From 614b23b18053c58c3f85db5ceaa982484175d276 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Mon, 25 Aug 2014 16:35:53 +0200 Subject: [PATCH] Added apache directives check agains regex blacklist in security settings. --- interface/lib/classes/IDS/Monitor.php | 4 +- interface/lib/classes/validate_domain.inc.php | 40 +++++++++++++++++++ interface/web/sites/form/web_domain.tform.php | 7 ++++ .../sites/form/web_vhost_subdomain.tform.php | 7 ++++ .../web/sites/lib/lang/ar_web_domain.lng | 1 + .../web/sites/lib/lang/bg_web_domain.lng | 1 + .../web/sites/lib/lang/br_web_domain.lng | 1 + .../web/sites/lib/lang/cz_web_domain.lng | 1 + .../web/sites/lib/lang/de_web_domain.lng | 1 + .../web/sites/lib/lang/el_web_domain.lng | 1 + .../web/sites/lib/lang/en_web_domain.lng | 1 + .../web/sites/lib/lang/es_web_domain.lng | 1 + .../web/sites/lib/lang/fi_web_domain.lng | 1 + .../web/sites/lib/lang/fr_web_domain.lng | 1 + .../web/sites/lib/lang/hr_web_domain.lng | 1 + .../web/sites/lib/lang/hu_web_domain.lng | 1 + .../web/sites/lib/lang/id_web_domain.lng | 1 + .../web/sites/lib/lang/it_web_domain.lng | 1 + .../web/sites/lib/lang/ja_web_domain.lng | 1 + .../web/sites/lib/lang/nl_web_domain.lng | 1 + .../web/sites/lib/lang/pl_web_domain.lng | 1 + .../web/sites/lib/lang/pt_web_domain.lng | 1 + .../web/sites/lib/lang/ro_web_domain.lng | 1 + .../web/sites/lib/lang/ru_web_domain.lng | 1 + .../web/sites/lib/lang/se_web_domain.lng | 1 + .../web/sites/lib/lang/sk_web_domain.lng | 1 + .../web/sites/lib/lang/tr_web_domain.lng | 1 + 27 files changed, 79 insertions(+), 2 deletions(-) diff --git a/interface/lib/classes/IDS/Monitor.php b/interface/lib/classes/IDS/Monitor.php index f93e748e4..90c89589d 100644 --- a/interface/lib/classes/IDS/Monitor.php +++ b/interface/lib/classes/IDS/Monitor.php @@ -250,7 +250,7 @@ class Monitor $filterSet = $this->storage->getFilterSet(); if ($tags = $this->tags) { - $filterSet = array_filter( + $filterSet = @array_filter( $filterSet, function (Filter $filter) use ($tags) { return (bool) array_intersect($tags, $filter->getTags()); @@ -259,7 +259,7 @@ class Monitor } $scanKeys = $this->scanKeys; - $filterSet = array_filter( + $filterSet = @array_filter( $filterSet, function (Filter $filter) use ($key, $value, $scanKeys) { return $filter->match($value) || $scanKeys && $filter->match($key); diff --git a/interface/lib/classes/validate_domain.inc.php b/interface/lib/classes/validate_domain.inc.php index d92de9b94..8df0d2f1a 100644 --- a/interface/lib/classes/validate_domain.inc.php +++ b/interface/lib/classes/validate_domain.inc.php @@ -97,6 +97,45 @@ class validate_domain { $result = $this->_check_unique($field_value . '.' . $check_domain, true); if(!$result) return $this->get_error('domain_error_autosub'); } + + /* Check apache directives */ + function web_apache_directives($field_name, $field_value, $validator) { + global $app; + + if(trim($field_value) != '') { + $security_config = $app->getconf->get_security_config('ids'); + + if($security_config['apache_directives_scan_enabled'] == 'yes') { + + // Get blacklist + $blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist'; + if(is_file('/usr/local/ispconfig/security/apache_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/apache_directives.blacklist.custom'; + if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/apache_directives.blacklist'); + + $directives = explode("\n",$field_value); + $regex = explode("\n",file_get_contents($blacklist_path)); + $blocked = false; + $blocked_line = ''; + + if(is_array($directives) && is_array($regex)) { + foreach($directives as $directive) { + $directive = trim($directive); + foreach($regex as $r) { + if(preg_match(trim($r),$directive)) { + $blocked = true; + $blocked_line = $directive; + }; + } + } + } + } + } + + if($blocked === true) { + return $this->get_error('apache_directive_blocked_error').' '.