Merge branch 'servicing' into release

hestiacp · Aug 24, 2023 · be83532 · be83532
2 parents b00de25 + 5b7bc22
commit be83532
Show file tree

Hide file tree

Showing 30 changed files with 429 additions and 434 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -41,7 +41,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
       - name: Setup Node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
         with:
           node-version: 16
 
@@ -59,7 +59,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
       - name: Setup Node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
         with:
           node-version: 16
 
@@ -77,7 +77,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
       - name: Setup Node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
         with:
           node-version: 16
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,28 @@ All notable changes to this project will be documented in this file.
 
 ## [1.8.5] - Service release
 
+### Features
+
+- Advertise auth only on localhost and TLS connections (#3935)
+- Added functionality to reset custom log. (#3952)
+
+### Security
+
+- Security patch for XSS in Edit server (#3946)
+
+### Bugfixes
+
+- Fixed an issue with v-generate-ssl-cert and IDN domains (#3942)
+- Add source_conf to the installers
+- Fixed White label Descriptions (#3952)
+- Update v-change-mail-domain-sslcert (#3920)
+- Improve v-list-sys-sshd-port to check custom ssh port (#3922)
+- Fixed Open PHPMyAdmin in new Window (#3196)
+- Add line breaks SSL Aliases / Allow purge cache via drop down (#3917)
+- Clarify Rclone instructions in docs (#3948)
+
+## [1.8.5] - Service release
+
 ### Bugfixes
 
 - Fixed an error that could occur when adding a new package (#3883)

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 <h2 align="center">A lightweight and powerful control panel for the modern web</h2>
 
-<p align="center"><strong>Latest stable release:</strong> Version 1.8.5 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
+<p align="center"><strong>Latest stable release:</strong> Version 1.8.6 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
 
 <p align="center">
 	<a href="https://www.hestiacp.com/">HestiaCP.com</a> |

diff --git a/bin/v-add-firewall-chain b/bin/v-add-firewall-chain
@@ -56,8 +56,8 @@ heal_iptables_links
 
 # Checking known chains
 case $chain in
-	SSH) # Get ssh port by reading ssh config file.
-		sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
+        SSH) # Get ssh port (or ports) using v-list-sys-sshd-port.
+                sshport="$($BIN/v-list-sys-sshd-port plain | sed ':a;N;$!ba;s/\n/,/g')"
 		if [ -z "$sshport" ]; then
 			sshport=22
 		fi

diff --git a/bin/v-change-mail-domain-sslcert b/bin/v-change-mail-domain-sslcert
@@ -13,7 +13,8 @@
 user=$1
 domain=$2
 domain_idn=$2
-restart=$3
+ssl_dir=$3
+restart=$4
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -40,7 +41,7 @@ is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'mail' 'DOMAIN' "$domain_idn"
 is_object_unsuspended 'mail' 'DOMAIN' "$domain_idn"
-is_object_value_empty 'mail' 'DOMAIN' "$domain_idn" '$SSL'
+is_object_value_exist 'mail' 'DOMAIN' "$domain_idn" '$SSL'
 is_web_domain_cert_valid
 
 # Perform verification if read-only mode is enabled

diff --git a/bin/v-generate-ssl-cert b/bin/v-generate-ssl-cert
@@ -62,7 +62,10 @@ shell_list_ssl() {
 # Additional argument formatting
 format_domain_idn
 if [[ "$email" = *[![:ascii:]]* ]]; then
-	email=$(idn2 --quiet $email)
+	local=$(echo "$email" | cut -f1 -d'@')
+	email_domain=$(echo "$email" | cut -f2 -d'@')
+	email_domain_idn=$(idn2 --quiet $email_domain)
+	email="$local"@"$email_domain_idn"
 fi
 
 #----------------------------------------------------------#

diff --git a/bin/v-list-sys-hestia-updates b/bin/v-list-sys-hestia-updates
@@ -102,7 +102,7 @@ else
 fi
 
 UPDATED='yes'
-if [ -n "$hesta_v" ] && [ "$hestia_v" \> "$VERSION" ]; then
+if [ -n "$hestia_v" ] && [ "$hestia_v" \> "$VERSION" ]; then
 	UPDATED='no'
 fi
 

diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -60,10 +60,11 @@ if [ $? -ne 0 ]; then
 	conntrack_ftp='no'
 fi
 
-# Checking custom OpenSSH  port
-sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
-if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
-	sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
+# Checking custom OpenSSH port (or ports)
+sshport="$($BIN/v-list-sys-sshd-port plain | sed ':a;N;$!ba;s/\n/,/g')"
+if echo "$sshport" | grep -E '^[0-9]+(,[0-9]+)*$' &>/dev/null; then
+        sed -i -E "s/(PORT=')[0-9]+(,[0-9]+)*('.*COMMENT='SSH')/\1$sshport\3/" $rules
+        sed -i "/CHAIN='SSH'/c\CHAIN='SSH' PORT='$sshport' PROTOCOL='TCP'" "$HESTIA/data/firewall/chains.conf"
 fi
 
 # Load ipset lists before adding Hestia iptables rules

diff --git a/bin/v-update-white-label-logo b/bin/v-update-white-label-logo
@@ -6,55 +6,58 @@
 #
 # Replace Hestia logos with User created logo's
 
-download=${1-no}
 #----------------------------------------------------------#
 #                Variables & Functions                     #
 #----------------------------------------------------------#
 
 # Argument definition
-restart=$1
-skip=$2
+download=${1-no}
+reset=${2-no}
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
 source /etc/hestiacp/hestia.conf
 # shellcheck source=/usr/local/hestia/func/main.sh
-source $HESTIA/func/main.sh
+source "$HESTIA/func/main.sh"
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
+if [ "$reset" = "yes" ]; then
+	rm -rf "$HESTIA/web/images/custom/"
+fi
+
 if [ -f "$HESTIA/web/images/custom/logo.svg" ]; then
-	cp -f $HESTIA/web/images/custom/logo.svg $HESTIA/web/images/logo.svg
+	cp -f "$HESTIA/web/images/custom/logo.svg" "$HESTIA/web/images/logo.svg"
 elif [ ! -f "$HESTIA/web/images/custom/logo.svg" ] && [ "$download" = "yes" ]; then
-	download_file https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo.svg $HESTIA/web/images/logo.svg
+	download_file "https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo.svg" "$HESTIA/web/images/logo.svg"
 fi
 
 if [ -f "$HESTIA/web/images/custom/logo.png" ]; then
-	cp -f $HESTIA/web/images/custom/logo.png $HESTIA/web/images/logo.png
+	cp -f $"HESTIA/web/images/custom/logo.png" "$HESTIA/web/images/logo.png"
 elif [ ! -f "$HESTIA/web/images/custom/logo.png" ] && [ "$download" = "yes" ]; then
-	download_file https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo.png $HESTIA/web/images/logo.png
+	download_file "https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo.png" "$HESTIA/web/images/logo.png"
 fi
 
 if [ -f "$HESTIA/web/images/custom/logo-header.svg" ]; then
-	cp -f $HESTIA/web/images/custom/logo-header.svg $HESTIA/web/images/logo-header.svg
+	cp -f "$HESTIA/web/images/custom/logo-header.svg" "$HESTIA/web/images/logo-header.svg"
 elif [ ! -f "$HESTIA/web/images/custom/logo-header.svg" ] && [ "$download" = "yes" ]; then
-	download_file https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo-header.svg $HESTIA/web/images/logo-header.svg
+	download_file "https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/logo-header.svg" "$HESTIA/web/images/logo-header.svg"
 fi
 
 if [ -f "$HESTIA/web/images/custom/favicon.png" ]; then
-	cp -f $HESTIA/web/images/custom/favicon.png $HESTIA/web/images/favicon.png
+	cp -f" $HESTIA/web/images/custom/favicon.png" "$HESTIA/web/images/favicon.png"
 elif [ ! -f "$HESTIA/web/images/custom/favicon.png" ] && [ "$download" = "yes" ]; then
-	download_file https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/favicon.png $HESTIA/web/images/favicon.png
+	download_file "https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/images/favicon.png" "$HESTIA/web/images/favicon.png"
 fi
 
