Merge branch 'servicing' into release

hestiacp · Oct 24, 2023 · 67e9f57 · 67e9f57
2 parents 197bacf + e3f73a4
commit 67e9f57
Show file tree

Hide file tree

Showing 78 changed files with 2,912 additions and 1,902 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.8.9] - Service release
+
+### Security
+
+- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users
+- Reduce Nginx keepalive_requests to 1000 ([Nginx default](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/#http2_max_concurrent_streams)) to limit risks of [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
+
+### Bug fixes
+
+- Fix: removing certificates during apache reload #4053
+- Fix: Firehol blacklists #4046
+- Fix PHP error + Add option to update WPCLI + Composer #4039
+- Update v-add-mail-domain #4027 #4026
+- Update MediaWikiSetup.php #4034
+- Fix: for v-list-sys-services, pidof command in Debian Buster doesn't support option -d #4022
+- Update main.php humanize_usage_size() #4015
+- Fix: Prevent the script v-add-sys-roundcube from freezing during Roundcube upgrade #4018
+- Fixed an issue with login when 2FA was enabled
+
+### Dependencies
+
+- Update Filegator to 7.9.3
+- Update Roundcube to 1.6.4
+- Update Snappymail to 2.29.1
+
 ## [1.8.8] - Service release
 
 ### Security

diff --git a/SECURITY.md b/SECURITY.md
@@ -4,10 +4,7 @@ Welcome and thanks for taking interest in Hestia CP!
 
 We are mostly interested in reports by actual Hestia CP users but all high quality contributions are welcome.
 
-If you believe that you have have discovered a vulnerability in Hestia Control Panel,
-please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform.
-
-If you are unable to use [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to <info@hestiacp.com>
+If you believe that you have have discovered a vulnerability in Hestia Control Panel, please let our development team know by sending an email to <info@hestiacp.com>
 
 We ask you to include a detailed description of the vulnerability, a list of services involved (e.g. exim, dovecot) and the versions which you've tested, full steps to reproduce the vulnerability, and include your findings and expected results.
 

diff --git a/bin/v-add-sys-roundcube b/bin/v-add-sys-roundcube
@@ -187,7 +187,9 @@ else
 
 	# Run Roundcube upgrade script
 	$RC_INSTALL_DIR/$RC_EXTRACT/bin/installto.sh -y $RC_INSTALL_DIR > /dev/null 2>&1
-	$RC_INSTALL_DIR/bin/update.sh --version "$version" > /dev/null 2>&1
+	# Use COMPOSER_ALLOW_SUPERUSER=1 to prevent update.sh script from freezing trying
+	# to execute composer as root to update roundcube dependencies
+	COMPOSER_ALLOW_SUPERUSER=1 $RC_INSTALL_DIR/bin/update.sh --version "$version" > /dev/null 2>&1
 	$RC_INSTALL_DIR/bin/indexcontacts.sh > /dev/null 2>&1
 	chown -R root:www-data $RC_INSTALL_DIR
 

diff --git a/bin/v-add-user-composer b/bin/v-add-user-composer
@@ -14,6 +14,7 @@
 # Argument definition
 user=$1
 version=${2-2}
+update=$3
 
 if [ -z "$HESTIA" ]; then
 	HESTIA="/usr/local/hestia"
@@ -31,7 +32,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '1' "$#" 'USER [VERSION]'
+check_args '1' "$#" 'USER [VERSION] [UPDATE]'
 is_format_valid 'user'
 is_number_format_valid "$version" "version"
 is_object_valid 'user' 'USER' "$user"
@@ -50,6 +51,10 @@ COMPOSER_DIR="$HOMEDIR/$user/.composer"
 COMPOSER_BIN="$COMPOSER_DIR/composer"
 
 if [ -f "$COMPOSER_BIN" ]; then
+	if [ -f "$update" ]; then
+		user_exec $COMPOSER_BIN selfupdate
+		exit
+	fi
 	echo "Composer already available"
 	exit
 fi

