From 8133de09d462f8221deefa29ef67877c6676d84d Mon Sep 17 00:00:00 2001 From: Marius Cramer Date: Wed, 22 Jan 2014 11:42:29 +0100 Subject: [PATCH] Added: apache version check in system library Changed: apps vhost is now a template (for apache version) Changed: template if tags can now be of format 'version' to make version comparisons (e.g. 2.12 > 2.2 !) Changed: New apache 2.4 syntax for deny from all (-> Require all denied) etc. --- server/conf/apache_apps.vhost.master | 44 ++++++++----- server/conf/apache_ispconfig.conf.master | 65 +++++++++++++++---- server/conf/vhost.conf.master | 54 +++++++++++++-- server/lib/classes/system.inc.php | 25 +++++++ server/lib/classes/tpl.inc.php | 21 ++++-- .../plugins-available/apache2_plugin.inc.php | 7 +- .../apps_vhost_plugin.inc.php | 39 ++++++----- 7 files changed, 195 insertions(+), 60 deletions(-) diff --git a/server/conf/apache_apps.vhost.master b/server/conf/apache_apps.vhost.master index ff6d4da05..49f829a6d 100644 --- a/server/conf/apache_apps.vhost.master +++ b/server/conf/apache_apps.vhost.master 
@@ -4,38 +4,46 @@ # for the ISPConfig apps vhost ###################################################### -{vhost_port_listen} Listen {apps_vhost_port} -# NameVirtualHost *:{apps_vhost_port} +{tmpl_var name='vhost_port_listen'} Listen {tmpl_var name='apps_vhost_port'} +# NameVirtualHost *:{tmpl_var name='apps_vhost_port'} - + ServerAdmin webmaster@localhost - {apps_vhost_servername} + {tmpl_var name='apps_vhost_servername'} SetHandler None - DocumentRoot {apps_vhost_dir} + DocumentRoot {tmpl_var name='apps_vhost_dir'} AddType application/x-httpd-php .php - - Options FollowSymLinks - AllowOverride None - Order allow,deny - Allow from all + + Options FollowSymLinks + AllowOverride None + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} - DocumentRoot {apps_vhost_dir} + DocumentRoot {tmpl_var name='apps_vhost_dir'} SuexecUserGroup ispapps ispapps - - Options Indexes FollowSymLinks MultiViews +ExecCGI - AllowOverride AuthConfig Indexes Limit Options FileInfo - AddHandler fcgid-script .php - FCGIWrapper {apps_vhost_basedir}/php-fcgi-scripts/apps/.php-fcgi-starter .php - Order allow,deny - Allow from all + + Options Indexes FollowSymLinks MultiViews +ExecCGI + AllowOverride AuthConfig Indexes Limit Options FileInfo + AddHandler fcgid-script .php + FCGIWrapper {tmpl_var name='apps_vhost_basedir'}/php-fcgi-scripts/apps/.php-fcgi-starter .php + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} diff --git a/server/conf/apache_ispconfig.conf.master b/server/conf/apache_ispconfig.conf.master index 5fb0f2c11..a61519880 100644 --- a/server/conf/apache_ispconfig.conf.master +++ b/server/conf/apache_ispconfig.conf.master 
@@ -8,61 +8,100 @@ CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m AllowOverride None - Order Deny,Allow - Deny from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all deny + {tmpl_else} + Order Deny,Allow + Deny from all + {/tmpl_if} # Do not allow access to the root file system of the server for security reasons AllowOverride None - Order Deny,Allow - Deny from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all deny + {tmpl_else} + Order Deny,Allow + Deny from all + {/tmpl_if} AllowOverride None - Order Deny,Allow - Deny from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all deny + {tmpl_else} + Order Deny,Allow + Deny from all + {/tmpl_if} # Except of the following directories that contain website scripts + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} # Allow access to mailman on OpenSuSE - AllowOverride All - order allow,deny - allow from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} - order allow,deny - allow from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} Options +FollowSymLinks - order allow,deny - allow from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} # allow path to awstats and 
alias for awstats icons + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} Alias /awstats-icon "/usr/share/awstats/icon" diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master index 5d74512cc..0f8a79ad6 100644 --- a/server/conf/vhost.conf.master +++ b/server/conf/vhost.conf.master @@ -1,8 +1,12 @@ AllowOverride None + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all deny + {tmpl_else} Order Deny,Allow Deny from all + {/tmpl_if} @@ -55,8 +59,12 @@ Options FollowSymLinks AllowOverride + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} # ssi enabled @@ -66,17 +74,25 @@ + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all denied + {tmpl_else} Order allow,deny Deny from all Allow from none + {/tmpl_if} Options FollowSymLinks AllowOverride + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} # ssi enabled @@ -86,9 +102,13 @@ - Order allow,deny - Deny from all - Allow from none + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all denied + {tmpl_else} + Order allow,deny + Deny from all + Allow from none + {/tmpl_if} @@ -141,8 +161,12 @@ # cgi enabled + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} ScriptAlias /cgi-bin/ /cgi-bin/ AddHandler cgi-script .cgi @@ -189,8 +213,12 @@ Action php5-cgi /php5-cgi AddHandler php5-cgi .php .php3 .php4 .php5 - Order allow,deny - Allow from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} 
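Review bot: `Require all deny` in the three deny blocks of the apache_ispconfig.conf.master hunk is not an argument Apache 2.4 documents for `Require all`, which takes only `granted` or `denied`. On a 2.4 host the rendered file would therefore be expected to fail the configuration check rather than apply the root-filesystem deny. The same spelling is in the first vhost.conf.master hunk (@@ -1,8 +1,12 @@), while the later vhost.conf.master hunks already use the correct form. Each of these four lines should read `Require all denied`.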
@@ -224,23 +252,35 @@ FCGIWrapper .php Options +ExecCGI AllowOverride + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} AddHandler fcgid-script .php .php3 .php4 .php5 FCGIWrapper .php Options +ExecCGI AllowOverride + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} Order allow,deny Allow from all + {/tmpl_if} - Order allow,deny - Allow from all + {tmpl_if name='apache_version' op='>' value='2.2' format='version'} + Require all granted + {tmpl_else} + Order allow,deny + Allow from all + {/tmpl_if} AddHandler php5-fcgi .php Action php5-fcgi /php5-fcgi diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php index a393384c9..a05f4f4d5 100644 --- a/server/lib/classes/system.inc.php +++ b/server/lib/classes/system.inc.php 
@@ -1724,6 +1724,31 @@ class system{ if(substr($init_script_directory, -1) === '/') $init_script_directory = substr($init_script_directory, 0, -1); return $init_script_directory.'/'.$servicename.' '.$action; } + + function getapacheversion($get_minor = false) { + global $app; + + $cmd = ''; + if($this->is_installed('apache2ctl')) $cmd = 'apache2ctl -v'; + elseif($this->is_installed('apachectl')) $cmd = 'apachectl -v'; + else { + $app->log("Could not check apache version, apachectl not found.", LOGLEVEL_WARN); + return '2.2'; + } + + exec($cmd, $output, $return_var); + if($return_var != 0 || !$output[0]) { + $app->log("Could not check apache version, apachectl did not return any data.", LOGLEVEL_WARN); + return '2.2'; + } + + if(preg_match('/version:\s*Apache\/(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { + return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : ''); + } else { + $app->log("Could not check apache version, did not find version string in apachectl output.", LOGLEVEL_WARN); + return '2.2'; + } + } } diff --git a/server/lib/classes/tpl.inc.php b/server/lib/classes/tpl.inc.php index deb9ca1c5..b4d8ca2aa 100644 --- a/server/lib/classes/tpl.inc.php +++ b/server/lib/classes/tpl.inc.php @@ -1109,7 +1109,7 @@ if (!defined('vlibTemplateClassLoaded')) { * @access private * @return string used for eval'ing */ - function _parseIf ($varname, $value=null, $op=null, $namespace=null) { + function _parseIf ($varname, $value=null, $op=null, $namespace=null, $format=null) { if (isset($namespace)) $namespace = substr($namespace, 0, -1); $comp_str = ''; // used for extended if statements 
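Review bot: Every failure path in `getapacheversion()` returns the literal `'2.2'`, so a 2.4 host where neither control binary is found, or where it prints nothing, is rendered with the 2.2 access directives and only a warning in the log. The check `!$output[0]` also reads index 0 of an array that `exec()` can leave empty; `if($return_var != 0 || empty($output[0])) {` avoids the undefined-offset notice. The method has no docblock: add one saying that it returns `major.minor` (plus the patch level when `$get_minor` is true) and that `'2.2'` is the fallback, so callers know the value may be a guess. The result is not cached, and the apache2_plugin hunks call it once per template, so each render runs the control binary again.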
@@ -1151,10 +1151,19 @@ if (!defined('vlibTemplateClassLoaded')) { } } if ($this->OPTIONS['GLOBAL_VARS'] && empty($namespace)) { - return '(('.$retstr.'[\''.$varname.'\'] !== null) ? '.$retstr.'[\''.$varname.'\'] : $this->_vars[\''.$varname.'\'])'.$comp_str; + $retstr = '(('.$retstr.'[\''.$varname.'\'] !== null) ? '.$retstr.'[\''.$varname.'\'] : $this->_vars[\''.$varname.'\'])'; + if(isset($format) && isset($value) && $format == 'version') { + return 'version_compare(' . $retstr . ', \'' . $value . '\', ' . (!empty($op) ? $op : '==') . ')'; + } else { + return $retstr.$comp_str; + } } else { - return $retstr."['".$varname."']".$comp_str; + if(isset($format) && isset($value) && $format == 'version') { + return 'version_compare(' . $retstr."['".$varname."']" . ', \'' . $value . '\', ' . (!empty($op) ? $op : '==') . ')'; + } else { + return $retstr."['".$varname."']".$comp_str; + } } } @@ -1330,15 +1339,15 @@ if (!defined('vlibTemplateClassLoaded')) { break; case 'if': - return '_parseIf($var, @$value, @$op, @$namespace) .') { ?>'.$newline; + return '_parseIf($var, @$value, @$op, @$namespace, @$format) .') { ?>'.$newline; break; case 'unless': - return '_parseIf($var, @$value, @$op, @$namespace) .') { ?>'.$newline; + return '_parseIf($var, @$value, @$op, @$namespace, @$format) .') { ?>'.$newline; break; case 'elseif': - return '_parseIf($var, @$value, @$op, @$namespace) .') { ?>'.$newline; + return '_parseIf($var, @$value, @$op, @$namespace, @$format) .') { ?>'.$newline; break; case 'loop': diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 4007a7d8f..0901c2368 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -930,6 +930,7 @@ class apache2_plugin { } $tpl->setVar($vhost_data); + $tpl->setVar('apache_version', $app->system->getapacheversion()); // Rewrite rules $rewrite_rules = array(); 
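Review bot: In both new `version_compare(` returns of `_parseIf` the operator is concatenated into the generated code without quotes, so `op='>'` yields `version_compare(…, '2.2', >)`. That is a parse error when the string is eval'ed, unless `$op` is quoted earlier in the function, which lies outside this hunk. `$value` and `$op` come straight from template attributes and land in eval'ed PHP, so the operator should be checked against the operators `version_compare()` accepts and both values emitted as proper string literals. The two branches differ only in the left-hand expression, so it can be built once and the version branch written a single time. The new `$format` parameter added in the @@ -1109,7 +1109,7 @@ hunk also needs a `@param` line in the docblock.

```php
// … unchanged: namespace handling and $comp_str construction …
if ($this->OPTIONS['GLOBAL_VARS'] && empty($namespace)) {
	$lhs = '(('.$retstr.'[\''.$varname.'\'] !== null) ? '.$retstr.'[\''.$varname.'\'] : $this->_vars[\''.$varname.'\'])';
} else {
	$lhs = $retstr."['".$varname."']";
}
if (isset($format) && isset($value) && $format == 'version') {
	// version_compare() takes the operator as a string argument; emit only operators it knows
	$allowed_ops = array('<', 'lt', '<=', 'le', '>', 'gt', '>=', 'ge', '==', 'eq', '!=', '<>', 'ne');
	$cmp = in_array($op, $allowed_ops, true) ? $op : '==';
	return 'version_compare(' . $lhs . ', ' . var_export((string)$value, true) . ', ' . var_export($cmp, true) . ')';
}
return $lhs.$comp_str;
```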
@@ -1136,6 +1137,7 @@ class apache2_plugin { $fcgi_tpl = new tpl(); $fcgi_tpl->newTemplate('php-fcgi-starter.master'); + $fcgi_tpl->setVar('apache_version', $app->system->getapacheversion()); // Support for multiple PHP versions (FastCGI) if(trim($data['new']['fastcgi_php_version']) != ''){ @@ -1275,6 +1277,7 @@ class apache2_plugin { $cgi_tpl = new tpl(); $cgi_tpl->newTemplate('php-cgi-starter.master'); + $cgi_tpl->setVar('apache_version', $app->system->getapacheversion()); // This works because PHP "rewrites" a symlink to the physical path $php_open_basedir = ($data['new']['php_open_basedir'] == '')?$data['new']['document_root']:$data['new']['php_open_basedir']; @@ -1909,6 +1912,7 @@ class apache2_plugin { $tpl = new tpl(); $tpl->newTemplate('apache_ispconfig.conf.master'); + $tpl->setVar('apache_version', $app->system->getapacheversion()); $records = $app->db->queryAllRecords('SELECT * FROM server_ip WHERE server_id = '.$conf['server_id']." AND virtualhost = 'y'"); $records_out= array(); @@ -2609,7 +2613,8 @@ class apache2_plugin { $app->load('tpl'); $tpl = new tpl(); $tpl->newTemplate('php_fpm_pool.conf.master'); - + $tpl->setVar('apache_version', $app->system->getapacheversion()); + if($data['new']['php_fpm_use_socket'] == 'y'){ $use_tcp = 0; $use_socket = 1; diff --git a/server/plugins-available/apps_vhost_plugin.inc.php b/server/plugins-available/apps_vhost_plugin.inc.php index 825186399..320f3d024 100644 --- a/server/plugins-available/apps_vhost_plugin.inc.php +++ b/server/plugins-available/apps_vhost_plugin.inc.php 
@@ -80,13 +80,12 @@ class apps_vhost_plugin { $web_config = $app->getconf->get_server_config($conf["server_id"], 'web'); if($web_config['server_type'] == 'apache'){ - // Dont just copy over the virtualhost template but add some custom settings - if(file_exists($conf["rootpath"]."/conf-custom/apache_apps.vhost.master")) { - $content = file_get_contents($conf["rootpath"]."/conf-custom/apache_apps.vhost.master"); - } else { - $content = file_get_contents($conf["rootpath"]."/conf/apache_apps.vhost.master"); - } + $app->load('tpl'); + $tpl = new tpl(); + $tpl->newTemplate('apache_apps.vhost.master'); + + $tpl->setVar('apache_version', $app->system->getapacheversion()); $vhost_conf_dir = $web_config['vhost_conf_dir']; $vhost_conf_enabled_dir = $web_config['vhost_conf_enabled_dir']; 
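Review bot: The removed lines preferred `conf-custom/apache_apps.vhost.master` over the stock template, and the replacement `$tpl->newTemplate('apache_apps.vhost.master')` does not show whether that lookup is kept. If `newTemplate()` does not check conf-custom, an administrator's customised (possibly hardened) apps vhost is silently replaced by the default on the next write. Confirm the lookup order in `newTemplate()` and record it here, for example `// newTemplate() resolves conf-custom/ before conf/, same as the previous file_exists() check`. The enclosing method starts and ends outside this hunk.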
@@ -95,21 +94,31 @@ class apps_vhost_plugin { $web_config['apps_vhost_port'] = (empty($web_config['apps_vhost_port']))?8081:$web_config['apps_vhost_port']; $web_config['apps_vhost_ip'] = (empty($web_config['apps_vhost_ip']))?'_default_':$web_config['apps_vhost_ip']; + $tpl->setVar('apps_vhost_ip', $web_config['apps_vhost_ip']); + $tpl->setVar('apps_vhost_port', $web_config['apps_vhost_port']); + $tpl->setVar('apps_vhost_dir', $web_config['website_basedir'].'/apps'); + $tpl->setVar('apps_vhost_servername', $apps_vhost_servername); + $tpl->setVar('apps_vhost_basedir', $web_config['website_basedir']); + + $vhost_port_listen = ''; + // comment out the listen directive if port is 80 or 443 + if($web_config['apps_vhost_port'] == 80 or $web_config['apps_vhost_port'] == 443) { + $vhost_port_listen = '#'; + } + $tpl->setVar('vhost_port_listen', $vhost_port_listen); + + $content = $tpl->grab(); + + /* for backwards compatibility we replace the old syntax by hand now */ $content = str_replace('{apps_vhost_ip}', $web_config['apps_vhost_ip'], $content); $content = str_replace('{apps_vhost_port}', $web_config['apps_vhost_port'], $content); $content = str_replace('{apps_vhost_dir}', $web_config['website_basedir'].'/apps', $content); $content = str_replace('{apps_vhost_servername}', $apps_vhost_servername, $content); $content = str_replace('{apps_vhost_basedir}', $web_config['website_basedir'], $content); + $content = str_replace('{vhost_port_listen}', $vhost_port_listen, $content); + /* end of backwards compatibility section */ - - // comment out the listen directive if port is 80 or 443 - if($web_config['apps_vhost_port'] == 80 or $web_config['apps_vhost_port'] == 443) { - $content = str_replace('{vhost_port_listen}', '#', $content); - } else { - $content = str_replace('{vhost_port_listen}', '', $content); - } - - file_put_contents("$vhost_conf_dir/apps.vhost", $content); + $app->system->file_put_contents("$vhost_conf_dir/apps.vhost", $content); 
$app->services->restartServiceDelayed('httpd', 'restart'); } -- GitLab
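Review bot: The values passed to `setVar()` here (`apps_vhost_ip`, `apps_vhost_port`, `website_basedir`, `$apps_vhost_servername`) are written verbatim into directives such as `Listen` and `DocumentRoot`, first by the template and again by the `str_replace` compatibility pass. A value containing a line break would therefore add directives to apps.vhost. They may be validated where the server config is saved, which is not visible from this hunk, but normalising them before rendering is cheap, e.g. `$web_config['apps_vhost_port'] = (int)$web_config['apps_vhost_port'];` and rejecting control characters in the others. The return value of `$app->system->file_put_contents()` is also not checked before `restartServiceDelayed('httpd', 'restart')`, so a failed write still triggers a restart. `$apps_vhost_servername` is defined outside the hunk.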