Merge branch 'Froxlor:main' into main

Author: boonkerz

.github/workflows/build-mariadb.yml

@@ -12,7 +12,7 @@ jobs:
         mariadb-version: [ 10.11, 10.5 ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
@@ -57,7 +57,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup PHP with PECL extension
         uses: shivammathur/setup-php@v2
@@ -70,7 +70,7 @@ jobs:
         run: composer install --no-dev
 
       - name: Install Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20.x'
 
@@ -119,7 +119,7 @@ jobs:
           mv froxlor-nightly.${{steps.vars.outputs.sha_short}}.zip.sha256 dist/
 
       - name: Deploy nightly to server
-        uses: easingthemes/ssh-deploy@v3.4.3
+        uses: easingthemes/ssh-deploy@main
         env:
           ARGS: "-rltDzvO --chown=${{ secrets.WEB_USER }}:${{ secrets.WEB_USER }}"
           SOURCE: "dist/"

.github/workflows/build-mysql.yml

@@ -12,7 +12,7 @@ jobs:
         mysql-version: [8.0, 5.7]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2

actions/admin/settings/120.system.php

@@ -180,18 +180,6 @@
 					'default' => true,
 					'save_method' => 'storeSettingField'
 				],
-				'system_httpuser' => [
-					'settinggroup' => 'system',
-					'varname' => 'httpuser',
-					'type' => 'hidden',
-					'default' => 'www-data'
-				],
-				'system_httpgroup' => [
-					'settinggroup' => 'system',
-					'varname' => 'httpgroup',
-					'type' => 'hidden',
-					'default' => 'www-data'
-				],
 				'system_report_enable' => [
 					'label' => lng('serversettings.report.report'),
 					'settinggroup' => 'system',

lib/Froxlor/Api/Commands/Customers.php

@@ -460,6 +460,28 @@ public function add()
 						if (function_exists('posix_getpwnam') && !in_array("posix_getpwnam", explode(",", ini_get('disable_functions'))) && posix_getpwnam($loginname)) {
 							Response::standardError('loginnameissystemaccount', $loginname, true);
 						}
+
+						// blacklist some system-internal names that might lead to issues
+						Database::needSqlData();
+						$sqldata = Database::getSqlData();
+						Database::needRoot(true);
+						Database::needSqlData();
+						$sqlrdata = Database::getSqlData();
+						$login_blacklist = [
+							'root',
+							'admin',
+							'froxroot',
+							'froxlor',
+							$sqldata['user'],
+							$sqldata['db'],
+							$sqlrdata['user'],
+						];
+						unset($sqldata);
+						unset($sqlrdata);
+						$login_blacklist = array_unique($login_blacklist);
+						if (in_array($loginname, $login_blacklist)) {
+							Response::standardError('loginnameisreservedname', $loginname, true);
+						}
 					} else {
 						$accountnumber = intval(Settings::Get('system.lastaccountnumber')) + 1;
 						$loginname = Settings::Get('customer.accountprefix') . $accountnumber;
@@ -748,9 +770,10 @@ public function add()
 							$dbm = new DbManager($this->logger());
 							// give permission to the user on every access-host we have
 							foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
-								$dbm->getManager()->grantPrivilegesTo($loginname, $password, $mysql_access_host, false, false);
+								$dbm->getManager()->grantPrivilegesTo($loginname, $password, $mysql_access_host, false, false, true);
 							}
 							$dbm->getManager()->flushPrivileges();
+							Database::needRoot(false);
 						}
 					}
 
@@ -1320,7 +1343,8 @@ public function update()
 				]);
 
 				// enable/disable global mysql-user (loginname)
-				foreach ($result['allowed_mysqlserver'] as $dbserver) {
+				$current_allowed_mysqlserver =  isset($result['allowed_mysqlserver']) && !empty($result['allowed_mysqlserver']) ? json_decode($result['allowed_mysqlserver'], true) : [];
+				foreach ($current_allowed_mysqlserver as $dbserver) {
 					// require privileged access for target db-server
 					Database::needRoot(true, $dbserver, false);
 					// get DbManager
@@ -1336,6 +1360,7 @@ public function update()
 						}
 					}
 					$dbm->getManager()->flushPrivileges();
+					Database::needRoot(false);
 				}
 
 				// Retrieve customer's databases
@@ -1650,7 +1675,8 @@ public function delete()
 			$id = $result['customerid'];
 