diff --git a/bin/v-add-user-wp-cli b/bin/v-add-user-wp-cli
@@ -12,6 +12,7 @@
 
 # Argument definition
 user=$1
+update=$2
 
 if [ -z "$HESTIA" ]; then
 	HESTIA="/usr/local/hestia"
@@ -28,7 +29,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '1' "$#" 'USER'
+check_args '1' "$#" 'USER [UPDATE]'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -44,6 +45,10 @@ WPCLI_DIR="/home/$user/.wp-cli"
 WPCLI_BIN="$WPCLI_DIR/wp"
 
 if [ -f "$WPCLI_BIN" ]; then
+	if [ -f "$update" ]; then
+		user_exec $WPCLI_BIN cli update --yes
+		exit
+	fi
 	check_result "$E_EXISTS" "For user name '$user' WP-CLI already available!"
 	exit
 fi

diff --git a/bin/v-add-web-domain b/bin/v-add-web-domain
@@ -204,6 +204,9 @@ if [ -n "$PROXY_SYSTEM" ]; then
 		PROXY_EXT="$PROXY_EXT,7z,bz2,gz,rar,tar,tgz,zip"
 		# Binaries
 		PROXY_EXT="$PROXY_EXT,apk,appx,bin,dmg,exe,img,iso,jar,msi"
+		# Other
+		PROXY_EXT="$PROXY_EXT,webmanifest"
+
 	fi
 	if [ -z "$PROXY_TEMPLATE" ]; then
 		PROXY_TEMPLATE='default'

diff --git a/bin/v-add-web-domain-alias b/bin/v-add-web-domain-alias
@@ -5,7 +5,7 @@
 # example: v-add-web-domain-alias admin acme.com www.acme.com yes
 #
 # This function adds one or more aliases to a domain (it is also called
-# "domain parking"). This function supports wildcards *.domain.tpl.
+# "domain parking"). This function supports wildcards <*.domain.tld>.
 
 #----------------------------------------------------------#
 #                Variables & Functions                     #

diff --git a/bin/v-add-web-php b/bin/v-add-web-php
@@ -50,7 +50,7 @@ fi
 # Check if php version is supported
 if [[ ! "$multiphp_v" =~ $version ]]; then
 	echo "ERROR: Specified PHP version is not supported or does not exist."
-	exit "$E_INVALID";
+	exit "$E_INVALID"
 fi
 
 # Perform verification if read-only mode is enabled
@@ -131,7 +131,7 @@ update-rc.d php$version-fpm defaults > /dev/null 2>&1
 v_tpl=${version//./}
 rm -f /etc/php/$version/fpm/pool.d/*
 cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
-sed -i "s/9999/99$v_tpl/g" /etc/php/$version/fpm/pool.d/dummy.conf
+sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
 cp -f $HESTIA_INSTALL_DIR/php-fpm/php-fpm.conf /etc/php/$version/fpm/
 sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 

diff --git a/bin/v-change-domain-owner b/bin/v-change-domain-owner
@@ -98,11 +98,10 @@ if [ -n "$web_data" ]; then
 		ssl_key=$HESTIA/data/users/$owner/ssl/$domain.key
 		ssl_ca=$HESTIA/data/users/$owner/ssl/$domain.ca
 		ssl_pem=$HESTIA/data/users/$owner/ssl/$domain.pem
-		mv $ssl_crt $HESTIA/data/users/$user/ssl/
-		mv $ssl_key $HESTIA/data/users/$user/ssl/
-		mv $ssl_ca $HESTIA/data/users/$user/ssl/ >> /dev/null 2>&1
-		mv $ssl_pem $HESTIA/data/users/$user/ssl/ >> /dev/null 2>&1
-		rm -f $HOMEDIR/$owner/conf/web/ssl.$domain.*
+		cp $ssl_crt $HESTIA/data/users/$user/ssl/
+		cp $ssl_key $HESTIA/data/users/$user/ssl/
+		cp $ssl_ca $HESTIA/data/users/$user/ssl/ >> /dev/null 2>&1
+		cp $ssl_pem $HESTIA/data/users/$user/ssl/ >> /dev/null 2>&1
 	fi
 
