Merge branch 'stable' into qtwrkdev

.gitignore

@@ -3,3 +3,4 @@
 .LSOverride
 *.pyc
 .idea
+venv

CyberCP/secMiddleware.py

@@ -45,6 +45,7 @@ class secMiddleware:
                     return HttpResponse(final_json)
         except:
             pass
+
         if request.method == 'POST':
             try:
                 #logging.writeToFile(request.body)

filemanager/filemanager.py

@@ -6,7 +6,7 @@ from websiteFunctions.models import Websites
 from random import randint
 from django.core.files.storage import FileSystemStorage
 import html.parser
-import os
+from plogical.acl import ACLManager
 
 class FileManager:
     def __init__(self, request, data):
@@ -332,9 +332,15 @@ class FileManager:
             writeToFile.write(self.data['fileContent'].encode('utf-8'))
             writeToFile.close()
 
-            if os.path.islink(self.data['fileName']):
+            command = 'ls -la %s' % (self.data['fileName'])
+            output = ProcessUtilities.outputExecutioner(command)
+
+            if output.find('lrwxrwxrwx') > -1 and output.find('->') > -1:
                 return self.ajaxPre(0, 'File exists and is symlink.')
 
+            if ACLManager.commandInjectionCheck(self.data['fileName']) == 1:
+                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
             if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1:
                 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
 
@@ -365,6 +371,9 @@ class FileManager:
             finalData['fileName'] = fs.url(filename)
             pathCheck = '/home/%s' % (self.data['domainName'])
 
+            if ACLManager.commandInjectionCheck(self.data['completePath'] + '/' + myfile.name) == 1:
+                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
             if (self.data['completePath'] + '/' + myfile.name).find(pathCheck) == -1 or ((self.data['completePath'] + '/' + myfile.name)).find('..') > -1:
                 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
 

ftp/ftpManager.py

@@ -13,11 +13,9 @@ from loginSystem.models import Administrator
 import plogical.CyberCPLogFileWriter as logging
 from loginSystem.views import loadLoginPage
 from websiteFunctions.models import Websites
-from plogical.virtualHostUtilities import virtualHostUtilities
 from plogical.ftpUtilities import FTPUtilities
 import os
 from plogical.acl import ACLManager
-from plogical.processUtilities import ProcessUtilities
 
 class FTPManager:
     def __init__(self, request):

plogical/acl.py

@@ -17,6 +17,17 @@ from dockerManager.models import Containers
 
 class ACLManager:
 
+    @staticmethod
+    def commandInjectionCheck(value):
+        if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+                or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
+                or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
+            "{") > -1 or value.find("}") > -1 \
+                or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+            return 1
+        else:
+            return 0
+
     @staticmethod
     def loadedACL(val):
 

plogical/backupUtilities.py

@@ -628,6 +628,16 @@ class backupUtilities:
                 for childDomain in childDomains:
 
                     domain = childDomain.find('domain').text
+
+                    ## mail domain check
+
+                    mailDomain = 'mail.%s' % (masterDomain)
+
+                    if domain == mailDomain:
+                        continue
+
+                    ## Mail domain check
+
                     phpSelection = childDomain.find('phpSelection').text
                     path = childDomain.find('path').text
 
@@ -668,6 +678,7 @@ class backupUtilities:
 
                         continue
                     else:
+                        logging.CyberCPLogFileWriter.writeToFile('Error domain %s' % (domain))
                         logging.CyberCPLogFileWriter.statusWriter(status, "Error Message: " + retValues[1] + ". Not able to create child domains, aborting. [635][5009]")
                         return 0
             except BaseException as msg:

plogical/renew.py

@@ -37,7 +37,7 @@ class Renew:
                     if int(diff.days) >= 15:
                         logging.writeToFile(
                             'SSL exists for %s and is not ready to renew, skipping..' % (website.domain), 0)
-                    elif x509.get_issuer().get_components()[1][1] == 'Denial':
+                    elif x509.get_issuer().get_components()[1][1].decode('utf-8') == 'Denial':
                         logging.writeToFile(
                             'SSL exists for %s and ready to renew..' % (website.domain), 0)
                         logging.writeToFile(
@@ -45,6 +45,9 @@ class Renew:
 
                         virtualHostUtilities.issueSSL(website.domain, '/home/%s/public_html' % (website.domain),
                                                       website.adminEmail)
+                    elif x509.get_issuer().get_components()[1][1].decode('utf-8') != "Let's Encrypt":
+                        logging.writeToFile(
+                            'Custom SSL exists for %s and ready to renew..' % (website.domain), 1)
                     else:
                         logging.writeToFile(
                             'SSL exists for %s and ready to renew..' % (website.domain), 0)

userManagment/userManager.py

@@ -28,7 +28,7 @@ class UserManager(multi.Thread):
 
     def controlUserState(self):
         try:
-            websites = ACLManager.findAllSites(self.extraArgs['currentACL'],self.extraArgs['user'])
+            websites = ACLManager.findAllSites(self.extraArgs['currentACL'],self.extraArgs['user'].pk)
             from websiteFunctions.website import WebsiteManager
 
             wm = WebsiteManager()

userManagment/views.py

@@ -991,7 +991,8 @@ def fetchTableUsers(request):
             diskUsage = 0
 
             for webs in items.websites_set.all():
-                diskUsage = virtualHostUtilities.getDiskUsage("/home/" + webs.domain, webs.package.diskSpace)[0] + diskUsage
+                #diskUsage = virtualHostUtilities.getDiskUsage("/home/" + webs.domain, webs.package.diskSpace)[0] + diskUsage
+                diskUsage = 1
 
             owner = Administrator.objects.get(pk=items.owner)
 
@@ -1052,7 +1053,7 @@ def controlUserState(request):
 
                 extraArgs = {}
                 extraArgs['user'] = user
-                extraArgs['currentACL'] = currentACL
+                extraArgs['currentACL'] = ACLManager.loadedACL(user.pk)
                 extraArgs['state'] = state
 
                 from userManagment.userManager import UserManager

websiteFunctions/website.py

@@ -261,6 +261,9 @@ class WebsiteManager:
             else:
                 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
 
+            if data['path'].find('..') > -1:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
             if currentACL['admin'] != 1:
                 data['openBasedir'] = 1