc-sp-list
$dmarc_sp_value = array(
......
......@@ -587,6 +587,15 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'
if($dns_rr[$r]['type'] == 'NS' && $dns_rr[$r]['name'] == $soa['name']){
unset($dns_rr[$r]);
}
$valid = true;
$dns_rr[$r]['ttl'] = $app->functions->intval($dns_rr[$r]['ttl']);
$dns_rr[$r]['aux'] = $app->functions->intval($dns_rr[$r]['aux']);
$dns_rr[$r]['data'] = strip_tags($dns_rr[$r]['data']);
if(!preg_match('/^[a-zA-Z0-9\.\-\*]{0,64}$/',$dns_rr[$r]['name'])) $valid == false;
if(!in_array(strtoupper($dns_rr[$r]['type']),array('A','AAAA','ALIAS','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY'))) $valid == false;
if($valid == false) unset($dns_rr[$r]);
$r++;
}
$i++;
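Review bot: Both validity checks use `==` instead of `=`: `$valid == false;` is a comparison with no effect, so `$valid` stays `true` and the `unset($dns_rr[$r])` on the next line never fires, meaning the name regex and the type whitelist added here do not filter anything. Change both to `$valid = false;`. Once that is fixed, note that `'/^[a-zA-Z0-9\.\-\*]{0,64}$/'` has no `_`, so a zone containing `_dmarc`, `_acme-challenge` or SRV names like `_sip._tcp` would be dropped by the import even though `TXT` and `SRV` are in the allowed type list; add `_` to the class if those records are meant to import. The enclosing loop starts outside the hunk.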
......
......@@ -132,7 +132,7 @@ class page_action extends tform_actions {
if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
$domain_select .= " selected";
}
$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";
$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";
}
}
else {
......@@ -149,7 +149,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -179,7 +179,7 @@ class page_action extends tform_actions {
$options_dns_servers = "";
foreach ($dns_servers as $dns_server) {
$options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$dns_server['server_name'].'</option>';
$options_dns_servers .= '<option value="'.$dns_server['server_id'].'"'.($this->id > 0 && $this->dataRecord["server_id"] == $dns_server['server_id'] ? ' selected="selected"' : '').'>'.$app->functions->htmlentities($dns_server['server_name']).'</option>';
}
$app->tpl->setVar("client_server_id", $options_dns_servers);
......@@ -200,7 +200,7 @@ class page_action extends tform_actions {
if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
$domain_select .= " selected";
}
$domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";
$domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".</option>\r\n";
}
}
else {
......@@ -217,12 +217,12 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);