 	# Check ftp user account
@@ -124,6 +123,15 @@ if [ -n "$web_data" ]; then
 	find "$HOMEDIR/$user/web/$domain" -user "$owner" \
 		-exec chown -h $user:$user {} \;
 
+	if [ "$SSL" = 'yes' ]; then
+		sleep 10
+		rm $ssl_crt
+		rm $ssl_key
+		rm $ssl_ca > /dev/null 2>&1
+		rm $ssl_pem > /dev/null 2>&1
+		rm -f $HOMEDIR/$owner/conf/web/ssl.$domain.*
+	fi
+
 	# Rebuild config
 	$BIN/v-unsuspend-web-domain "$user" "$domain" no >> /dev/null 2>&1
 	$BIN/v-rebuild-web-domains "$owner" no

diff --git a/bin/v-change-sys-hostname b/bin/v-change-sys-hostname
@@ -35,37 +35,60 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-hostname "$domain"
+current_hostname="$(hostname)"
+if [[ "$current_hostname" == "$domain" ]]; then
+        echo "Current hostname \"$current_hostname\" is the same as the new one you want to use"
+        echo "I'm not going to change it"
+        exit
+fi
 
+hostname "$domain"
 if [ -d "/etc/sysconfig" ]; then
-	# RHEL/CentOS/Amazon
-	touch /etc/sysconfig/network
-	if [ -z "$(grep HOSTNAME /etc/sysconfig/network)" ]; then
-		echo "HOSTNAME='$domain'" >> /etc/sysconfig/network
-	else
-		sed -i "s/HOSTNAME=.*/HOSTNAME='$domain'/" /etc/sysconfig/network
-	fi
+        # RHEL/CentOS/Amazon
+        touch /etc/sysconfig/network
+        if [ -z "$(grep HOSTNAME /etc/sysconfig/network)" ]; then
+                echo "HOSTNAME='$domain'" >>/etc/sysconfig/network
+        else
+                sed -i "s/HOSTNAME=.*/HOSTNAME='$domain'/" /etc/sysconfig/network
+        fi
 else
-	# Debian/Ubuntu
-	hostnamectl set-hostname "$domain"
-	echo "$domain" > /etc/hostname
+        # Debian/Ubuntu
+        hostnamectl set-hostname "$domain"
+        echo "$domain" >/etc/hostname
 fi
 
-# Update Roundcube password plugin configuration
+# Update webmail's password plugin configuration
 if [ -d /etc/roundcube/ ]; then
-	sed -i "/password_hestia_host/c\$rcmail_config['password_hestia_host'] = '$domain';" /etc/roundcube/plugins/password/config.inc.php
+        sed -i "/password_hestia_host/c\$rcmail_config['password_hestia_host'] = '$domain';" /etc/roundcube/plugins/password/config.inc.php
 fi
 if [ -d /etc/rainloop/ ]; then
-	sed -i "/hestia_host/c\hestia_host = \"$domain\"" /etc/rainloop/data/_data_/_default_/configs/plugin-hestia-change-password.ini
+        sed -i "/hestia_host/c\hestia_host = \"$domain\"" /etc/rainloop/data/_data_/_default_/configs/plugin-hestia-change-password.ini
 fi
 if [ -d /etc/snappymail/ ]; then
-	sed -i "/\"hestia_host\":/c\\\"hestia_host\": \"$domain\"," /etc/snappymail/data/_data_/_default_/configs/plugin-change-password.json
+        sed -i "/\"hestia_host\":/c\\\"hestia_host\": \"$domain\"," /etc/snappymail/data/_data_/_default_/configs/plugin-change-password.json
 fi
 