 			// remove global mysql-user (loginname)
-			foreach ($result['allowed_mysqlserver'] as $dbserver) {
+			$current_allowed_mysqlserver =  isset($result['allowed_mysqlserver']) && !empty($result['allowed_mysqlserver']) ? json_decode($result['allowed_mysqlserver'], true) : [];
+			foreach ($current_allowed_mysqlserver as $dbserver) {
 				// require privileged access for target db-server
 				Database::needRoot(true, $dbserver, false);
 				// get DbManager
@@ -1659,6 +1685,7 @@ public function delete()
 					$dbm->getManager()->deleteUser($result['loginname'], $mysql_access_host);
 				}
 				$dbm->getManager()->flushPrivileges();
+				Database::needRoot(false);
 			}
 
 			// remove all databases

lib/Froxlor/Api/Commands/Domains.php

@@ -1528,13 +1528,12 @@ public function update()
 				// enabled ssl for the domain but no ssl ip/port is selected
 				Response::standardError('nosslippportgiven', '', true);
 			}
-			if (Settings::Get('system.use_ssl') == "0" || empty($ssl_ipandports)) {
+			if (Settings::Get('system.use_ssl') == "0" || empty($ssl_ipandports) || !$sslenabled) {
 				$ssl_redirect = 0;
 				$letsencrypt = 0;
 				$http2 = 0;
-				// we need this for the json_encode
-				// if ssl is disabled or no ssl-ip/port exists
-				$ssl_ipandports[] = -1;
+				// act like $remove_ssl_ipandport
+				$ssl_ipandports = [];
 
 				// HSTS
 				$hsts_maxage = 0;

lib/Froxlor/Cron/Http/Apache.php

@@ -26,6 +26,7 @@
 namespace Froxlor\Cron\Http;
 
 use Froxlor\Cron\Http\Php\PhpInterface;
+use Froxlor\Cron\TaskId;
 use Froxlor\Customer\Customer;
 use Froxlor\Database\Database;
 use Froxlor\Domain\Domain;
@@ -36,6 +37,7 @@
 use Froxlor\Http\Statistics;
 use Froxlor\PhpHelper;
 use Froxlor\Settings;
+use Froxlor\System\Cronjob;
 use Froxlor\System\Crypt;
 use Froxlor\Validate\Validate;
 use PDO;
@@ -133,6 +135,7 @@ public function createIpPort()
 					if (Settings::Get('system.le_froxlor_enabled') && ($this->froxlorVhostHasLetsEncryptCert() == false || $this->froxlorVhostLetsEncryptNeedsRenew())) {
 						$this->virtualhosts_data[$vhosts_filename] .= '# temp. disabled ssl-redirect due to Let\'s Encrypt certificate generation.' . PHP_EOL;
 						$is_redirect = false;
+						Cronjob::inserttask(TaskId::REBUILD_VHOST);
 					} else {
 						$_sslport = $this->checkAlternativeSslPort();
 

lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php

@@ -525,6 +525,8 @@ private static function runIssueFor($certrows = [])
 				self::runAcmeSh($certrow, $domains, $cronlog, $do_force, $certrow['domainid'] == 0);
 			} else {
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
+				// we need another reconfigure in order to get the certificate
+				Cronjob::inserttask(TaskId::REBUILD_VHOST);
 			}
 		}
 	}

lib/Froxlor/PhpHelper.php

@@ -416,6 +416,7 @@ public static function cleanGlobal(array &$global, AntiXSS &$antiXss)
 			'mysql_unprivileged_pass',
 			'admin_pass',
 			'admin_pass_confirm',
+			'panel_password_special_char',
 		];
 		if (!empty($global)) {
 			$tmp = $global;

