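/**
 * Fills the directory chooser with the sub-directories of the directory given
 * by the `cur_dir` request parameter.
 *
 * The listing is read through the domain's virtual file system, so only what
 * that account can see is shown. A "parent directory" row is appended first,
 * then one row per directory entry (excluding '.' and '..'). Directories whose
 * name matches the reserved-name list get ACTION_LINK 'no' so the template
 * offers no "protect" action for them; a directory that already contains a
 * .htaccess file is shown with the "locked" icon instead of "folder".
 *
 * Query-string values in the generated links are URL-encoded so directory
 * names containing '&', '#', '%' or spaces survive the round trip (PHP decodes
 * them again into $_GET on the next request).
 *
 * @param EasySCP_TemplateEngine $tpl template the rows are appended to
 * @return void  on failure a page message is set and nothing is appended
 */
function gen_directories($tpl) {
	$sql = EasySCP_Registry::get('Db');

	// Initialize variables
	$path = isset($_GET['cur_dir']) ? $_GET['cur_dir'] : '';
	$domain = $_SESSION['user_logged'];

	// cur_dir is request input. The mount-point handlers in this file reject
	// '..' segments before touching the VFS; do the same here. Legitimate
	// navigation never needs '..' because the parent link below is built by
	// dropping the last path segment. preg_match() returning false (error)
	// also ends up here, so the check fails closed.
	if (preg_match('/\\.\\./', $path) !== 0) {
		set_page_message(tr('Cannot open directory!<br />Please contact your administrator!'), 'error');
		return;
	}

	// Create the virtual file system and open it so it can be used
	$vfs = new EasySCP_VirtualFileSystem($domain, $sql);

	// Get the directory listing
	$list = $vfs->ls($path);
	if (!$list) {
		// NOTE(review): an empty listing array would also land here — confirm
		// what ls() returns on failure before tightening this to === false
		set_page_message(tr('Cannot open directory!<br />Please contact your administrator!'), 'error');
		return;
	}

	// Show parent directory link: the parent is the path minus its last segment
	$segments = explode(DIRECTORY_SEPARATOR, $path);
	array_pop($segments);
	$parent = implode(DIRECTORY_SEPARATOR, $segments);

	$tpl->append(array(
		'ACTION' => '',
		'ACTION_LINK' => 'no',
		'ICON' => 'parent',
		'DIR_NAME' => tr('Parent Directory'),
		'CHOOSE_IT' => '',
		'LINK' => 'ftp_choose_dir.php?cur_dir=' . rawurlencode($parent),
	));

	// Directory names that can not be protected
	// @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
	$forbiddenDirnames = '/backups|disabled|errors|logs|phptmp/i';

	// Show directories only
	foreach ($list as $entry) {
		// Skip non-directory entries
		if ($entry['type'] != EasySCP_VirtualFileSystem::VFS_TYPE_DIR) {
			continue;
		}

		// Skip '.' and '..'
		if ($entry['file'] == '.' || $entry['file'] == '..') {
			continue;
		}

		$dr = $path . '/' . $entry['file'];

		// A .htaccess inside the directory means it is already protected
		$image = $vfs->exists($dr . '/.htaccess') ? 'locked' : 'folder';

		// Reserved directory names get no "protect" action
		$forbidden = preg_match($forbiddenDirnames, $entry['file']);
		$tpl->append('ACTION_LINK', $forbidden === 1 ? 'no' : 'yes');

		// Create the directory row. DIR_NAME is HTML-escaped here; whether
		// CHOOSE_IT is escaped by the template engine is outside this file —
		// NOTE(review): confirm against EasySCP_TemplateEngine
		$tpl->append(array(
			'PROTECT_IT' => 'protected_areas_add.php?file=' . rawurlencode($dr),
			'ICON' => $image,
			'DIR_NAME' => tohtml($entry['file']),
			'CHOOSE_IT' => $dr,
			'LINK' => 'ftp_choose_dir.php?cur_dir=' . rawurlencode($dr),
		));
	}
}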
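/**
 * Creates an FTP account for the logged-in customer from the submitted form.
 *
 * The account name is built as `<username><separator><target>` where the
 * target depends on the `dmn_type` field (domain name, alias id or
 * `<subdomain>.<domain>`); the home directory defaults to the matching
 * directory under FTP_HOMEDIR. When `use_other_dir` is on, the posted
 * `other_dir` replaces that default after it has been normalised (runs of
 * slashes collapsed), checked for '..' segments and verified to exist in the
 * domain's virtual file system.
 *
 * The password is validated with the same policy update_ftp_account() in
 * this file applies (confirmation must match when posted, chk_password()
 * must accept it) before any database work is done.
 *
 * Form fields read: username, pass (and pass_rep when present), dmn_type,
 * als_id, sub_id, use_other_dir, other_dir.
 *
 * @param mixed  $sql      database handle accepted by exec_query()
 * @param string $dmn_name customer's main domain name
 * @return void  on validation failure a page message is set and the function
 *               returns without writing anything
 */
function add_ftp_user($sql, $dmn_name) {
	$cfg = EasySCP_Registry::get('Config');

	$username = strtolower(clean_input($_POST['username']));
	if (!validates_username($username)) {
		set_page_message(tr("Incorrect username length or syntax!"), 'warning');
		return;
	}

	// Password policy, kept identical to update_ftp_account()
	$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
	if (isset($_POST['pass_rep']) && $pass !== $_POST['pass_rep']) {
		set_page_message(tr('Entered passwords do not match!'), 'warning');
		return;
	}
	if (!chk_password($pass)) {
		if ($cfg->PASSWD_STRONG) {
			set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
		} else {
			set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
		}
		return;
	}

	// Set default values ($ftp_home may be overwritten if user
	// has specified a mount point)
	$dmn_type = isset($_POST['dmn_type']) ? $_POST['dmn_type'] : '';
	switch ($dmn_type) {
		// Default mount point for a domain
		case 'dmn':
			$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $dmn_name;
			$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}";
			break;
		// Default mount point for an alias domain
		case 'als':
			$als_id = clean_input($_POST['als_id']);
			$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $als_id;
			$alias_mount_point = get_alias_mount_point($sql, $als_id);
			$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}" . $alias_mount_point;
			break;
		// Default mount point for a subdomain (the same cleaned value is used
		// for the account name and the home directory)
		case 'sub':
			$sub_id = clean_input($_POST['sub_id']);
			$ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $sub_id . '.' . $dmn_name;
			$ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . $sub_id;
			break;
		// Unknown domain type
		default:
			set_page_message(tr('Unknown domain type'), 'error');
			return;
	}

	// User-specified mount point
	if (isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on') {
		$ftp_vhome = clean_input($_POST['other_dir'], false);

		// Collapse any run of slashes (a single str_replace('//', '/') left
		// '///' as '//')
		$ftp_vhome = preg_replace('#/+#', '/', $ftp_vhome);

		// Reject up-dir segments. preg_match() returning false (error) also
		// ends up here, so the check fails closed.
		if (preg_match('/\\.\\./', $ftp_vhome) !== 0) {
			set_page_message(tr('Incorrect mount point length or syntax'), 'error');
			return;
		}

		$ftp_home = preg_replace('#/+#', '/', $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . $ftp_vhome);

		// Check for $ftp_vhome existence through the virtual file system
		// (per the note in update_ftp_account() the VFS is rooted at the
		// customer's FTP root, so the relative path is what gets checked)
		$vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
		if (!$vfs->exists($ftp_vhome)) {
			set_page_message(tr('%s does not exist', $ftp_vhome), 'error');
			return;
		}
	}

	$ftp_gid = get_ftp_user_gid($sql, $dmn_name, $ftp_user);
	$ftp_uid = get_ftp_user_uid($sql, $dmn_name, $ftp_user, $ftp_gid);
	// -1 signals failure; loose compare kept because the helper may return
	// the value as a string. Presumably the helper set its own page message.
	if ($ftp_uid == -1) {
		return;
	}

	$ftp_shell = $cfg->CMD_SHELL;
	$ftp_passwd = crypt_user_pass_with_salt($pass);
	$ftp_loginpasswd = encrypt_db_password($pass);

	$query = "
		INSERT INTO ftp_users
			(`userid`, `passwd`, `net2ftppasswd`, `uid`, `gid`, `shell`, `homedir`)
		VALUES
			(?, ?, ?, ?, ?, ?, ?)
	";
	exec_query($sql, $query, array($ftp_user, $ftp_passwd, $ftp_loginpasswd, $ftp_uid, $ftp_gid, $ftp_shell, $ftp_home));

	$domain_props = get_domain_default_props($_SESSION['user_id']);
	update_reseller_c_props($domain_props['domain_created_id']);

	write_log($_SESSION['user_logged'] . ": add new FTP account: {$ftp_user}");
	set_page_message(tr('FTP account added!'), 'success');
	user_goto('ftp_accounts.php');
}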
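/**
 * Normalises a protected-area path: a leading slash is added and empty
 * segments (double slashes, trailing slash) are dropped. '/' is returned
 * unchanged.
 *
 * @param string $path cleaned form value
 * @return string
 */
function _protect_area_clean_path($path) {
	if ($path == '/') {
		return $path;
	}
	$segments = array_values(array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen'));
	return '/' . implode(DIRECTORY_SEPARATOR, $segments);
}

/**
 * Joins the posted id selection into the comma-separated list stored in the
 * htaccess table.
 *
 * Returns null when nothing usable was selected: an empty selection (also
 * when the field was not posted at all) or the single placeholder '-1'.
 *
 * @param mixed $ids posted selection; a scalar is treated as a one-item list
 * @return string|null
 */
function _protect_area_id_list($ids) {
	$list = implode(',', (array) $ids);
	// Loose compare on purpose: matches the original '-1' placeholder handling
	if ($list == '' || $list == '-1') {
		return null;
	}
	return $list;
}

/**
 * Creates or updates an htaccess-protected area for the customer's domain
 * from the submitted form (`uaction` = protect_it).
 *
 * Validates that a user or group selection, an area name and a path were
 * posted, normalises the path, rejects '..' segments and paths ending in a
 * reserved system directory name, verifies through the virtual file system
 * that the directory exists, then inserts a new `htaccess` row or updates the
 * existing row for that path (with or without trailing slash) and asks the
 * daemon to rebuild the domain's htaccess files.
 *
 * @param EasySCP_TemplateEngine $tpl    unused; kept for the caller's signature
 * @param mixed                  $sql    database handle accepted by exec_query()
 * @param int|string             $dmn_id domain the area belongs to
 * @return void  on validation failure a page message is set and nothing is written
 */
function protect_area($tpl, $sql, $dmn_id) {
	$cfg = EasySCP_Registry::get('Config');

	if (!isset($_POST['uaction']) || $_POST['uaction'] != 'protect_it') {
		return;
	}
	if (!isset($_POST['users']) && !isset($_POST['groups'])) {
		set_page_message(tr('Please choose user or group'), 'warning');
		return;
	}
	if (empty($_POST['paname'])) {
		set_page_message(tr('Please enter area name'), 'warning');
		return;
	}
	if (empty($_POST['other_dir'])) {
		set_page_message(tr('Please enter area path'), 'warning');
		return;
	}

	$path = _protect_area_clean_path(clean_input($_POST['other_dir'], false));

	// Up-dir segments are rejected like the mount-point handlers in this file
	// do; preg_match() returning false (error) also ends up here
	if (preg_match('/\\.\\./', $path) !== 0) {
		set_page_message(tr('Incorrect mount point length or syntax'), 'warning');
		return;
	}

	// Check if path is allowed
	// @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
	// @todo: This need to be reviewed on change of alias system
	$forbiddenDirnames = '/^\\/.*\\/?(backups|disabled|errors|logs|phptmp)\\/*$/i';
	if (preg_match($forbiddenDirnames, $path) === 1) {
		set_page_message(tr('The path selected is a system path that cannot be secured.'), 'warning');
		return;
	}

	$domain = $_SESSION['user_logged'];

	// Check for existing directory through the virtual file system
	$vfs = new EasySCP_VirtualFileSystem($domain, $sql);
	if (!$vfs->exists($path)) {
		set_page_message(tr("%s doesn't exist", $path), 'error');
		return;
	}

	$ptype = isset($_POST['ptype']) ? $_POST['ptype'] : '';
	// NOTE(review): paname is stored as posted; how the daemon quotes it when
	// writing the AuthName directive is outside this file — confirm there
	$area_name = $_POST['paname'];

	// Exactly one of user_id / group_id carries the selection, the other is 0
	if ($ptype == 'user') {
		$user_id = _protect_area_id_list(isset($_POST['users']) ? $_POST['users'] : array());
		if ($user_id === null) {
			set_page_message(tr('You cannot protect area without selected user(s)!'), 'warning');
			return;
		}
		$group_id = 0;
	} else {
		$group_id = _protect_area_id_list(isset($_POST['groups']) ? $_POST['groups'] : array());
		if ($group_id === null) {
			set_page_message(tr('You cannot protect area without selected group(s)'), 'warning');
			return;
		}
		$user_id = 0;
	}

	// Find out whether this path (with or without trailing slash) is already
	// protected, so it is updated instead of duplicated
	$alt_path = $path . "/";
	$query = "
		SELECT
			`id`
		FROM
			`htaccess`
		WHERE
			`dmn_id` = ?
		AND
			(`path` = ? OR `path` = ?)
	;";
	$rs = exec_query($sql, $query, array($dmn_id, $path, $alt_path));

	$toadd_status = $cfg->ITEM_ADD_STATUS;
	$tochange_status = $cfg->ITEM_CHANGE_STATUS;

	if ($rs->recordCount() !== 0) {
		// The row id is bound as a parameter instead of being interpolated
		$update_id = $rs->fields['id'];
		$query = "
			UPDATE
				`htaccess`
			SET
				`user_id` = ?,
				`group_id` = ?,
				`auth_name` = ?,
				`path` = ?,
				`status` = ?
			WHERE
				`id` = ?;
		";
		exec_query($sql, $query, array($user_id, $group_id, $area_name, $path, $tochange_status, $update_id));
		send_request('110 DOMAIN htaccess ' . $dmn_id);
		set_page_message(tr('Protected area updated successfully!'), 'success');
	} else {
		$query = "
			INSERT INTO `htaccess`
				(`dmn_id`, `user_id`, `group_id`, `auth_type`, `auth_name`, `path`, `status`)
			VALUES
				(?, ?, ?, ?, ?, ?, ?);
		";
		exec_query($sql, $query, array($dmn_id, $user_id, $group_id, 'Basic', $area_name, $path, $toadd_status));
		send_request('110 DOMAIN htaccess ' . $dmn_id);
		set_page_message(tr('Protected area created successfully!'), 'success');
	}

	user_goto('protected_areas.php');
}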
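/**
 * Resolves the user-specified mount point of an FTP account to its absolute
 * home directory.
 *
 * The cleaned directory has runs of slashes collapsed, '..' segments are
 * rejected, and the directory must exist in the domain's virtual file system.
 * On failure a page message is set (the "does not exist" message uses the
 * given level) and null is returned.
 *
 * @param EasySCP_VirtualFileSystem $vfs   VFS of the customer's domain
 * @param string                    $dir   cleaned `other_dir` form value
 * @param string                    $base  home prefix, FTP_HOMEDIR/<customer>
 * @param string                    $level page message level for a missing directory
 * @return string|null
 */
function _ftp_resolve_mount_point($vfs, $dir, $base, $level) {
	$dir = preg_replace('#/+#', '/', $dir);

	// preg_match() returning false (error) also ends up here: fail closed
	if (preg_match('/\\.\\./', $dir) !== 0) {
		set_page_message(tr('Incorrect mount point length or syntax'), 'warning');
		return null;
	}

	// The VFS is bound to the customer's FTP account, so the relative path is
	// what gets checked; the absolute path is only built afterwards
	if (!$vfs->exists($dir)) {
		set_page_message(tr('%s does not exist', $dir), $level);
		return null;
	}

	return preg_replace('#/+#', '/', $base . '/' . $dir);
}

/**
 * Handles the "edit FTP account" form (`uaction` = edit_user) for $ftp_acc.
 *
 * When a password was entered it must match its confirmation and pass
 * chk_password(); the hashed password and, when `use_other_dir` is on, the
 * new home directory are then written. Without a password only the home
 * directory is updated: the user-specified mount point, or the customer's
 * default home when `use_other_dir` is off. In both cases the mount point
 * goes through _ftp_resolve_mount_point(), so '..' segments are rejected and
 * the directory must exist in the virtual file system.
 *
 * The global $other_dir is left holding the resolved home directory (or the
 * cleaned form value when validation failed), as callers may read it.
 *
 * @param mixed  $sql      database handle accepted by exec_query()
 * @param string $ftp_acc  FTP user id being edited
 * @param string $dmn_name customer's main domain name
 * @return void  on validation failure a page message is set and nothing is written
 */
function update_ftp_account($sql, $ftp_acc, $dmn_name) {
	global $other_dir;

	$cfg = EasySCP_Registry::get('Config');

	if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'edit_user') {
		return;
	}

	$vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
	$home_base = $cfg->FTP_HOMEDIR . "/" . $_SESSION['user_logged'];
	$use_other_dir = isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on';
	$posted_dir = isset($_POST['other_dir']) ? $_POST['other_dir'] : '';

	if (!empty($_POST['pass']) || !empty($_POST['pass_rep'])) {
		$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
		$pass_rep = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';
		if ($pass !== $pass_rep) {
			set_page_message(tr('Entered passwords do not match!'), 'warning');
			return;
		}
		if (!chk_password($pass)) {
			if ($cfg->PASSWD_STRONG) {
				set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
			} else {
				set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
			}
			return;
		}
		$crypted = crypt_user_pass_with_salt($pass);
		$loginpass = encrypt_db_password($pass);

		if ($use_other_dir) {
			$other_dir = clean_input($posted_dir);
			$resolved = _ftp_resolve_mount_point($vfs, $other_dir, $home_base, 'warning');
			if ($resolved === null) {
				return;
			}
			$other_dir = $resolved;
			$query = "
				UPDATE
					`ftp_users`
				SET
					`passwd` = ?,
					`net2ftppasswd` = ?,
					`homedir` = ?
				WHERE
					`userid` = ?
			";
			$param = array($crypted, $loginpass, $other_dir, $ftp_acc);
		} else {
			$query = "
				UPDATE
					`ftp_users`
				SET
					`passwd` = ?,
					`net2ftppasswd` = ?
				WHERE
					`userid` = ?
			";
			$param = array($crypted, $loginpass, $ftp_acc);
		}
		exec_query($sql, $query, $param);
		write_log($_SESSION['user_logged'] . ": updated FTP " . $ftp_acc . " account data");
		set_page_message(tr('FTP account data updated!'), 'success');
		user_goto('ftp_accounts.php');
		return;
	}

	// No password change: only the home directory is updated
	if ($use_other_dir) {
		$other_dir = clean_input($posted_dir);
		$resolved = _ftp_resolve_mount_point($vfs, $other_dir, $home_base, 'error');
		if ($resolved === null) {
			return;
		}
		$other_dir = $resolved;
	} else {
		$other_dir = $home_base;
	}

	$query = "
		UPDATE
			`ftp_users`
		SET
			`homedir` = ?
		WHERE
			`userid` = ?
	";
	exec_query($sql, $query, array($other_dir, $ftp_acc));
	set_page_message(tr('FTP account data updated!'), 'success');
	user_goto('ftp_accounts.php');
}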