+# Update /etc/hosts
 if [ -f /etc/hosts ]; then
-	if ! cat /etc/hosts | grep $domain > /dev/null; then
-		echo "127.0.0.1 $domain" >> /etc/hosts
-	fi
+        if grep -q -E "^127\.0\.0\.1\s{1,}${current_hostname}$" /etc/hosts; then
+                sed -i -E "s/127\.0\.0\.1\s{1,}${current_hostname}/127\.0\.0\.1 ${domain}/" /etc/hosts
+        else
+                echo "127.0.0.1 $domain" >>/etc/hosts
+        fi
+        # Check whether hostname entries are duplicated and remove all but the last one
+        ndup_hosts="$(grep -c -E "^127\.0\.0\.1\s{1,}${domain}$" /etc/hosts)"
+        if [[ "${ndup_hosts}" -gt "1" ]]; then
+                nlines_to_del="$((ndup_hosts - 1))"
+                lines_to_del="$(grep -n -E "^127\.0\.0\.1\s{1,}${domain}$" /etc/hosts | head -n${nlines_to_del} | awk -F ':' '{print $1}')"
+                for i in $lines_to_del; do
+                        if [[ -z $list_lines ]]; then
+                                list_lines="${i}d"
+                        else
+                                list_lines+=";${i}d"
+                        fi
+                done
+                sed -i "${list_lines}" /etc/hosts
+        fi
 fi
 
 #----------------------------------------------------------#

diff --git a/bin/v-list-sys-services b/bin/v-list-sys-services
@@ -87,12 +87,14 @@ get_srv_state() {
 
 	# Searching related pids
 	if [ -z $3 ]; then
-		pids=$(pidof -d '|' $name)
+		pids=$(pidof $name | tr ' ' '|')
 	else
-		pids=$(pidof -d '|' -x $name)
+		pids=$(pidof -x $name | tr ' ' '|')
 	fi
+	used_pgrep=0
 	if [ -z "$pids" ] && [ "$name" != 'nginx' ]; then
 		pids=$(pgrep $name | tr '\n' '|')
+		used_pgrep=1
 	fi
 
 	# Prevent from an SSH false positive when there is a TTY or SFTP connection but service is down
@@ -102,7 +104,11 @@ get_srv_state() {
 
 	# Checking pid
 	if [ -n "$pids" ]; then
-		pid=$(echo "$pids" | awk -F '|' '{print $NF}')
+		if [[ "$used_pgrep" -eq 1 ]]; then
+			pid=$(echo "$pids" | awk -F '|' '{print $1}')
+		else
+			pid=$(echo "$pids" | awk -F '|' '{print $NF}')
+		fi
 		pids=${pids%|}
 		pids=$(egrep "$pids" $tmp_file)
 

diff --git a/bin/v-update-sys-hestia-git b/bin/v-update-sys-hestia-git
@@ -21,7 +21,7 @@ source $HESTIA/func/main.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 # define NodeJS version for download (required for building JS/CSS)
-nodejs_ver="20"
+NODE_MAJOR=20
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
@@ -30,7 +30,10 @@ check_hestia_demo_mode
 if [ -z $(which "node") ]; then
 	read -p "NodeJS not found. Install now to proceed? [Y/n] " answer
 	if [ "$answer" = 'y' ] || [ "$answer" = 'Y' ]; then
-		curl -fsSL "https://deb.nodesource.com/setup_$nodejs_ver.x" | bash - &&\
+		sudo mkdir -p /etc/apt/keyrings
+		curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+
+		echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list
 		sudo apt-get install -y nodejs
 	else
 		exit 0
@@ -308,7 +311,7 @@ mkdir -p $BUILD_DIR_HESTIA/usr/local/hestia
 # Move needed directories
 cd $BUILD_DIR/hestiacp-$branch_dash
 
-npm install
+npm ci
 npm run build
 
 cp -rf bin func install web $BUILD_DIR_HESTIA/usr/local/hestia/