lng/de.lng.php

@@ -408,7 +408,10 @@
 			'description' => 'Hier kann ein eigenes RSS-Feed angegeben werden, welches den Kunden auf dem Dashboard angezeigt wird.<br /><small>Leerlassen um das offizielle Froxlor Newsfeed (https://inside.froxlor.org/news/) zu verwenden.</small>',
 		],
 		'movetoadmin' => 'Kunde verschieben',
-		'movecustomertoadmin' => 'Verschiebe den Kunden zum angegebenen Admin/Reseller<br /><small>Leerlassen für keine Änderung.<br />Wird der gewünschte Admin/Reseller hier nicht aufgelistet, hat er sein Kunden-Kontigent erreicht.</small>',
+		'movecustomertoadmin' => [
+			'title' => 'Verschiebe den Kunden zum angegebenen Admin/Reseller',
+			'description' => 'Leerlassen für keine Änderung.<br />Wird der gewünschte Admin/Reseller hier nicht aufgelistet, hat er sein Kunden-Kontigent erreicht.',
+		],
 		'note' => 'Hinweis',
 		'mod_fcgid_umask' => [
 			'title' => 'Umask (Standard: 022)',
@@ -432,8 +435,8 @@
 			'description' => 'Die optionale "includeSubDomains" Direktive, wenn vorhanden, signalisiert dem UA, dass die HSTS Regel für diese Domain und auch jede Subdomain dieser gilt.',
 		],
 		'domain_hsts_preload' => [
-			'title' => 'Füge Domain in die <a href="https://hstspreload.org/" target="_blank">HSTS preload Liste</a> hinzu',
-			'description' => 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktivieren Sie diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachten Sie die Details unter <a href="https://hstspreload.org/#removal" target="_blank">https://hstspreload.org/#removal</a> bevor ein Header mit "preload" gesendet wird.',
+			'title' => 'Füge Domain in die HSTS preload Liste hinzu',
+			'description' => 'Wenn die Domain in die <a href="https://hstspreload.org/" target="_blank">HSTS preload Liste</a>, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktivieren Sie diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachten Sie die Details unter <a href="https://hstspreload.org/#removal" target="_blank">https://hstspreload.org/#removal</a> bevor ein Header mit "preload" gesendet wird.',
 		],
 		'domain_ocsp_stapling' => [
 			'title' => 'OCSP stapling',
@@ -810,6 +813,7 @@
 		'stringformaterror' => 'Der Wert des Feldes "%s" hat nicht das erwartete Format.',
 		'loginnameisusingprefix' => 'Sie können keinen Account anlegen, der mit "%s" beginnt, da dieser Prefix für die automatische Namensvergabe eingestellt ist. Bitte wählen Sie einen anderen Accountnamen.',
 		'loginnameissystemaccount' => 'Der Account "%s" existiert bereits auf dem System und kann daher nicht verwendet werden. Bitte wählen Sie einen anderen Accountnamen.',
+		'loginnameisreservedname' => 'Der Account-Name "%s" ist systemseitig reserviert und kann nicht verwenden werden.',
 		'youcantdeleteyourself' => 'Aus Sicherheitsgründen können Sie sich nicht selbst löschen.',
 		'youcanteditallfieldsofyourself' => 'Hinweis: Aus Sicherheitsgründen können Sie nicht alle Felder Ihres eigenen Accounts bearbeiten.',
 		'documentrootexists' => 'Es existiert noch ein Verzeichnis "%s" für diesen Kunden. Bitte löschen Sie dieses vorher.',

lng/en.lng.php

@@ -413,7 +413,10 @@
 			'description' => 'Specify a custom RSS-feed that will be shown to your customers on their dashboard.<br /><small>Leave this empty to use the official froxlor newsfeed (https://inside.froxlor.org/news/).</small>',
 		],
 		'movetoadmin' => 'Move customer',
-		'movecustomertoadmin' => 'Move customer to the selected admin/reseller<br /><small>Leave this empty for no change.<br />If the desired admin does not show up in the list, his customer-limit has been reached.</small>',
+		'movecustomertoadmin' => [
+			'title' => 'Move customer to the selected admin/reseller',
+			'description' => 'Leave this empty for no change.<br />If the desired admin does not show up in the list, his customer-limit has been reached.',
+		],
 		'note' => 'Note',
 		'mod_fcgid_umask' => [
 			'title' => 'Umask (default: 022)',
@@ -440,8 +443,8 @@
 			'description' => 'The optional "includeSubDomains" directive, if present, signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host\'s domain name.',
 		],
 		'domain_hsts_preload' => [
-			'title' => 'Include domain in <a href="https://hstspreload.org/" target="_blank">HSTS preload list</a>',
-			'description' => 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.org/#removal" target="_blank">https://hstspreload.org/#removal</a> before sending the header with "preload".',
+			'title' => 'Include domain in HSTS preload list',
+			'description' => 'If you would like this domain to be included in the <a href="https://hstspreload.org/" target="_blank">HSTS preload list</a> maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.org/#removal" target="_blank">https://hstspreload.org/#removal</a> before sending the header with "preload".',
 		],
 		'domain_ocsp_stapling' => [
 			'title' => 'OCSP stapling',
@@ -882,6 +885,7 @@
 		'stringformaterror' => 'The value for the field "%s" is not in the expected format.',
 		'loginnameisusingprefix' => 'You cannot create accounts that begin with "%s", as this prefix is set to be used for the automatic account-naming. Please enter another account name.',
 		'loginnameissystemaccount' => 'The account "%s" already exists on the system and cannot be used. Please enter another account name.',
+		'loginnameisreservedname' => 'The account-name "%s" is reserved for system internals and cannot be used.',
 		'youcantdeleteyourself' => 'You cannot delete yourself for security reasons.',
 		'youcanteditallfieldsofyourself' => 'Note: You cannot edit all fields of your own account for security reasons.',
 		'documentrootexists' => 'The directory "%s" already exists for this customer. Please remove this before adding the customer again.',