diff --git a/.gitignore b/.gitignore
index 64dffcb6a..184684c84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 .LSOverride
 *.pyc
 .idea
+venv
diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py
index 901a08147..90ad60d1e 100755
--- a/CyberCP/secMiddleware.py
+++ b/CyberCP/secMiddleware.py
@@ -45,6 +45,7 @@ class secMiddleware:
 return HttpResponse(final_json)
 except:
 pass
+
 if request.method == 'POST':
 try:
 #logging.writeToFile(request.body)
diff --git a/filemanager/filemanager.py b/filemanager/filemanager.py
index 5cbdc81b6..f1dc0185d 100755
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -6,7 +6,7 @@ from websiteFunctions.models import Websites
 from random import randint
 from django.core.files.storage import FileSystemStorage
 import html.parser
-import os
+from plogical.acl import ACLManager
 class FileManager:
 def __init__(self, request, data):
@@ -332,9 +332,15 @@ class FileManager:
 writeToFile.write(self.data['fileContent'].encode('utf-8'))
 writeToFile.close()
- if os.path.islink(self.data['fileName']):
+ command = 'ls -la %s' % (self.data['fileName'])
+ output = ProcessUtilities.outputExecutioner(command)
+
+ if output.find('lrwxrwxrwx') > -1 and output.find('->') > -1:
 return self.ajaxPre(0, 'File exists and is symlink.')
+ if ACLManager.commandInjectionCheck(self.data['fileName']) == 1:
+ return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
 if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1:
 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
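Review bot: `command = 'ls -la %s' % (self.data['fileName'])` is executed through `ProcessUtilities.outputExecutioner` before either of the new guards runs, so a `fileName` carrying shell metacharacters or `..` reaches the shell first and is rejected only afterwards; the `commandInjectionCheck` and the home/`..` check belong above the `ls` call, and the argument should still be quoted with `shlex.quote` (needs `import shlex`) because the blacklist does not cover spaces or `"`. `ls -la` without `-d` lists through a symlink that points at a directory, so such a link is flagged only if one of the listed entries happens to be a symlink; `ls -lad` (or `test -L`) reports the argument itself. The `writeToFile.write`/`close` lines immediately above suggest the content has already been written when the path is validated — the method starts outside the hunk, so that ordering should be confirmed as well. `ProcessUtilities` is not imported in the import hunk of this file; presumably it comes in earlier in the file.
```python
        # … unchanged: writeToFile.write / writeToFile.close …

        # Validate the user-supplied path BEFORE it is interpolated into a shell command.
        if ACLManager.commandInjectionCheck(self.data['fileName']) == 1:
            return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

        if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1:
            return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

        # -d so a link to a directory is reported as the link itself; quote so spaces
        # and anything the blacklist misses cannot split the command.
        command = 'ls -lad %s' % (shlex.quote(self.data['fileName']))
        output = ProcessUtilities.outputExecutioner(command)

        if output.find('lrwxrwxrwx') > -1 and output.find('->') > -1:
            return self.ajaxPre(0, 'File exists and is symlink.')
```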
@@ -365,6 +371,9 @@ class FileManager:
 finalData['fileName'] = fs.url(filename)
 pathCheck = '/home/%s' % (self.data['domainName'])
+ if ACLManager.commandInjectionCheck(self.data['completePath'] + '/' + myfile.name) == 1:
+ return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
 if (self.data['completePath'] + '/' + myfile.name).find(pathCheck) == -1 or ((self.data['completePath'] + '/' + myfile.name)).find('..') > -1:
 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
diff --git a/ftp/ftpManager.py b/ftp/ftpManager.py
index 274b12117..c57cc421d 100755
--- a/ftp/ftpManager.py
+++ b/ftp/ftpManager.py
@@ -13,11 +13,9 @@ from loginSystem.models import Administrator
 import plogical.CyberCPLogFileWriter as logging
 from loginSystem.views import loadLoginPage
 from websiteFunctions.models import Websites
-from plogical.virtualHostUtilities import virtualHostUtilities
 from plogical.ftpUtilities import FTPUtilities
 import os
 from plogical.acl import ACLManager
-from plogical.processUtilities import ProcessUtilities
 class FTPManager:
 def __init__(self, request):
diff --git a/plogical/acl.py b/plogical/acl.py
index 3fd12a4c3..62edb5277 100755
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -17,6 +17,17 @@ from dockerManager.models import Containers
 class ACLManager:
+ @staticmethod
+ def commandInjectionCheck(value):
+ if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+ or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
+ or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
+ "{") > -1 or value.find("}") > -1 \
+ or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+ return 1
+ else:
+ return 0
+
 @staticmethod
 def loadedACL(val):
diff --git a/plogical/backupUtilities.py b/plogical/backupUtilities.py
index 71b279993..1ddc0ffdc 100755
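Review bot: The new `commandInjectionCheck` guard sits, like the existing `pathCheck`/`..` guard, after `finalData['fileName'] = fs.url(filename)`, which implies the storage object has already been asked to store the upload before its destination is validated; the guards should run before anything is written — the method and the `fs` call start outside the hunk, so confirm where the save happens. Compute the joined path once, `target = self.data['completePath'] + '/' + myfile.name`, and use it in both conditions instead of rebuilding it four times. `myfile.name` is the client-supplied upload name; a Django `FileSystemStorage` normally rewrites unsafe or duplicate names on save, so the name that ends up on disk can differ from the one checked here — if that matters, check `filename` (the name the storage returned) rather than `myfile.name`.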
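Review bot: The blacklist in `commandInjectionCheck` omits several characters that matter once the value is interpolated into a shell string elsewhere in this diff — a single `&`, `"`, newline, tab, `\`, `#`, `*`, `?`, `~` and a plain space — and it tests for `'...'` whereas the path guards in filemanager.py look for `'..'`. An allowlist is shorter and does not have to enumerate what the shell treats specially: `if re.fullmatch(r'[\w./@+=-]*', value) is None: return 1` followed by `return 0` (needs `import re`; add a space to the class only if every caller quotes the value with `shlex.quote`). Keep the `1`/`0` return since callers compare `== 1`, but add a docstring saying this is a last-resort filter and that commands should be passed as an argument list with `shell=False` wherever possible; an allowlist applied to whole paths will also reject legitimate names containing other characters, so apply it to the user-controlled segment.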
--- a/plogical/backupUtilities.py
+++ b/plogical/backupUtilities.py
@@ -628,6 +628,16 @@ class backupUtilities:
 for childDomain in childDomains:
 domain = childDomain.find('domain').text
+
+ ## mail domain check
+
+ mailDomain = 'mail.%s' % (masterDomain)
+
+ if domain == mailDomain:
+ continue
+
+ ## Mail domain check
+
 phpSelection = childDomain.find('phpSelection').text
 path = childDomain.find('path').text
@@ -668,6 +678,7 @@ class backupUtilities:
 continue
 else:
+ logging.CyberCPLogFileWriter.writeToFile('Error domain %s' % (domain))
 logging.CyberCPLogFileWriter.statusWriter(status, "Error Message: " + retValues[1] + ". Not able to create child domains, aborting. [635][5009]")
 return 0
 except BaseException as msg:
diff --git a/plogical/renew.py b/plogical/renew.py
index ec1c8535f..63ecf9b84 100644
--- a/plogical/renew.py
+++ b/plogical/renew.py
@@ -37,7 +37,7 @@ class Renew:
 if int(diff.days) >= 15:
 logging.writeToFile(
 'SSL exists for %s and is not ready to renew, skipping..' % (website.domain), 0)
- elif x509.get_issuer().get_components()[1][1] == 'Denial':
+ elif x509.get_issuer().get_components()[1][1].decode('utf-8') == 'Denial':
 logging.writeToFile(
 'SSL exists for %s and ready to renew..' % (website.domain), 0)
 logging.writeToFile(
@@ -45,6 +45,9 @@ class Renew:
 virtualHostUtilities.issueSSL(website.domain, '/home/%s/public_html' % (website.domain), website.adminEmail)
+ elif x509.get_issuer().get_components()[1][1].decode('utf-8') != "Let's Encrypt":
+ logging.writeToFile(
+ 'Custom SSL exists for %s and ready to renew..' % (website.domain), 1)
 else:
 logging.writeToFile(
 'SSL exists for %s and ready to renew..' % (website.domain), 0)
diff --git a/userManagment/userManager.py b/userManagment/userManager.py
index bc6c87115..44858cf0d 100644
--- a/userManagment/userManager.py
+++ b/userManagment/userManager.py
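Review bot: The `## mail domain check` / `## Mail domain check` pair says what the block is but not why a child domain equal to `mail.<masterDomain>` is skipped during restore, so a reader chasing a missing mail subdomain cannot tell whether this is intentional. Replace the two bracketing comments with one that states the reason, e.g. `# mail.<master> is presumably recreated by the mail setup for the master domain, so restoring it as a child domain would collide — confirm`, adjusted to the actual reason. `masterDomain` is assigned outside the hunk and the enclosing loop runs past it.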
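Review bot: `x509.get_issuer().get_components()[1][1]` assumes the issuer DN's second component is the organisation; an issuer with fewer than two components raises `IndexError` here, and the `.decode('utf-8')` now appears twice (this hunk and the next). Look the field up by name once before the `if` chain — `issuerOrg = dict(x509.get_issuer().get_components()).get(b'O', b'').decode('utf-8')` — and compare `issuerOrg == 'Denial'` here and `issuerOrg != "Let's Encrypt"` below. Where `x509` and `diff` are built is outside the hunk.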
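Review bot: The new `elif` for a non-Let's Encrypt issuer logs `'Custom SSL exists for %s and ready to renew..'` at level 1 and then does nothing, so a custom certificate inside the 15-day window is neither renewed nor reported as deliberately left alone, and the message says the opposite of what happens. If the intent is to not overwrite user-installed certificates, say so: `'Custom SSL exists for %s, leaving it untouched (%s days left)..' % (website.domain, diff.days)`; if the intent is to renew, the branch needs the `issueSSL` call the `else` branch presumably makes below the hunk. The enclosing per-site body starts before and ends after the hunk.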
@@ -28,7 +28,7 @@ class UserManager(multi.Thread):
 def controlUserState(self):
 try:
- websites = ACLManager.findAllSites(self.extraArgs['currentACL'],self.extraArgs['user'])
+ websites = ACLManager.findAllSites(self.extraArgs['currentACL'],self.extraArgs['user'].pk)
 from websiteFunctions.website import WebsiteManager
 wm = WebsiteManager()
diff --git a/userManagment/views.py b/userManagment/views.py
index 9511a7c2c..3f37f5bc7 100755
--- a/userManagment/views.py
+++ b/userManagment/views.py
@@ -991,7 +991,8 @@ def fetchTableUsers(request):
 diskUsage = 0
 for webs in items.websites_set.all():
- diskUsage = virtualHostUtilities.getDiskUsage("/home/" + webs.domain, webs.package.diskSpace)[0] + diskUsage
+ #diskUsage = virtualHostUtilities.getDiskUsage("/home/" + webs.domain, webs.package.diskSpace)[0] + diskUsage
+ diskUsage = 1
 owner = Administrator.objects.get(pk=items.owner)
@@ -1052,7 +1053,7 @@ def controlUserState(request):
 extraArgs = {}
 extraArgs['user'] = user
- extraArgs['currentACL'] = currentACL
+ extraArgs['currentACL'] = ACLManager.loadedACL(user.pk)
 extraArgs['state'] = state
 from userManagment.userManager import UserManager
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
index 84886109a..d779ce7c3 100755
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -261,6 +261,9 @@ class WebsiteManager:
 else:
 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+ if data['path'].find('..') > -1:
+ return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
 if currentACL['admin'] != 1:
 data['openBasedir'] = 1
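Review bot: `diskUsage = 1` is a hard-coded placeholder that makes every row of the users table report the same disk usage, and the real computation is kept as a commented-out line rather than removed. If `getDiskUsage` per site is too slow for a listing (presumably the reason; it is not stated), report something the UI can tell apart from a measurement and say why: `diskUsage = 0  # not computed in the listing: getDiskUsage per site is too slow here`, and delete the commented-out line; otherwise restore the call. `fetchTableUsers` continues outside the hunk.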
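Review bot: `extraArgs['currentACL'] = ACLManager.loadedACL(user.pk)` hands the worker the ACL of the user being acted on instead of the requester's `currentACL`, so `UserManager.controlUserState` now enumerates sites as that user sees them; that is the right input for suspending everything the user owns, but the requester's ACL no longer reaches the thread at all, so whether the requester may act on `user` must be decided in this view before this line — that check is outside the hunk and should be confirmed. A one-line comment would spare the next reader the same question: `# the worker needs the *target* user's ACL to enumerate that user's sites; the caller was authorised above`.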
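Review bot: `data['path'].find('..') > -1` rejects only the literal `..` substring: an absolute `path` is not caught, and a request without `path` raises `KeyError` here (whether an earlier line already guarantees the key is outside the hunk). Write it as `if '..' in data['path']:` and, if `path` is meant to stay under the site's home, normalise and prefix-check it instead — `os.path.normpath(...)` plus `startswith` on the intended base (needs `os` in scope) — since the substring test also rejects harmless names such as `a..b`. The enclosing method starts and ends outside the hunk.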