From f45cfd8e353b6203101afc8218f9c923d7f7c933 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Fri, 29 Dec 2017 19:18:09 +0100 Subject: [PATCH] Implemented #4872 Extend Apache and Nginx Excludes list --- interface/lib/classes/validate_domain.inc.php | 38 +++++++++++++++++++ .../web/sites/form/web_vhost_domain.tform.php | 7 ++++ .../web/sites/lib/lang/ar_web_domain.lng | 1 + .../web/sites/lib/lang/bg_web_domain.lng | 1 + .../web/sites/lib/lang/br_web_domain.lng | 1 + .../web/sites/lib/lang/ca_web_domain.lng | 1 + .../web/sites/lib/lang/cz_web_domain.lng | 1 + .../web/sites/lib/lang/de_web_domain.lng | 1 + .../web/sites/lib/lang/dk_web_domain.lng | 1 + .../web/sites/lib/lang/el_web_domain.lng | 1 + .../web/sites/lib/lang/en_web_domain.lng | 1 + .../web/sites/lib/lang/es_web_domain.lng | 1 + .../web/sites/lib/lang/fi_web_domain.lng | 1 + .../web/sites/lib/lang/fr_web_domain.lng | 1 + .../web/sites/lib/lang/hr_web_domain.lng | 1 + .../web/sites/lib/lang/hu_web_domain.lng | 1 + .../web/sites/lib/lang/id_web_domain.lng | 1 + .../web/sites/lib/lang/it_web_domain.lng | 1 + .../web/sites/lib/lang/ja_web_domain.lng | 1 + .../web/sites/lib/lang/nl_web_domain.lng | 1 + .../web/sites/lib/lang/pl_web_domain.lng | 1 + .../web/sites/lib/lang/pt_web_domain.lng | 1 + .../web/sites/lib/lang/ro_web_domain.lng | 1 + .../web/sites/lib/lang/ru_web_domain.lng | 1 + .../web/sites/lib/lang/se_web_domain.lng | 1 + .../web/sites/lib/lang/sk_web_domain.lng | 1 + .../web/sites/lib/lang/tr_web_domain.lng | 1 + security/apache_directives.blacklist | 2 +- security/nginx_directives.blacklist | 1 + security/security_settings.ini | 1 + 30 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 security/nginx_directives.blacklist diff --git a/interface/lib/classes/validate_domain.inc.php b/interface/lib/classes/validate_domain.inc.php index b572467fe0..415015b8ce 100644 --- a/interface/lib/classes/validate_domain.inc.php +++ b/interface/lib/classes/validate_domain.inc.php 
@@ -141,6 +141,44 @@ class validate_domain {
 }
 }
+ /* Check nginx directives */
+ function web_nginx_directives($field_name, $field_value, $validator) {
+ global $app;
+
+ if(trim($field_value) != '') {
+ $security_config = $app->getconf->get_security_config('ids');
+
+ if($security_config['nginx_directives_scan_enabled'] == 'yes') {
+
+ // Get blacklist
+ $blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist';
+ if(is_file('/usr/local/ispconfig/security/nginx_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist.custom';
+ if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/nginx_directives.blacklist');
+
+ $directives = explode("\n",$field_value);
+ $regex = explode("\n",file_get_contents($blacklist_path));
+ $blocked = false;
+ $blocked_line = '';
+
+ if(is_array($directives) && is_array($regex)) {
+ foreach($directives as $directive) {
+ $directive = trim($directive);
+ foreach($regex as $r) {
+ if(preg_match(trim($r),$directive)) {
+ $blocked = true;
+ $blocked_line .= $directive.'
';
+ };
+ }
+ }
+ }
+ }
+
+ if($blocked === true) {
+ return $this->get_error('nginx_directive_blocked_error').' '.$blocked_line;
+ }
+ }
+
 /* internal validator function to match regexp */
 function _regex_validate($domain_name, $allow_wildcard = false) {
diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php
index 4b709eeda4..ebe5d7b1d5 100644
--- a/interface/web/sites/form/web_vhost_domain.tform.php
+++ b/interface/web/sites/form/web_vhost_domain.tform.php
@@ -859,6 +859,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin'
 'nginx_directives' => array (
 'datatype' => 'TEXT',
 'formtype' => 'TEXT',
+ 'validators' => array ( 0 => array(
+ 'type' => 'CUSTOM',
+ 'class' => 'validate_domain',
+ 'function' => 'web_nginx_directives',
+ 'errmsg' => 'nginx_directive_blockd_error'
+ ),
+ ),
 'default' => '',
 'value' => '',
 'width' => '30',
diff --git a/interface/web/sites/lib/lang/ar_web_domain.lng b/interface/web/sites/lib/lang/ar_web_domain.lng
index 0b8161e097..1ab9c55d3d 100644
--- a/interface/web/sites/lib/lang/ar_web_domain.lng
+++ b/interface/web/sites/lib/lang/ar_web_domain.lng
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
 $wb['https_port_txt'] = 'HTTPS Port';
 $wb['http_port_error_regex'] = 'HTTP Port invalid.';
 $wb['https_port_error_regex'] = 'HTTPS Port invalid.';
+$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
 ?>
diff --git a/interface/web/sites/lib/lang/bg_web_domain.lng b/interface/web/sites/lib/lang/bg_web_domain.lng
index cce4822143..901c34a6ec 100644
--- a/interface/web/sites/lib/lang/bg_web_domain.lng
+++ b/interface/web/sites/lib/lang/bg_web_domain.lng
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
 $wb['https_port_txt'] = 'HTTPS Port';
 $wb['http_port_error_regex'] = 'HTTP Port invalid.';
 $wb['https_port_error_regex'] = 'HTTPS Port invalid.';
+$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
 ?>
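Review bot: The scan fails open when the blacklist cannot be read: if `realpath()` on the fallback path returns false, `file_get_contents()` returns false, `explode()` turns that into a single empty pattern, and `preg_match('', …)` returns false with a warning, so every directive passes; check the read result and treat an unreadable blacklist as a block, and compare `preg_match() === 1` so a malformed pattern in a `.custom` file cannot disable a rule the same way. The check is also bypassable as written, because directives are split on `"\n"` only while nginx accepts several `;`-terminated directives on one line, so `gzip on; load_module /tmp/x.so;` never reaches the `^\s*` anchor of the blacklist regex; split on `;` as well. `$blocked` is initialised only inside the `== 'yes'` branch but tested unconditionally below it, so add `$blocked = false;` right after `global $app;`. `web_nginx_directives` lies wholly inside this hunk; the rewritten inner portion follows (the `$blocked_line` separator literal is rendered garbled here and is left as the commit has it).
```php
				// … unchanged: blacklist path selection …
				// Fail closed: an unreadable blacklist must not silently disable the scan
				$blacklist = ($blacklist_path !== false) ? file_get_contents($blacklist_path) : false;
				if($blacklist === false) {
					return $this->get_error('nginx_directive_blocked_error').' (blacklist unreadable)';
				}
				// nginx allows several ';'-terminated directives per line, so split on both
				$directives = preg_split('/[\n;]/', $field_value);
				$regex = array_filter(array_map('trim', explode("\n", $blacklist)));
				foreach($directives as $directive) {
					$directive = trim($directive);
					if($directive === '') continue;
					foreach($regex as $r) {
						// Strict compare: a malformed pattern yields false, not 0
						if(preg_match($r, $directive) === 1) {
							// … unchanged: set $blocked and append $directive to $blocked_line …
						}
					}
				}
```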
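Review bot: The `errmsg` key `nginx_directive_blockd_error` on the new validator entry does not match the `nginx_directive_blocked_error` string this same commit adds to every language file. The validator returns its own message through `get_error('nginx_directive_blocked_error')`, so the key may never be consulted for a CUSTOM validator, but an unresolvable key is a latent bug if tform ever falls back to it; change it to `'errmsg' => 'nginx_directive_blocked_error'`. The enclosing form array starts and ends outside the hunk.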
diff --git a/interface/web/sites/lib/lang/br_web_domain.lng b/interface/web/sites/lib/lang/br_web_domain.lng index 33ea9f3565..a199f3273c 100644 --- a/interface/web/sites/lib/lang/br_web_domain.lng +++ b/interface/web/sites/lib/lang/br_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'Porta HTTP'; $wb['https_port_txt'] = 'Porta HTTPS'; $wb['http_port_error_regex'] = 'Porta HTTP inválida.'; $wb['https_port_error_regex'] = 'Porta HTTPS inválida.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ca_web_domain.lng b/interface/web/sites/lib/lang/ca_web_domain.lng index fc680dfd1a..a3475c43c2 100644 --- a/interface/web/sites/lib/lang/ca_web_domain.lng +++ b/interface/web/sites/lib/lang/ca_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/cz_web_domain.lng b/interface/web/sites/lib/lang/cz_web_domain.lng index 585c2c94ff..0998cb1264 100644 --- a/interface/web/sites/lib/lang/cz_web_domain.lng +++ b/interface/web/sites/lib/lang/cz_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/de_web_domain.lng b/interface/web/sites/lib/lang/de_web_domain.lng index 75a4f14669..7232d8fa5f 100644 --- a/interface/web/sites/lib/lang/de_web_domain.lng +++ b/interface/web/sites/lib/lang/de_web_domain.lng 
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/dk_web_domain.lng b/interface/web/sites/lib/lang/dk_web_domain.lng index 6124ee0676..7b61835543 100644 --- a/interface/web/sites/lib/lang/dk_web_domain.lng +++ b/interface/web/sites/lib/lang/dk_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/el_web_domain.lng b/interface/web/sites/lib/lang/el_web_domain.lng index 1ae8ca208b..1787aa0e33 100644 --- a/interface/web/sites/lib/lang/el_web_domain.lng +++ b/interface/web/sites/lib/lang/el_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/en_web_domain.lng b/interface/web/sites/lib/lang/en_web_domain.lng index 940053bc70..28c7c3e4e1 100644 --- a/interface/web/sites/lib/lang/en_web_domain.lng +++ b/interface/web/sites/lib/lang/en_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> \ No newline at end of file 
diff --git a/interface/web/sites/lib/lang/es_web_domain.lng b/interface/web/sites/lib/lang/es_web_domain.lng index 8ba5d93c17..889d29bd95 100644 --- a/interface/web/sites/lib/lang/es_web_domain.lng +++ b/interface/web/sites/lib/lang/es_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/fi_web_domain.lng b/interface/web/sites/lib/lang/fi_web_domain.lng index 5d78fa7961..1cc2a2024d 100644 --- a/interface/web/sites/lib/lang/fi_web_domain.lng +++ b/interface/web/sites/lib/lang/fi_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/fr_web_domain.lng b/interface/web/sites/lib/lang/fr_web_domain.lng index 5cbce08e60..421693a0e6 100644 --- a/interface/web/sites/lib/lang/fr_web_domain.lng +++ b/interface/web/sites/lib/lang/fr_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/hr_web_domain.lng b/interface/web/sites/lib/lang/hr_web_domain.lng index b6f589ead0..8a089e6ba5 100644 --- a/interface/web/sites/lib/lang/hr_web_domain.lng +++ b/interface/web/sites/lib/lang/hr_web_domain.lng 
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/hu_web_domain.lng b/interface/web/sites/lib/lang/hu_web_domain.lng index b240456538..5ddf06593d 100644 --- a/interface/web/sites/lib/lang/hu_web_domain.lng +++ b/interface/web/sites/lib/lang/hu_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/id_web_domain.lng b/interface/web/sites/lib/lang/id_web_domain.lng index a96b4cc2ce..785d7fc0da 100644 --- a/interface/web/sites/lib/lang/id_web_domain.lng +++ b/interface/web/sites/lib/lang/id_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/it_web_domain.lng b/interface/web/sites/lib/lang/it_web_domain.lng index 0f46e2a3ef..68eae554fc 100644 --- a/interface/web/sites/lib/lang/it_web_domain.lng +++ b/interface/web/sites/lib/lang/it_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> 
diff --git a/interface/web/sites/lib/lang/ja_web_domain.lng b/interface/web/sites/lib/lang/ja_web_domain.lng index 95e1f7de52..2dbf65d2e5 100644 --- a/interface/web/sites/lib/lang/ja_web_domain.lng +++ b/interface/web/sites/lib/lang/ja_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/nl_web_domain.lng b/interface/web/sites/lib/lang/nl_web_domain.lng index 60a06c266a..8b4f6ff855 100644 --- a/interface/web/sites/lib/lang/nl_web_domain.lng +++ b/interface/web/sites/lib/lang/nl_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/pl_web_domain.lng b/interface/web/sites/lib/lang/pl_web_domain.lng index 8afd4b50c7..2521f17406 100644 --- a/interface/web/sites/lib/lang/pl_web_domain.lng +++ b/interface/web/sites/lib/lang/pl_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/pt_web_domain.lng b/interface/web/sites/lib/lang/pt_web_domain.lng index 475544e16d..fc7add5d89 100644 --- a/interface/web/sites/lib/lang/pt_web_domain.lng +++ b/interface/web/sites/lib/lang/pt_web_domain.lng 
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ro_web_domain.lng b/interface/web/sites/lib/lang/ro_web_domain.lng index 185155ad81..7e98b45d02 100644 --- a/interface/web/sites/lib/lang/ro_web_domain.lng +++ b/interface/web/sites/lib/lang/ro_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ru_web_domain.lng b/interface/web/sites/lib/lang/ru_web_domain.lng index a4be337fb4..6cba45f1b7 100644 --- a/interface/web/sites/lib/lang/ru_web_domain.lng +++ b/interface/web/sites/lib/lang/ru_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'Порт HTTP'; $wb['https_port_txt'] = 'Порт HTTPS'; $wb['http_port_error_regex'] = 'Некорректный порт HTTP.'; $wb['https_port_error_regex'] = 'Некорректный порт HTTPS.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/se_web_domain.lng b/interface/web/sites/lib/lang/se_web_domain.lng index b4f58b827e..91fa8c4db5 100644 --- a/interface/web/sites/lib/lang/se_web_domain.lng +++ b/interface/web/sites/lib/lang/se_web_domain.lng @@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port'; $wb['https_port_txt'] = 'HTTPS Port'; $wb['http_port_error_regex'] = 'HTTP Port invalid.'; $wb['https_port_error_regex'] = 'HTTPS Port invalid.'; +$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:'; ?> 
diff --git a/interface/web/sites/lib/lang/sk_web_domain.lng b/interface/web/sites/lib/lang/sk_web_domain.lng
index 8e39ca8afa..f8f2f79b96 100644
--- a/interface/web/sites/lib/lang/sk_web_domain.lng
+++ b/interface/web/sites/lib/lang/sk_web_domain.lng
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
 $wb['https_port_txt'] = 'HTTPS Port';
 $wb['http_port_error_regex'] = 'HTTP Port invalid.';
 $wb['https_port_error_regex'] = 'HTTPS Port invalid.';
+$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
 ?>
diff --git a/interface/web/sites/lib/lang/tr_web_domain.lng b/interface/web/sites/lib/lang/tr_web_domain.lng
index da3625df37..c97ce73778 100644
--- a/interface/web/sites/lib/lang/tr_web_domain.lng
+++ b/interface/web/sites/lib/lang/tr_web_domain.lng
@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
 $wb['https_port_txt'] = 'HTTPS Port';
 $wb['http_port_error_regex'] = 'HTTP Port invalid.';
 $wb['https_port_error_regex'] = 'HTTPS Port invalid.';
+$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
 ?>
diff --git a/security/apache_directives.blacklist b/security/apache_directives.blacklist
index edb4b503d3..6dd376d643 100644
--- a/security/apache_directives.blacklist
+++ b/security/apache_directives.blacklist
@@ -1,3 +1,3 @@
-/^\s*(LoadModule|LoadFile|Include)(\s+|[\\\\])/mi
+/^\s*(LoadModule|LoadFile|Include|IncludeOptional)(\s+|[\\\\])/mi
 /^\s*(SuexecUserGroup|suPHP_UserGroup|suPHP_PHPPath|suPHP_ConfigPath)(\s+|[\\\\])/mi
 /^\s*(FCGIWrapper|FastCgiExternalServer)(\s+|[\\\\])/mi
\ No newline at end of file
diff --git a/security/nginx_directives.blacklist b/security/nginx_directives.blacklist
new file mode 100644
index 0000000000..2f7122a148
--- /dev/null
+++ b/security/nginx_directives.blacklist
@@ -0,0 +1 @@
+/^\s*(load_module)(\s+|[\\\\])/mi
\ No newline at end of file
diff --git a/security/security_settings.ini b/security/security_settings.ini
index 5cc381e3cd..eb78e24d53 100644
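Review bot: The new nginx blacklist blocks only `load_module`, while the Apache list touched in the same commit blocks `Include|IncludeOptional`; nginx's `include` directive is the direct analogue and, from a vhost's custom directives, pulls any file readable by nginx into the server configuration, so it should be listed for parity. If includes of known snippets are a legitimate need, restrict by path in the pattern rather than leaving the bare directive unmatched. Suggested line: `/^\s*(load_module|include)(\s+|[\\\\])/mi`. Note that the `m` flag and `^\s*` anchor only help if the PHP validator feeds one directive per match, which depends on how it splits the field.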
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -26,6 +26,7 @@ ids_block_level=100
 sql_scan_enabled=yes
 sql_scan_action=warn
 apache_directives_scan_enabled=yes
+nginx_directives_scan_enabled=yes
 [systemcheck]
 security_admin_email=root@localhost
-- 
GitLab