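/**
 * Renders the directory chooser used by the FTP account pages.
 *
 * Lists the sub-directories of the directory named in `$_GET['cur_dir']`
 * (the domain root when absent) through the per-domain virtual file system
 * and appends one template row per directory, preceded by a
 * "Parent Directory" row.
 *
 * @param EasySCP_TemplateEngine $tpl Template receiving the rows
 * @return void
 */
function gen_directories($tpl)
{
    $sql = EasySCP_Registry::get('Db');

    // `cur_dir` is untrusted request input. It is only handed to the VFS and
    // echoed back inside links, so every value placed in a URL below is
    // query-encoded; the template's `DIR_NAME` is HTML-escaped with tohtml().
    $path = isset($_GET['cur_dir']) ? $_GET['cur_dir'] : '';
    $domain = $_SESSION['user_logged'];

    // The VFS is scoped to the logged-in user's domain
    $vfs = new EasySCP_VirtualFileSystem($domain, $sql);

    $list = $vfs->ls($path);
    if (!$list) {
        set_page_message(tr('Cannot open directory!<br />Please contact your administrator!'), 'error');
        return;
    }

    // Parent directory link: drop the last path segment. VFS paths are joined
    // with '/' throughout this function, so the separator is hard-coded
    // rather than taken from DIRECTORY_SEPARATOR.
    $segments = explode('/', $path);
    array_pop($segments);
    $parent = implode('/', $segments);

    $tpl->append(array(
        'ACTION' => '',
        'ACTION_LINK' => 'no',
        'ICON' => 'parent',
        'DIR_NAME' => tr('Parent Directory'),
        'CHOOSE_IT' => '',
        'LINK' => 'ftp_choose_dir.php?cur_dir=' . rawurlencode($parent),
    ));

    // Directory names matching this pattern are system directories that must
    // not be offered for protection. The pattern is loop-invariant.
    // @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
    $forbiddenDirnames = '/backups|disabled|errors|logs|phptmp/i';

    foreach ($list as $entry) {
        // Only real directories are listed; '.' and '..' are skipped
        if ($entry['type'] != EasySCP_VirtualFileSystem::VFS_TYPE_DIR) {
            continue;
        }
        if ($entry['file'] == '.' || $entry['file'] == '..') {
            continue;
        }

        $dr = $path . '/' . $entry['file'];

        // A directory that already carries a .htaccess is shown as "locked"
        $image = $vfs->exists($dr . '/.htaccess') ? 'locked' : 'folder';

        // Forbidden directories get no "protect" action
        $tpl->append('ACTION_LINK', preg_match($forbiddenDirnames, $entry['file']) === 1 ? 'no' : 'yes');

        $tpl->append(array(
            'PROTECT_IT' => 'protected_areas_add.php?file=' . rawurlencode($dr),
            'ICON' => $image,
            'DIR_NAME' => tohtml($entry['file']),
            'CHOOSE_IT' => $dr,
            'LINK' => 'ftp_choose_dir.php?cur_dir=' . rawurlencode($dr),
        ));
    }
}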
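/**
 * Creates a new FTP account for the logged-in customer from the submitted form.
 *
 * Reads the account data from `$_POST` (`username`, `dmn_type`, `als_id`,
 * `sub_id`, `use_other_dir`, `other_dir`, `pass`), derives the FTP user name
 * and home directory for the selected domain type, validates a user-specified
 * mount point against the domain's virtual file system, and inserts the
 * account. Every validation failure sets a page message and returns without
 * writing; success writes a log entry and redirects to ftp_accounts.php.
 *
 * @param mixed  $sql      Database handle (as returned by EasySCP_Registry::get('Db'))
 * @param string $dmn_name Name of the customer's main domain
 * @return void
 */
function add_ftp_user($sql, $dmn_name)
{
    $cfg = EasySCP_Registry::get('Config');

    $username = strtolower(clean_input($_POST['username']));
    if (!validates_username($username)) {
        set_page_message(tr("Incorrect username length or syntax!"), 'warning');
        return;
    }

    // Default home directory per domain type; overwritten below when the
    // user supplied an explicit mount point.
    $dmn_type = isset($_POST['dmn_type']) ? $_POST['dmn_type'] : '';
    switch ($dmn_type) {
        // Main domain
        case 'dmn':
            $ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $dmn_name;
            $ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}";
            break;
        // Alias domain: home is the alias mount point below the main domain
        case 'als':
            $ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $_POST['als_id'];
            $alias_mount_point = get_alias_mount_point($sql, $_POST['als_id']);
            $ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}" . $alias_mount_point;
            break;
        // Subdomain
        case 'sub':
            // NOTE(review): the user name embeds the raw `sub_id` while the
            // home path uses clean_input() on the same value; the two should
            // agree — confirm which form the rest of the code base expects
            // for `userid` before changing either.
            $ftp_user = $username . $cfg->FTP_USERNAME_SEPARATOR . $_POST['sub_id'] . '.' . $dmn_name;
            $ftp_home = $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . clean_input($_POST['sub_id']);
            break;
        // Unknown domain type
        default:
            set_page_message(tr('Unknown domain type'), 'error');
            return;
    }

    // User-specified mount point, relative to the domain root
    if (isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on') {
        $ftp_vhome = clean_input($_POST['other_dir'], false);
        // Collapse any run of slashes (a single str_replace('//', '/') left
        // '//' behind for three or more)
        $ftp_vhome = preg_replace('#/+#', '/', $ftp_vhome);

        // Reject any ".." so the mount point cannot climb out of the domain
        // root. preg_match() returns false on error, which is rejected too.
        if (preg_match('/\.\./', $ftp_vhome) !== 0) {
            set_page_message(tr('Incorrect mount point length or syntax'), 'error');
            return;
        }

        // The mount point must exist in the domain's virtual file system
        $vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
        if (!$vfs->exists($ftp_vhome)) {
            // NOTE(review): the user-supplied path is echoed in the message;
            // confirm that set_page_message()/the template escape it.
            set_page_message(tr('%s does not exist', $ftp_vhome), 'error');
            return;
        }

        $ftp_home = preg_replace('#/+#', '/', $cfg->FTP_HOMEDIR . "/{$dmn_name}/" . $ftp_vhome);
    }

    $ftp_gid = get_ftp_user_gid($sql, $dmn_name, $ftp_user);
    $ftp_uid = get_ftp_user_uid($sql, $dmn_name, $ftp_user, $ftp_gid);
    // -1 signals failure from get_ftp_user_uid(); presumably it has already
    // set a page message, since none is set here.
    if ($ftp_uid == -1) {
        return;
    }

    $ftp_shell = $cfg->CMD_SHELL;
    // Two stored forms of the password: the salted crypt hash for the FTP
    // daemon and the encrypt_db_password() form kept for net2ftp.
    // NOTE(review): unlike update_ftp_account(), no chk_password() or
    // confirmation check is applied to `pass` here — confirm the caller does.
    $ftp_passwd = crypt_user_pass_with_salt($_POST['pass']);
    $ftp_loginpasswd = encrypt_db_password($_POST['pass']);

    $query = "\n\t\tINSERT INTO ftp_users\n\t\t\t(`userid`, `passwd`, `net2ftppasswd`, `uid`, `gid`, `shell`, `homedir`)\n\t\tVALUES\n\t\t\t(?, ?, ?, ?, ?, ?, ?)\n\t";
    exec_query($sql, $query, array($ftp_user, $ftp_passwd, $ftp_loginpasswd, $ftp_uid, $ftp_gid, $ftp_shell, $ftp_home));

    // Keep the reseller's account counters in sync with the new account
    $domain_props = get_domain_default_props($_SESSION['user_id']);
    update_reseller_c_props($domain_props['domain_created_id']);

    write_log($_SESSION['user_logged'] . ": add new FTP account: {$ftp_user}");
    set_page_message(tr('FTP account added!'), 'success');
    user_goto('ftp_accounts.php');
}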
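/**
 * Creates or updates a password-protected area (an `htaccess` row) for a
 * domain from the submitted "protect_it" form.
 *
 * Validates the posted area name, path and user/group selection, normalises
 * the path, refuses system directories, checks that the path exists in the
 * domain's virtual file system, then inserts a new `htaccess` row or updates
 * the existing one for that path and asks the backend to apply it. Every
 * failure sets a page message and returns; success redirects to
 * protected_areas.php.
 *
 * @param mixed $tpl    Template engine; not used by this function
 * @param mixed $sql    Database handle (as returned by EasySCP_Registry::get('Db'))
 * @param mixed $dmn_id Id of the domain the area belongs to
 * @return void
 */
function protect_area($tpl, $sql, $dmn_id)
{
    $cfg = EasySCP_Registry::get('Config');

    if (!isset($_POST['uaction']) || $_POST['uaction'] != 'protect_it') {
        return;
    }
    if (!isset($_POST['users']) && !isset($_POST['groups'])) {
        set_page_message(tr('Please choose user or group'), 'warning');
        return;
    }
    if (empty($_POST['paname'])) {
        set_page_message(tr('Please enter area name'), 'warning');
        return;
    }
    if (empty($_POST['other_dir'])) {
        set_page_message(tr('Please enter area path'), 'warning');
        return;
    }

    // Normalise the path: leading slash, no empty segments (i.e. no double
    // or trailing slashes). VFS paths always use '/', so the separator is
    // not taken from DIRECTORY_SEPARATOR.
    $path = clean_input($_POST['other_dir'], false);
    if ($path != '/') {
        $segments = array();
        foreach (explode('/', $path) as $dir) {
            if ($dir != '') {
                $segments[] = $dir;
            }
        }
        $path = '/' . implode('/', $segments);
    }

    // System directories cannot be protected
    // @todo: valid directories (e.g. /htdocs/disabled/) are excluded (false positive)
    // @todo: This need to be reviewed on change of alias system
    $forbiddenDirnames = '/^\\/.*\\/?(backups|disabled|errors|logs|phptmp)\\/*$/i';
    if (preg_match($forbiddenDirnames, $path) === 1) {
        set_page_message(tr('The path selected is a system path that cannot be secured.'), 'warning');
        return;
    }

    // The path must exist in the domain's virtual file system
    $domain = $_SESSION['user_logged'];
    $vfs = new EasySCP_VirtualFileSystem($domain, $sql);
    if (!$vfs->exists($path)) {
        set_page_message(tr("%s doesn't exist", $path), 'error');
        return;
    }

    $ptype = isset($_POST['ptype']) ? $_POST['ptype'] : '';
    // Cast to array so a scalar or missing field cannot break count()/indexing
    $users = isset($_POST['users']) ? (array) $_POST['users'] : array();
    $groups = isset($_POST['groups']) ? (array) $_POST['groups'] : array();
    $area_name = $_POST['paname'];

    // The selected ids are stored as a comma-separated list; the column for
    // the unused protection type is set to 0. An empty selection, or the
    // "-1" placeholder option, is rejected.
    // NOTE(review): the ids are taken from the request as-is; only the
    // parameter binding below protects the queries here — confirm that the
    // backend consuming `user_id`/`group_id` validates them against the
    // domain's own users and groups.
    if ($ptype == 'user') {
        $user_id = implode(',', $users);
        if ($user_id == '-1' || $user_id == '') {
            set_page_message(tr('You cannot protect area without selected user(s)!'), 'warning');
            return;
        }
        $group_id = 0;
    } else {
        $group_id = implode(',', $groups);
        if ($group_id == '-1' || $group_id == '') {
            set_page_message(tr('You cannot protect area without selected group(s)'), 'warning');
            return;
        }
        $user_id = 0;
    }

    // An existing entry for this path (with or without trailing slash) is
    // updated instead of duplicated
    $alt_path = $path . "/";
    $query = "\n\t\tSELECT\n\t\t\t`id`\n\t\tFROM\n\t\t\t`htaccess`\n\t\tWHERE\n\t\t\t`dmn_id` = ?\n\t\tAND\n\t\t\t(`path` = ? OR `path` = ?)\n\t;";
    $rs = exec_query($sql, $query, array($dmn_id, $path, $alt_path));

    $toadd_status = $cfg->ITEM_ADD_STATUS;
    $tochange_status = $cfg->ITEM_CHANGE_STATUS;

    if ($rs->recordCount() !== 0) {
        // The row id is bound like every other value instead of being
        // interpolated into the statement
        $update_id = $rs->fields['id'];
        $query = "\n\t\t\tUPDATE\n\t\t\t\t`htaccess`\n\t\t\tSET\n\t\t\t\t`user_id` = ?,\n\t\t\t\t`group_id` = ?,\n\t\t\t\t`auth_name` = ?,\n\t\t\t\t`path` = ?,\n\t\t\t\t`status` = ?\n\t\t\tWHERE\n\t\t\t\t`id` = ?;\n\t\t";
        exec_query($sql, $query, array($user_id, $group_id, $area_name, $path, $tochange_status, $update_id));
        send_request('110 DOMAIN htaccess ' . $dmn_id);
        set_page_message(tr('Protected area updated successfully!'), 'success');
    } else {
        $query = "\n\t\t\tINSERT INTO `htaccess`\n\t\t\t\t(`dmn_id`, `user_id`, `group_id`, `auth_type`, `auth_name`, `path`, `status`)\n\t\t\tVALUES\n\t\t\t\t(?, ?, ?, ?, ?, ?, ?);\n\t\t";
        exec_query($sql, $query, array($dmn_id, $user_id, $group_id, 'Basic', $area_name, $path, $toadd_status));
        send_request('110 DOMAIN htaccess ' . $dmn_id);
        set_page_message(tr('Protected area created successfully!'), 'success');
    }

    user_goto('protected_areas.php');
}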
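/**
 * Applies the "edit_user" form to an existing FTP account.
 *
 * Two independent changes are handled. A new password is set when `pass` or
 * `pass_rep` is non-empty; both must match and pass chk_password(). A new
 * home directory is set when `use_other_dir` is "on" (the posted `other_dir`
 * below the customer's FTP root) and, when no password change is requested
 * either, the account is reset to the FTP root itself. The mount point is
 * normalised, rejected if it contains "..", and must exist in the domain's
 * virtual file system. Failures set a page message and return; success
 * writes a log entry and redirects to ftp_accounts.php.
 *
 * @param mixed  $sql      Database handle (as returned by EasySCP_Registry::get('Db'))
 * @param string $ftp_acc  FTP user name (`userid`) of the account to update
 * @param string $dmn_name Name of the customer's domain
 * @return void
 */
function update_ftp_account($sql, $ftp_acc, $dmn_name)
{
    // Kept global: the resolved home directory has always been exported this
    // way for callers that read it after the call.
    global $other_dir;

    $cfg = EasySCP_Registry::get('Config');

    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'edit_user') {
        return;
    }

    $change_password = !empty($_POST['pass']) || !empty($_POST['pass_rep']);
    $use_other_dir = isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on';

    // --- password -------------------------------------------------------
    $pass = null;
    $loginpass = null;
    if ($change_password) {
        if ($_POST['pass'] !== $_POST['pass_rep']) {
            set_page_message(tr('Entered passwords do not match!'), 'warning');
            return;
        }
        if (!chk_password($_POST['pass'])) {
            if ($cfg->PASSWD_STRONG) {
                set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
            } else {
                set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
            }
            return;
        }
        // Salted crypt hash for the FTP daemon and the encrypt_db_password()
        // form kept for net2ftp
        $pass = crypt_user_pass_with_salt($_POST['pass']);
        $loginpass = encrypt_db_password($_POST['pass']);
    }

    // --- home directory -------------------------------------------------
    // The same normalisation and ".." check applies whether or not a
    // password is changed at the same time; previously the password branch
    // skipped both and accepted the posted path unchecked.
    $homedir = null;
    if ($use_other_dir) {
        $other_dir = clean_input($_POST['other_dir']);
        // Collapse any run of slashes
        $other_dir = preg_replace('#/+#', '/', $other_dir);

        // Reject any ".." so the mount point cannot climb out of the FTP
        // root. preg_match() returns false on error, which is rejected too.
        if (preg_match('/\.\./', $other_dir) !== 0) {
            set_page_message(tr('Incorrect mount point length or syntax'), 'warning');
            return;
        }

        // The VFS works relative to the domain's FTP root, so the posted path
        // is checked as given; no absolute host paths are accepted here.
        $vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
        if (!$vfs->exists($other_dir)) {
            // NOTE(review): the user-supplied path is echoed in the message;
            // confirm that set_page_message()/the template escape it.
            set_page_message(tr('%s does not exist', $other_dir), 'error');
            return;
        }

        $other_dir = $cfg->FTP_HOMEDIR . '/' . $_SESSION['user_logged'] . $other_dir;
        $homedir = $other_dir;
    } elseif (!$change_password) {
        // No mount point and no password change: reset to the FTP root
        $other_dir = $cfg->FTP_HOMEDIR . '/' . $_SESSION['user_logged'];
        $homedir = $other_dir;
    }

    // --- persist --------------------------------------------------------
    // Only the columns that actually change are written. The SET fragments
    // are fixed literals; every value travels as a bound parameter. At least
    // one fragment is always present (a password change, or the homedir
    // reset above).
    $set = array();
    $param = array();
    if ($change_password) {
        $set[] = '`passwd` = ?';
        $set[] = '`net2ftppasswd` = ?';
        $param[] = $pass;
        $param[] = $loginpass;
    }
    if ($homedir !== null) {
        $set[] = '`homedir` = ?';
        $param[] = $homedir;
    }
    $param[] = $ftp_acc;
    $query = 'UPDATE `ftp_users` SET ' . implode(', ', $set) . ' WHERE `userid` = ?';
    exec_query($sql, $query, $param);

    // Logged for both kinds of change (home directory changes were not
    // logged before)
    write_log($_SESSION['user_logged'] . ": updated FTP " . $ftp_acc . " account data");
    set_page_message(tr('FTP account data updated!'), 'success');
    user_goto('ftp_accounts.php');
}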