$blocked_line; + } + } + /* internal validator function to match regexp */ function _regex_validate($domain_name, $allow_wildcard = false) { @@ -175,5 +214,6 @@ class validate_domain { } return true; // admin may always add wildcard domain } + } diff --git a/interface/web/sites/form/web_domain.tform.php b/interface/web/sites/form/web_domain.tform.php index efaea89cf..16a0c856c 100644 --- a/interface/web/sites/form/web_domain.tform.php +++ b/interface/web/sites/form/web_domain.tform.php @@ -730,6 +730,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { 'apache_directives' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXT', + 'validators' => array ( 0 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_domain', + 'function' => 'web_apache_directives', + 'errmsg' => 'apache_directive_blockd_error' + ), + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/sites/form/web_vhost_subdomain.tform.php b/interface/web/sites/form/web_vhost_subdomain.tform.php index 3aa2276fc..55dd261df 100644 --- a/interface/web/sites/form/web_vhost_subdomain.tform.php +++ b/interface/web/sites/form/web_vhost_subdomain.tform.php @@ -706,6 +706,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { 'apache_directives' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXT', + 'validators' => array ( 0 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_domain', + 'function' => 'web_apache_directives', + 'errmsg' => 'apache_directive_blockd_error' + ), + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/sites/lib/lang/ar_web_domain.lng b/interface/web/sites/lib/lang/ar_web_domain.lng index 539d3b712..1714b6417 100644 --- a/interface/web/sites/lib/lang/ar_web_domain.lng +++ b/interface/web/sites/lib/lang/ar_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/bg_web_domain.lng b/interface/web/sites/lib/lang/bg_web_domain.lng index 3af58cd1f..594b6f2c7 100644 --- a/interface/web/sites/lib/lang/bg_web_domain.lng +++ b/interface/web/sites/lib/lang/bg_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/br_web_domain.lng b/interface/web/sites/lib/lang/br_web_domain.lng index 8b4484eb7..21525c5d9 100644 --- a/interface/web/sites/lib/lang/br_web_domain.lng +++ b/interface/web/sites/lib/lang/br_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/cz_web_domain.lng b/interface/web/sites/lib/lang/cz_web_domain.lng index 99c9e1054..db8f37f9d 100644 --- a/interface/web/sites/lib/lang/cz_web_domain.lng +++ b/interface/web/sites/lib/lang/cz_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Oddělte více adresářů čárkami. Vzor: $wb['backup_excludes_error_regex'] = 'Vyloučené adresáře obsahují neplatné znaky.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Neplatné nastavení php.ini'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/de_web_domain.lng b/interface/web/sites/lib/lang/de_web_domain.lng index c005f90c2..b90ff9a53 100644 --- a/interface/web/sites/lib/lang/de_web_domain.lng +++ b/interface/web/sites/lib/lang/de_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Mehrere Verzeichnisse mit Kommas trennen. Be $wb['backup_excludes_error_regex'] = 'Die auszuschließenden Verzeichnisse enthalten ungültige Zeichen.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Unzulässige php.ini-Einstellungen'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Die Apache Direktive wurde durch die Sicherheitsrichtline blockiert:'; ?> diff --git a/interface/web/sites/lib/lang/el_web_domain.lng b/interface/web/sites/lib/lang/el_web_domain.lng index bc9a8359b..b2792cefb 100644 --- a/interface/web/sites/lib/lang/el_web_domain.lng +++ b/interface/web/sites/lib/lang/el_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/en_web_domain.lng b/interface/web/sites/lib/lang/en_web_domain.lng index 0478e9972..14b3d526f 100644 --- a/interface/web/sites/lib/lang/en_web_domain.lng +++ b/interface/web/sites/lib/lang/en_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> \ No newline at end of file diff --git a/interface/web/sites/lib/lang/es_web_domain.lng b/interface/web/sites/lib/lang/es_web_domain.lng index f56e895dc..48c37ffd8 100644 --- a/interface/web/sites/lib/lang/es_web_domain.lng +++ b/interface/web/sites/lib/lang/es_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/fi_web_domain.lng b/interface/web/sites/lib/lang/fi_web_domain.lng index e5323b21c..e13fb8f54 100755 --- a/interface/web/sites/lib/lang/fi_web_domain.lng +++ b/interface/web/sites/lib/lang/fi_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/fr_web_domain.lng b/interface/web/sites/lib/lang/fr_web_domain.lng index 00c2dcf15..7c01ca3f9 100644 --- a/interface/web/sites/lib/lang/fr_web_domain.lng +++ b/interface/web/sites/lib/lang/fr_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/hr_web_domain.lng b/interface/web/sites/lib/lang/hr_web_domain.lng index 51fcb92d6..a7927a354 100644 --- a/interface/web/sites/lib/lang/hr_web_domain.lng +++ b/interface/web/sites/lib/lang/hr_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/hu_web_domain.lng b/interface/web/sites/lib/lang/hu_web_domain.lng index e160449c0..3fc994edc 100644 --- a/interface/web/sites/lib/lang/hu_web_domain.lng +++ b/interface/web/sites/lib/lang/hu_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/id_web_domain.lng b/interface/web/sites/lib/lang/id_web_domain.lng index ef3423ee3..8ed9ad9df 100644 --- a/interface/web/sites/lib/lang/id_web_domain.lng +++ b/interface/web/sites/lib/lang/id_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/it_web_domain.lng b/interface/web/sites/lib/lang/it_web_domain.lng index c946023d5..5a2bdf544 100644 --- a/interface/web/sites/lib/lang/it_web_domain.lng +++ b/interface/web/sites/lib/lang/it_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ja_web_domain.lng b/interface/web/sites/lib/lang/ja_web_domain.lng index d32a9d19b..41ce4717f 100644 --- a/interface/web/sites/lib/lang/ja_web_domain.lng +++ b/interface/web/sites/lib/lang/ja_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/nl_web_domain.lng b/interface/web/sites/lib/lang/nl_web_domain.lng index 1efbbc6e3..aa3134b92 100644 --- a/interface/web/sites/lib/lang/nl_web_domain.lng +++ b/interface/web/sites/lib/lang/nl_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/pl_web_domain.lng b/interface/web/sites/lib/lang/pl_web_domain.lng index ed288131e..858b35c6f 100644 --- a/interface/web/sites/lib/lang/pl_web_domain.lng +++ b/interface/web/sites/lib/lang/pl_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/pt_web_domain.lng b/interface/web/sites/lib/lang/pt_web_domain.lng index 3d197794e..ac0f7f724 100644 --- a/interface/web/sites/lib/lang/pt_web_domain.lng +++ b/interface/web/sites/lib/lang/pt_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ro_web_domain.lng b/interface/web/sites/lib/lang/ro_web_domain.lng index e568b8cf4..d4667d00c 100644 --- a/interface/web/sites/lib/lang/ro_web_domain.lng +++ b/interface/web/sites/lib/lang/ro_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/ru_web_domain.lng b/interface/web/sites/lib/lang/ru_web_domain.lng index c19265692..06d82c1a2 100644 --- a/interface/web/sites/lib/lang/ru_web_domain.lng +++ b/interface/web/sites/lib/lang/ru_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/se_web_domain.lng b/interface/web/sites/lib/lang/se_web_domain.lng index 5156df19f..d25c8b152 100644 --- a/interface/web/sites/lib/lang/se_web_domain.lng +++ b/interface/web/sites/lib/lang/se_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Ogiltiga php.ini-inställningar'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/sk_web_domain.lng b/interface/web/sites/lib/lang/sk_web_domain.lng index 5497f9f5d..e38610de4 100644 --- a/interface/web/sites/lib/lang/sk_web_domain.lng +++ b/interface/web/sites/lib/lang/sk_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> diff --git a/interface/web/sites/lib/lang/tr_web_domain.lng b/interface/web/sites/lib/lang/tr_web_domain.lng index 59dc02aa8..557b69b25 100644 --- a/interface/web/sites/lib/lang/tr_web_domain.lng +++ b/interface/web/sites/lib/lang/tr_web_domain.lng @@ -128,4 +128,5 @@ $wb['backup_excludes_note_txt'] = '(Separate multiple directories with commas. E $wb['backup_excludes_error_regex'] = 'The excluded directories contain invalid characters.'; $wb['invalid_custom_php_ini_settings_txt'] = 'Invalid php.ini settings'; $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; +$wb['apache_directive_blocked_error'] = 'Apache directive blocked by security settings:'; ?> -- GitLab