ht: More restrictive directory names
parent
922f649a08
commit
05db184fa6
|
@ -47,6 +47,7 @@ cat_path = "/usr/bin/cat"
|
|||
rm_path = "/usr/bin/rm"
|
||||
mkdir_path = "/usr/bin/mkdir"
|
||||
|
||||
sftpgo_user = "sftpgo"
|
||||
sftpgo_group = "sftpgo"
|
||||
|
||||
; Will be shown to users
|
||||
|
|
10
fn/ht.php
10
fn/ht.php
|
@ -16,7 +16,7 @@ function listFsDirs($username) {
|
|||
$absoluteDirs = glob(CONF['ht']['ht_path'] . '/' . $username . '/*/', GLOB_ONLYDIR);
|
||||
$dirs = [];
|
||||
foreach ($absoluteDirs as $absoluteDir)
|
||||
if (preg_match('/^[\p{L}\p{N}_-]{1,64}$/Du', basename($absoluteDir)))
|
||||
if (preg_match('/^[a-zA-Z0-9_-]{1,64}$/D', basename($absoluteDir)))
|
||||
array_push($dirs, basename($absoluteDir));
|
||||
return $dirs;
|
||||
}
|
||||
|
@ -32,14 +32,16 @@ function addSite($username, $siteDir, $domain, $domainType, $protocol) {
|
|||
]);
|
||||
}
|
||||
|
||||
function dirsStatuses($username, $domainType, $protocol) {
|
||||
function dirsStatuses($domainType, $protocol) {
|
||||
if (isset($_SESSION['username']) !== true)
|
||||
return [];
|
||||
$dbDirs = query('select', 'sites', [
|
||||
'username' => $username,
|
||||
'username' => $_SESSION['username'],
|
||||
'domain_type' => $domainType,
|
||||
'protocol' => $protocol,
|
||||
], 'site_dir');
|
||||
$dirs = [];
|
||||
foreach (listFsDirs($username) as $fsDir)
|
||||
foreach (listFsDirs($_SESSION['username']) as $fsDir)
|
||||
$dirs[$fsDir] = in_array($fsDir, $dbDirs);
|
||||
return $dirs;
|
||||
}
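Review bot: `in_array($fsDir, $dbDirs)` on the last loop line of dirsStatuses compares loosely, and two names that are both numeric strings under the new `[a-zA-Z0-9_-]` rule (constructed example: `10` and `1e1`) compare equal, so a directory can be marked as registered when only a differently named one exists in `sites`; make it `$dirs[$fsDir] = in_array($fsDir, $dbDirs, true);`. This presumes the `site_dir` column comes back as plain strings, which the query helper does not show here. Since this function is now the only gate on `$_POST['dir']` in the page handlers, the pattern in listFsDirs deserves a comment such as `// Allow-list for site directory names; keep in step with the rule shown to users (a-z, A-Z, 0-9, _, -)`.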
|
||||
|
|
|
@ -30,7 +30,7 @@ if (processForm()) {
|
|||
|
||||
removeDirectory(CONF['ht']['tor_config_path'] . '/' . $_SESSION['username']);
|
||||
|
||||
exec(CONF['ht']['sudo_path'] . ' ' . CONF['ht']['rm_path'] . ' --recursive ' . CONF['ht']['ht_path'] . '/' . $_SESSION['username'], result_code: $code);
|
||||
exec(CONF['ht']['sudo_path'] . ' -u ' . CONF['ht']['sftpgo_user'] . ' ' . CONF['ht']['rm_path'] . ' --recursive ' . CONF['ht']['ht_path'] . '/' . $_SESSION['username'], result_code: $code);
|
||||
if ($code !== 0)
|
||||
output(500, 'Can\'t remove user\'s directory.');
|
||||
|
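Review bot: The rewritten exec line still builds the shell command by concatenation and inserts `$_SESSION['username']` unescaped; even if usernames are validated at signup, the path argument should be passed as `escapeshellarg(CONF['ht']['ht_path'] . '/' . $_SESSION['username'])` so the sudo/rm invocation cannot be altered by any character the login rules may later admit. Running rm as `sftpgo_user` instead of root narrows what sudo needs to grant, and the matching sudoers rule should now be limited to `rm_path` for that user only, which this diff cannot show. The enclosing `if (processForm())` block starts before this hunk.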
||||
|
|
|
@ -1,14 +1,9 @@
|
|||
<?php
|
||||
|
||||
if (isset($_SESSION['username']))
|
||||
$dirsStatuses = dirsStatuses($_SESSION['username'], 'dns', 'http');
|
||||
else
|
||||
$dirsStatuses = [];
|
||||
|
||||
if (processForm()) {
|
||||
$_POST['domain'] = formatDomain($_POST['domain']);
|
||||
|
||||
if ($dirsStatuses[$_POST['dir']] !== false)
|
||||
if (dirsStatuses('dns', 'http')[$_POST['dir']] !== false)
|
||||
output(403, 'Wrong value for <code>dir</code>.');
|
||||
|
||||
if (query('select', 'sites', ['domain' => $_POST['domain']], 'domain') !== [])
|
||||
|
@ -65,6 +60,8 @@ if (processForm()) {
|
|||
output(200, 'Accès HTTP par domaine ajouté sur ce dossier !');
|
||||
}
|
||||
|
||||
$dirsStatuses = dirsStatuses('onion', 'http');
|
||||
|
||||
$proof = getAuthToken();
|
||||
|
||||
?>
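Review bot: The rendering call added at the bottom of this file, `$dirsStatuses = dirsStatuses('onion', 'http');`, uses `onion` while every other call in the file is `dirsStatuses('dns', 'http')` and the form adds a domain access, so the list shown after the form would reflect Onion sites; unless that is intended it should read `$dirsStatuses = dirsStatuses('dns', 'http');`, and the same mismatch appears in the dns delete page below (`htDeleteSite(..., domainType: 'dns', ...)` followed by `dirsStatuses('onion', 'http')`). Separately, `dirsStatuses('dns', 'http')[$_POST['dir']]` reads `$_POST['dir']` without checking that it is set and a string; a missing key only warns and still ends in the 403, but an array value (`dir[]=x`) raises a TypeError on the PHP 8 this file targets (it uses named arguments) and so escapes the intended `output(403, ...)`. Guarding with `if (!isset($_POST['dir']) || !is_string($_POST['dir']) || dirsStatuses('dns', 'http')[$_POST['dir']] !== false)` closes that, unless processForm() already validates the field, which this diff does not show; the same applies to the three other page hunks below. The `if (processForm())` block continues past the first hunk of this file.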
|
||||
|
|
|
@ -1,12 +1,7 @@
|
|||
<?php
|
||||
|
||||
if (isset($_SESSION['username']))
|
||||
$dirsStatuses = dirsStatuses($_SESSION['username'], 'onion', 'http');
|
||||
else
|
||||
$dirsStatuses = [];
|
||||
|
||||
if (processForm()) {
|
||||
if ($dirsStatuses[$_POST['dir']] !== false)
|
||||
if (dirsStatuses('onion', 'http')[$_POST['dir']] !== false)
|
||||
output(403, 'Wrong value for <code>dir</code>.');
|
||||
|
||||
rateLimit();
|
||||
|
@ -53,6 +48,8 @@ if (processForm()) {
|
|||
output(200, 'L\'adresse de votre service Onion HTTP est : <a href="http://' . $onion . '/"><code>http://' . $onion . '/</code></a>');
|
||||
}
|
||||
|
||||
$dirsStatuses = dirsStatuses('onion', 'http');
|
||||
|
||||
?>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -1,12 +1,7 @@
|
|||
<?php
|
||||
|
||||
if (isset($_SESSION['username']))
|
||||
$dirsStatuses = dirsStatuses($_SESSION['username'], 'dns', 'http');
|
||||
else
|
||||
$dirsStatuses = [];
|
||||
|
||||
if (processForm()) {
|
||||
if ($dirsStatuses[$_POST['dir']] !== true)
|
||||
if (dirsStatuses('dns', 'http')[$_POST['dir']] !== true)
|
||||
output(403, 'Wrong value for <code>dir</code>.');
|
||||
|
||||
htDeleteSite($_POST['dir'], domainType: 'dns', protocol: 'http');
|
||||
|
@ -14,6 +9,8 @@ if (processForm()) {
|
|||
output(200, 'Accès retiré.');
|
||||
}
|
||||
|
||||
$dirsStatuses = dirsStatuses('onion', 'http');
|
||||
|
||||
?>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -1,12 +1,7 @@
|
|||
<?php
|
||||
|
||||
if (isset($_SESSION['username']))
|
||||
$dirsStatuses = dirsStatuses($_SESSION['username'], 'onion', 'http');
|
||||
else
|
||||
$dirsStatuses = [];
|
||||
|
||||
if (processForm()) {
|
||||
if ($dirsStatuses[$_POST['dir']] !== true)
|
||||
if (dirsStatuses('onion', 'http')[$_POST['dir']] !== true)
|
||||
output(403, 'Wrong value for <code>dir</code>.');
|
||||
|
||||
htDeleteSite($_POST['dir'], domainType: 'onion', protocol: 'http');
|
||||
|
@ -14,6 +9,8 @@ if (processForm()) {
|
|||
output(200, 'Accès retiré.');
|
||||
}
|
||||
|
||||
$dirsStatuses = dirsStatuses('onion', 'http');
|
||||
|
||||
?>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -30,6 +30,12 @@ else {
|
|||
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<h2>Ajouter un accès de site</h2>
|
||||
|
||||
<p>Pour pouvoir y ajouter un accès par ce service, un site doit auparavent être téléversé dans un sous-dossier direct de l'espace SFTP. Le nom de ce sous-dossier ne peut contenir que <abbr title="abcdefghijklmnopqrstuvwxyz"><code>a</code>-<code>z</code></abbr>, <abbr title="ABCDEFGHIJKLMNOPQRSTUVWXYZ"><code>A</code>-<code>Z</code></abbr>, <abbr title="0123456789"><code>0</code>-<code>9</code></abbr>, <code>_</code> et <code>-</code>.</p>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<h2>SFTP</h2>
|
||||
|
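Review bot: The new paragraph lists the permitted characters but not the length bound that listFsDirs enforces with `{1,64}`, so a directory with a longer name silently disappears from the list with no explanation; appending `, et doit faire au plus 64 caractères` to the sentence keeps the prose and the regex in step. In the same sentence `auparavent` should read `auparavant`. The `<abbr title>` ranges match the `[a-zA-Z0-9_-]` class exactly, so the two places to update if the rule changes again are this paragraph and the pattern in listFsDirs.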
||||
|
|