From a548f0c0423fabec4a502b418c6d143992c8dfcd Mon Sep 17 00:00:00 2001
From: master3395 <master3395@users.noreply.github.com>
Date: Tue, 14 Apr 2026 21:54:02 +0200
Subject: [PATCH 1/2] fix password argument quoting for adminPass flows

Quote admin password arguments during install and harden upgrade rewrites of /usr/bin/adminPass so shell-sensitive characters are preserved instead of expanded.
---
 cyberpanel_upgrade_monolithic.sh              | 7 +++++++
 install/venvsetup_modules/04_after_install.sh | 2 +-
 install/venvsetup_monolithic.sh               | 2 +-
 upgrade_modules/10_post_tweak.sh              | 7 +++++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/cyberpanel_upgrade_monolithic.sh b/cyberpanel_upgrade_monolithic.sh
index 0ef2f1526..34bbc5dfe 100644
--- a/cyberpanel_upgrade_monolithic.sh
+++ b/cyberpanel_upgrade_monolithic.sh
@@ -1813,6 +1813,13 @@ if [[ "$Server_Country" = "CN" ]] ; then
 fi
 
 sed -i 's|python2|python|g' /usr/bin/adminPass
+if [[ -f /usr/bin/adminPass ]]; then
+  cat >/usr/bin/adminPass <<'EOF'
+/usr/local/CyberPanel/bin/python /usr/local/CyberCP/plogical/adminPass.py --password "$@"
+systemctl restart lscpd
+echo "$@" > /etc/cyberpanel/adminPass
+EOF
+fi
 chmod 700 /usr/bin/adminPass
 
 rm -f /usr/bin/php
diff --git a/install/venvsetup_modules/04_after_install.sh b/install/venvsetup_modules/04_after_install.sh
index b14eb0e5d..1453cbe61 100644
--- a/install/venvsetup_modules/04_after_install.sh
+++ b/install/venvsetup_modules/04_after_install.sh
@@ -123,7 +123,7 @@ DISK2=$(df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}')
 ELAPSED="$(($SECONDS / 3600)) hrs $((($SECONDS / 60) % 60)) min $(($SECONDS % 60)) sec"
 MYSQLPASSWD=$(cat /etc/cyberpanel/mysqlPassword)
 echo "$ADMIN_PASS" > /etc/cyberpanel/adminPass
-/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password $ADMIN_PASS
+/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password "$ADMIN_PASS"
 _restart_lscpd_safe
 systemctl restart lsws
 echo "/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password \"\$@\"" > /usr/bin/adminPass
diff --git a/install/venvsetup_monolithic.sh b/install/venvsetup_monolithic.sh
index 8dbf7f4d0..088f84b8e 100644
--- a/install/venvsetup_monolithic.sh
+++ b/install/venvsetup_monolithic.sh
@@ -1153,7 +1153,7 @@ DISK2=$(df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}')
 ELAPSED="$(($SECONDS / 3600)) hrs $((($SECONDS / 60) % 60)) min $(($SECONDS % 60)) sec"
 MYSQLPASSWD=$(cat /etc/cyberpanel/mysqlPassword)
 echo "$ADMIN_PASS" > /etc/cyberpanel/adminPass
-/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password $ADMIN_PASS
+/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password "$ADMIN_PASS"
 systemctl restart lscpd
 systemctl restart lsws
 echo "/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password \"\$@\"" > /usr/bin/adminPass
diff --git a/upgrade_modules/10_post_tweak.sh b/upgrade_modules/10_post_tweak.sh
index 85cf57c29..370ff79e7 100644
--- a/upgrade_modules/10_post_tweak.sh
+++ b/upgrade_modules/10_post_tweak.sh
@@ -72,6 +72,13 @@ if [[ "$Server_Country" = "CN" ]] ; then
 fi
 
 sed -i 's|python2|python|g' /usr/bin/adminPass
+if [[ -f /usr/bin/adminPass ]]; then
+  cat >/usr/bin/adminPass <<'EOF'
+/usr/local/CyberPanel/bin/python /usr/local/CyberCP/plogical/adminPass.py --password "$@"
+systemctl restart lscpd
+echo "$@" > /etc/cyberpanel/adminPass
+EOF
+fi
 chmod 700 /usr/bin/adminPass
 
 rm -f /usr/bin/php

From c434aaeb54ce230830f8476a526a93686f37dc82 Mon Sep 17 00:00:00 2001
From: master3395 <master3395@users.noreply.github.com>
Date: Tue, 14 Apr 2026 21:57:04 +0200
Subject: [PATCH 2/2] harden installer adminPass wrapper behavior

Persist quoted admin password to /etc/cyberpanel/adminPass and tighten wrapper permissions to 700 in installer-generated /usr/bin/adminPass.
---
 install/venvsetup_modules/04_after_install.sh | 3 ++-
 install/venvsetup_monolithic.sh               | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/venvsetup_modules/04_after_install.sh b/install/venvsetup_modules/04_after_install.sh
index 1453cbe61..48569186f 100644
--- a/install/venvsetup_modules/04_after_install.sh
+++ b/install/venvsetup_modules/04_after_install.sh
@@ -128,7 +128,8 @@ _restart_lscpd_safe
 systemctl restart lsws
 echo "/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password \"\$@\"" > /usr/bin/adminPass
 echo "systemctl restart lscpd" >> /usr/bin/adminPass
-chmod +x /usr/bin/adminPass
+echo "echo \"\$@\" > /etc/cyberpanel/adminPass" >> /usr/bin/adminPass
+chmod 700 /usr/bin/adminPass
 if [[ $VERSION = "OLS" ]] ; then
 	WORD="OpenLiteSpeed"
 #	sed -i 's|maxConnections               10000|maxConnections               100000|g' /usr/local/lsws/conf/httpd_config.conf
diff --git a/install/venvsetup_monolithic.sh b/install/venvsetup_monolithic.sh
index 088f84b8e..0af4b2f54 100644
--- a/install/venvsetup_monolithic.sh
+++ b/install/venvsetup_monolithic.sh
@@ -1158,7 +1158,8 @@ systemctl restart lscpd
 systemctl restart lsws
 echo "/usr/local/CyberPanel/bin/python2 /usr/local/CyberCP/plogical/adminPass.py --password \"\$@\"" > /usr/bin/adminPass
 echo "systemctl restart lscpd" >> /usr/bin/adminPass
-chmod +x /usr/bin/adminPass
+echo "echo \"\$@\" > /etc/cyberpanel/adminPass" >> /usr/bin/adminPass
+chmod 700 /usr/bin/adminPass
 if [[ $VERSION = "OLS" ]] ; then
 	WORD="OpenLiteSpeed"
 #	sed -i 's|maxConnections               10000|maxConnections               100000|g' /usr/local/lsws/conf/httpd_config.conf