Commit f2fc77f2 authored by Till Brehm's avatar Till Brehm
Browse files

Improved input validation.

parent 4ef653ec
......@@ -427,7 +427,11 @@ class functions {
public function is_allowed_user($username, $restrict_names = false) {
global $app;
if($username == 'root') return false;
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($username,$name_blacklist)) return false;
if(preg_match('/^[\w\.\-]{0,32}$/', $username) == false) return false;
if($restrict_names == true && preg_match('/^web\d+$/', $username) == false) return false;
return true;
......@@ -436,7 +440,11 @@ class functions {
public function is_allowed_group($groupname, $restrict_names = false) {
global $app;
if($groupname == 'root') return false;
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($groupname,$name_blacklist)) return false;
if(preg_match('/^[\w\.\-]{0,32}$/', $groupname) == false) return false;
if($restrict_names == true && preg_match('/^client\d+$/', $groupname) == false) return false;
return true;
......
......@@ -187,7 +187,10 @@ if($app->auth->is_admin()) {
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'directory_error_empty'),
'errmsg'=> 'directory_error_empty'),
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/',
'errmsg'=> 'directory_error_regex'),
),
'default' => '',
'value' => '',
......
......@@ -197,6 +197,12 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') {
'shell' => array (
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'shell_error_empty'),
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\/]{5,20}$/',
'errmsg'=> 'shell_error_regex'),
),
'default' => '/bin/bash',
'value' => '',
'width' => '30',
......@@ -205,8 +211,11 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') {
'dir' => array (
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'directory_error_empty'),
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'directory_error_empty'),
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/',
'errmsg'=> 'directory_error_regex'),
),
'default' => '',
'value' => '',
......
......@@ -138,6 +138,11 @@ class page_action extends tform_actions {
$dir = $app->db->quote($web["document_root"]);
$uid = $app->db->quote($web["system_user"]);
$gid = $app->db->quote($web["system_group"]);
// Check system user and group
if($app->functions->is_allowed_user($uid) == false || $app->functions->is_allowed_group($gid) == false) {
$app->error('Invalid system user or group');
}
// The FTP user shall be owned by the same group then the website
$sys_groupid = $app->functions->intval($web['sys_groupid']);
......@@ -148,7 +153,15 @@ class page_action extends tform_actions {
function onBeforeUpdate() {
global $app, $conf, $interfaceConf;
// Check system user and group
if(isset($this->dataRecord['uid'])) {
if($app->functions->is_allowed_user(strtolower($this->dataRecord['uid']),true) == false || $app->functions->is_allowed_group(strtolower($this->dataRecord['gid']),true) == false) {
$app->tform->errorMessage .= $app->tform->lng('invalid_system_user_or_group_txt');
}
}
/*
* If the names should be restricted -> do it!
*/
......
......@@ -32,4 +32,6 @@ $wb['generate_password_txt'] = 'Generate Password';
$wb['repeat_password_txt'] = 'Repeat Password';
$wb['password_mismatch_txt'] = 'The passwords do not match.';
$wb['password_match_txt'] = 'The passwords do match.';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
$wb['directory_error_regex'] = 'Invalid directory';
?>
......@@ -28,4 +28,7 @@ $wb['password_mismatch_txt'] = 'The passwords do not match.';
$wb['password_match_txt'] = 'The passwords do match.';
$wb['username_must_not_exceed_32_chars_txt'] = 'The username must not exceed 32 characters.';
$wb['username_not_allowed_txt'] = 'The username is not allowed.';
$wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
$wb['directory_error_regex'] = 'Invalid directory';
$wb['shell_error_regex'] = 'Invalid shell';
?>
......@@ -135,6 +135,8 @@ class page_action extends tform_actions {
}
}
unset($blacklist);
if($app->functions->is_allowed_user(trim(strtolower($this->dataRecord['username']))) == false) $app->tform->errorMessage .= $app->tform->lng('username_not_allowed_txt');
/*
* If the names should be restricted -> do it!
......@@ -163,6 +165,11 @@ class page_action extends tform_actions {
$dir = $app->db->quote($web["document_root"]);
$uid = $app->db->quote($web["system_user"]);
$gid = $app->db->quote($web["system_group"]);
// Check system user and group
if($app->functions->is_allowed_user($uid) == false || $app->functions->is_allowed_group($gid) == false) {
$app->error($app->tform->lng('invalid_system_user_or_group_txt'));
}
// The FTP user shall be owned by the same group then the website
$sys_groupid = $app->functions->intval($web['sys_groupid']);
......@@ -183,6 +190,13 @@ class page_action extends tform_actions {
}
}
unset($blacklist);
// Check system user and group
if(isset($this->dataRecord['puser'])) {
if($app->functions->is_allowed_user(strtolower($this->dataRecord['puser']),true) == false || $app->functions->is_allowed_group(strtolower($this->dataRecord['pgroup']),true) == false) {
$app->tform->errorMessage .= $app->tform->lng('invalid_system_user_or_group_txt');
}
}
/*
* If the names should be restricted -> do it!
......
......@@ -1821,7 +1821,11 @@ class system{
public function is_allowed_user($username, $check_id = true, $restrict_names = false) {
global $app;
if($username == 'root') return false;
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($username,$name_blacklist)) return false;
if(preg_match('/^[\w\.\-]{0,32}$/', $username) == false) return false;
if($check_id && intval($this->getuid($username)) < $this->min_uid) return false;
if($restrict_names == true && preg_match('/^web\d+$/', $username) == false) return false;
......@@ -1832,7 +1836,11 @@ class system{
public function is_allowed_group($groupname, $restrict_names = false) {
global $app;
if($groupname == 'root') return false;
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($groupname,$name_blacklist)) return false;
if(preg_match('/^[\w\.\-]{0,32}$/', $groupname) == false) return false;
if(intval($this->getgid($groupname)) < $this->min_gid) return false;
if($restrict_names == true && preg_match('/^client\d+$/', $groupname) == false) return false;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment