function write_error_page($sql, $eid)
{
$error = $_POST['error'];
$file = '/errors/' . $eid . '.html';
$vfs = new EasySCP_VirtualFileSystem($_SESSION['user_logged'], $sql);
return $vfs->put($file, $error);
}
/**
* @param EasySCP_TemplateEngine $tpl
* @param EasySCP_Database $sql
* @param int $user_id
* @param string $eid
*/
function gen_error_page_data($tpl, $sql, $eid)
{
$domain = $_SESSION['user_logged'];
// Check if we already have an error page
$vfs = new EasySCP_VirtualFileSystem($domain, $sql);
$error = $vfs->get('/errors/' . $eid . '.html');
if (false !== $error) {
// We already have an error page, return it
$tpl->assign(array('ERROR' => tohtml($error)));
return;
}
// No error page
$tpl->assign(array('ERROR' => ''));
}
/**
* @param EasySCP_TemplateEngine $tpl
*/
function gen_directories($tpl)
{
$sql = EasySCP_Registry::get('Db');
// Initialize variables
$path = isset($_GET['cur_dir']) ? $_GET['cur_dir'] : '';
$domain = $_SESSION['user_logged'];
// Create the virtual file system and open it so it can be used
$vfs = new EasySCP_VirtualFileSystem($domain, $sql);
// Get the directory listing
$list = $vfs->ls($path);
if (!$list) {
set_page_message(tr('Cannot open directory!<br />Please contact your administrator!'), 'error');
return;
}
// Show parent directory link
$parent = explode(DIRECTORY_SEPARATOR, $path);
array_pop($parent);
$parent = implode(DIRECTORY_SEPARATOR, $parent);
$tpl->append(array('ACTION' => '', 'ACTION_LINK' => 'no', 'ICON' => "parent", 'DIR_NAME' => tr('Parent Directory'), 'CHOOSE_IT' => '', 'LINK' => 'ftp_choose_dir.php?cur_dir=' . $parent));
// Show directories only
foreach ($list as $entry) {
// Skip non-directory entries
if ($entry['type'] != EasySCP_VirtualFileSystem::VFS_TYPE_DIR) {
continue;
}
// Skip '.' and '..'
if ($entry['file'] == '.' || $entry['file'] == '..') {
continue;
}
// Check for .htaccess existence to display another icon
$dr = $path . '/' . $entry['file'];
$tfile = $dr . '/.htaccess';
if ($vfs->exists($tfile)) {
$image = "locked";
} else {
$image = "folder";
}
// Check if folder does not contain a folder that can not be protected
// @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
$forbiddenDirnames = '/backups|disabled|errors|logs|phptmp/i';
$forbidden = preg_match($forbiddenDirnames, $entry['file']);
if ($forbidden === 1) {
$tpl->append('ACTION_LINK', 'no');
} else {
$tpl->append('ACTION_LINK', 'yes');
}
// Create the directory link
$tpl->append(array('PROTECT_IT' => "protected_areas_add.php?file=" . $dr, 'ICON' => $image, 'DIR_NAME' => tohtml($entry['file']), 'CHOOSE_IT' => $dr, 'LINK' => "ftp_choose_dir.php?cur_dir=" . $dr));
}
}
function add_ftp_user($sql, $dmn_name)
{
$cfg = EasySCP_Registry::get('Config');
$username = strtolower(clean_input($_POST['username']));
if (!validates_username($username)) {
set_page_message(tr("Incorrect username length or syntax!"), 'warning');
return;
}
// Set default values ($ftp_home may be overwritten if user
// has specified a mount point)
switch ($_POST['dmn_type']) {
// Default moint point for a domain
case 'dmn':
$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $dmn_name;
$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}";
break;
// Default mount point for an alias domain
// Default mount point for an alias domain
case 'als':
$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $_POST['als_id'];
$alias_mount_point = get_alias_mount_point($sql, $_POST['als_id']);
$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}" . $alias_mount_point;
break;
// Default mount point for a subdomain
// Default mount point for a subdomain
case 'sub':
$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $_POST['sub_id'] . '.' . $dmn_name;
$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . clean_input($_POST['sub_id']);
break;
// Unknown domain type (?)
// Unknown domain type (?)
default:
set_page_message(tr('Unknown domain type'), 'error');
return;
break;
}
// User-specified mount point
if (isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on') {
$ftp_vhome = clean_input($_POST['other_dir'], false);
// Strip possible double-slashes
$ftp_vhome = str_replace('//', '/', $ftp_vhome);
// Check for updirs ".."
$res = preg_match("/\\.\\./", $ftp_vhome);
if ($res !== 0) {
set_page_message(tr('Incorrect mount point length or syntax'), 'error');
return;
}
$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . $ftp_vhome;
// Strip possible double-slashes
$ftp_home = str_replace('//', '/', $ftp_home);
// Check for $ftp_vhome existence
// Create a virtual filesystem (it's important to use =&!)
$vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
// Check for directory existence
$res = $vfs->exists($ftp_vhome);
if (!$res) {
set_page_message(tr('%s does not exist', $ftp_vhome), 'error');
return;
}
}
// End of user-specified mount-point
$ftp_gid = get_ftp_user_gid($sql, $dmn_name, $ftp_user);
$ftp_uid = get_ftp_user_uid($sql, $dmn_name, $ftp_user, $ftp_gid);
if ($ftp_uid == -1) {
return;
}
$ftp_shell = $cfg->CMD_SHELL;
$ftp_passwd = crypt_user_pass_with_salt($_POST['pass']);
$ftp_loginpasswd = encrypt_db_password($_POST['pass']);
$query = "\n\t\tINSERT INTO ftp_users\n\t\t\t(`userid`, `passwd`, `net2ftppasswd`, `uid`, `gid`, `shell`, `homedir`)\n\t\tVALUES\n\t\t\t(?, ?, ?, ?, ?, ?, ?)\n\t";
exec_query($sql, $query, array($ftp_user, $ftp_passwd, $ftp_loginpasswd, $ftp_uid, $ftp_gid, $ftp_shell, $ftp_home));
$domain_props = get_domain_default_props($_SESSION['user_id']);
update_reseller_c_props($domain_props['domain_created_id']);
write_log($_SESSION['user_logged'] . ": add new FTP account: {$ftp_user}");
set_page_message(tr('FTP account added!'), 'success');
user_goto('ftp_accounts.php');
}
/**
* @todo use db prepared statements
*/
function protect_area($tpl, $sql, $dmn_id)
{
$cfg = EasySCP_Registry::get('Config');
if (!isset($_POST['uaction']) || $_POST['uaction'] != 'protect_it') {
return;
}
if (!isset($_POST['users']) && !isset($_POST['groups'])) {
set_page_message(tr('Please choose user or group'), 'warning');
return;
}
if (empty($_POST['paname'])) {
set_page_message(tr('Please enter area name'), 'warning');
return;
}
if (empty($_POST['other_dir'])) {
set_page_message(tr('Please enter area path'), 'warning');
return;
}
$path = clean_input($_POST['other_dir'], false);
// Cleanup path:
// Adds a slash as a first char of the path if it doesn't exists
// Removes the double slashes
// Remove the trailing slash if it exists
if ($path != '/') {
$clean_path = array();
foreach (explode(DIRECTORY_SEPARATOR, $path) as $dir) {
if ($dir != '') {
$clean_path[] = $dir;
}
}
$path = '/' . implode(DIRECTORY_SEPARATOR, $clean_path);
}
// Check if path is allowed
// @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
// @todo: This need to be reviewed on change of alias system
$forbiddenDirnames = '/^\\/.*\\/?(backups|disabled|errors|logs|phptmp)\\/*$/i';
$forbidden = preg_match($forbiddenDirnames, $path);
if ($forbidden === 1) {
set_page_message(tr('The path selected is a system path that cannot be secured.'), 'warning');
return;
}
$domain = $_SESSION['user_logged'];
// Check for existing directory
// We need to use the virtual file system
$vfs = new EasySCP_VirtualFileSystem($domain, $sql);
$res = $vfs->exists($path);
if (!$res) {
set_page_message(tr("%s doesn't exist", $path), 'error');
return;
}
$ptype = $_POST['ptype'];
if (isset($_POST['users'])) {
$users = $_POST['users'];
}
if (isset($_POST['groups'])) {
$groups = $_POST['groups'];
}
$area_name = $_POST['paname'];
$user_id = '';
$group_id = '';
if ($ptype == 'user') {
for ($i = 0, $cnt_users = count($users); $i < $cnt_users; $i++) {
if ($cnt_users == 1 || $cnt_users == $i + 1) {
$user_id .= $users[$i];
if ($user_id == '-1' || $user_id == '') {
set_page_message(tr('You cannot protect area without selected user(s)!'), 'warning');
return;
}
} else {
$user_id .= $users[$i] . ',';
}
}
$group_id = 0;
} else {
for ($i = 0, $cnt_groups = count($groups); $i < $cnt_groups; $i++) {
if ($cnt_groups == 1 || $cnt_groups == $i + 1) {
$group_id .= $groups[$i];
if ($group_id == '-1' || $group_id == '') {
set_page_message(tr('You cannot protect area without selected group(s)'), 'warning');
return;
}
} else {
$group_id .= $groups[$i] . ',';
}
}
$user_id = 0;
}
// let's check if we have to update or to make new enrie
$alt_path = $path . "/";
$query = "\n\t\tSELECT\n\t\t\t`id`\n\t\tFROM\n\t\t\t`htaccess`\n\t\tWHERE\n\t\t\t`dmn_id` = ?\n\t\tAND\n\t\t\t(`path` = ? OR `path` = ?)\n\t;";
$rs = exec_query($sql, $query, array($dmn_id, $path, $alt_path));
$toadd_status = $cfg->ITEM_ADD_STATUS;
$tochange_status = $cfg->ITEM_CHANGE_STATUS;
if ($rs->recordCount() !== 0) {
$update_id = $rs->fields['id'];
// @todo Can we move $update_id to the prepared statement variables?
$query = "\n\t\t\tUPDATE\n\t\t\t\t`htaccess`\n\t\t\tSET\n\t\t\t\t`user_id` = ?,\n\t\t\t\t`group_id` = ?,\n\t\t\t\t`auth_name` = ?,\n\t\t\t\t`path` = ?,\n\t\t\t\t`status` = ?\n\t\t\tWHERE\n\t\t\t\t`id` = '{$update_id}';\n\t\t";
exec_query($sql, $query, array($user_id, $group_id, $area_name, $path, $tochange_status));
send_request('110 DOMAIN htaccess ' . $dmn_id);
set_page_message(tr('Protected area updated successfully!'), 'success');
} else {
$query = "\n\t\t\tINSERT INTO `htaccess`\n\t\t\t\t(`dmn_id`, `user_id`, `group_id`, `auth_type`, `auth_name`, `path`, `status`)\n\t\t\tVALUES\n\t\t\t\t(?, ?, ?, ?, ?, ?, ?);\n\t\t";
exec_query($sql, $query, array($dmn_id, $user_id, $group_id, 'Basic', $area_name, $path, $toadd_status));
send_request('110 DOMAIN htaccess ' . $dmn_id);
set_page_message(tr('Protected area created successfully!'), 'success');
}
user_goto('protected_areas.php');
}
function update_ftp_account($sql, $ftp_acc, $dmn_name)
{
global $other_dir;
$cfg = EasySCP_Registry::get('Config');
// Create a virtual filesystem (it's important to use =&!)
$vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
if (isset($_POST['uaction']) && $_POST['uaction'] === 'edit_user') {
if (!empty($_POST['pass']) || !empty($_POST['pass_rep'])) {
if ($_POST['pass'] !== $_POST['pass_rep']) {
set_page_message(tr('Entered passwords do not match!'), 'warning');
return;
}
if (!chk_password($_POST['pass'])) {
if ($cfg->PASSWD_STRONG) {
set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
} else {
set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
}
return;
}
$pass = crypt_user_pass_with_salt($_POST['pass']);
$loginpass = encrypt_db_password($_POST['pass']);
if (isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on') {
$other_dir = clean_input($_POST['other_dir']);
$rs = $vfs->exists($other_dir);
if (!$rs) {
set_page_message(tr('%s does not exist', clean_input($_POST['other_dir'])), 'warning');
return;
}
// domain_id
// append the full path (vfs is always checking per ftp so it's logged
// in in the root of the user (no absolute paths are allowed here!)
$other_dir = $cfg->FTP_HOMEDIR . "/" . $_SESSION['user_logged'] . clean_input($_POST['other_dir']);
$query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`ftp_users`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`passwd` = ?,\n\t\t\t\t\t\t`net2ftppasswd` = ?,\n\t\t\t\t\t\t`homedir` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`userid` = ?\n\t\t\t\t";
$param = array($pass, $loginpass, $other_dir, $ftp_acc);
} else {
$query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`ftp_users`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`passwd` = ?,\n\t\t\t\t\t\t`net2ftppasswd` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`userid` = ?\n\t\t\t\t";
$param = array($pass, $loginpass, $ftp_acc);
}
exec_query($sql, $query, $param);
write_log($_SESSION['user_logged'] . ": updated FTP " . $ftp_acc . " account data");
set_page_message(tr('FTP account data updated!'), 'success');
user_goto('ftp_accounts.php');
} else {
if (isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on') {
$other_dir = clean_input($_POST['other_dir']);
// Strip possible double-slashes
$other_dir = str_replace('//', '/', $other_dir);
// Check for updirs ".."
$res = preg_match("/\\.\\./", $other_dir);
if ($res !== 0) {
set_page_message(tr('Incorrect mount point length or syntax'), 'warning');
return;
}
// Check for $other_dir existence
// Create a virtual filesystem (it's important to use =&!)
$vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
// Check for directory existence
$res = $vfs->exists($other_dir);
if (!$res) {
set_page_message(tr('%s does not exist', $other_dir), 'error');
return;
}
$other_dir = $cfg->FTP_HOMEDIR . "/" . $_SESSION['user_logged'] . $other_dir;
} else {
// End of user-specified mount-point
$other_dir = $cfg->FTP_HOMEDIR . "/" . $_SESSION['user_logged'];
}
$query = "\n\t\t\t\tUPDATE\n\t\t\t\t\t`ftp_users`\n\t\t\t\tSET\n\t\t\t\t\t`homedir` = ?\n\t\t\t\tWHERE\n\t\t\t\t\t`userid` = ?\n\t\t\t";
exec_query($sql, $query, array($other_dir, $ftp_acc));
set_page_message(tr('FTP account data updated!'), 'success');
user_goto('ftp_accounts.php');
}
}
}