 if [ -f "$HESTIA/web/images/custom/favicon.ico" ]; then
-	cp -f $HESTIA/web/images/custom/favicon.ico $HESTIA/web/favicon.ico
+	cp -f "$HESTIA/web/images/custom/favicon.ico" "$HESTIA/web/favicon.ico"
 elif [ ! -f "$HESTIA/web/images/custom/favicon.ico" ] && [ "$download" = "yes" ]; then
-	download_file https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/favicon.ico $HESTIA/web/favicon.ico
+	download_file "https://raw.githubusercontent.com/hestiacp/hestiacp/release/web/favicon.ico" "$HESTIA/web/favicon.ico"
 fi
 
 #----------------------------------------------------------#

diff --git a/docs/docs/server-administration/backup-restore.md b/docs/docs/server-administration/backup-restore.md
@@ -103,7 +103,7 @@ sudo -v
 curl https://rclone.org/install.sh | sudo bash
 ```
 
-Once the download and installation is complete, run `rclone config` and then `n`. Follow the instruction on the screen, then save when completed.
+Once the download and installation is complete, run `rclone config` as the `root` user and then select the option `n`. Follow the instruction on the screen, then save when completed.
 
 To verify if it is working run as intended:
 

diff --git a/docs/docs/server-administration/email.md b/docs/docs/server-administration/email.md
@@ -49,6 +49,32 @@ If you are unable to receive emails, make sure you have setup your DNS properly.
 
 When you are done you can check the configuration via [MXToolBox](https://mxtoolbox.com/MXLookup.aspx).
 
+## How do I disable internal lookup for email
+
+If you use an SMTP relay or want to use DKIM on your web server but host email on gmail you need to disable internal lookup in Exim4.
+
+```bash
+nano /etc/exim4/exim4.conf.template
+```
+
+```bash
+dnslookup:
+driver = dnslookup
+domains = !+local_domains
+transport = remote_smtp
+no_more
+```
+
+Replace with:
+
+```bash
+dnslookup:
+driver = dnslookup
+domains = *
+transport = remote_smtp
+no_more
+```
+
 ## How do I install SnappyMail?
 
 You can install SnappyMail by running the following command:

diff --git a/install/deb/exim/exim4.conf.4.94.template b/install/deb/exim/exim4.conf.4.94.template
@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

diff --git a/install/deb/exim/exim4.conf.4.95.template b/install/deb/exim/exim4.conf.4.95.template
@@ -67,6 +67,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

diff --git a/install/deb/exim/exim4.conf.template b/install/deb/exim/exim4.conf.template
@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.5'
+HESTIA_INSTALL_VER='1.8.6'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"
@@ -111,6 +111,19 @@ check_result() {
 	fi
 }
 
+# Source conf in installer
+source_conf() {
+	while IFS='= ' read -r lhs rhs; do
+		if [[ ! $lhs =~ ^\ *# && -n $lhs ]]; then
+			rhs="${rhs%%^\#*}" # Del in line right comments
+			rhs="${rhs%%*( )}" # Del trailing spaces
+			rhs="${rhs%\'*}"   # Del opening string quotes
+			rhs="${rhs#\'*}"   # Del closing string quotes
+			declare -g $lhs="$rhs"
+		fi
+	done < $1
+}
+
 # Defining function to set default value
 set_default_value() {
 	eval variable=\$$1

diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.5'
+HESTIA_INSTALL_VER='1.8.6'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"
@@ -111,6 +111,19 @@ check_result() {
 	fi
 }
 
+# Source conf in installer
+source_conf() {
+	while IFS='= ' read -r lhs rhs; do
+		if [[ ! $lhs =~ ^\ *# && -n $lhs ]]; then
+			rhs="${rhs%%^\#*}" # Del in line right comments
+			rhs="${rhs%%*( )}" # Del trailing spaces
+			rhs="${rhs%\'*}"   # Del opening string quotes
+			rhs="${rhs#\'*}"   # Del closing string quotes
+			declare -g $lhs="$rhs"
+		fi
+	done < $1
+}
+
 # Defining function to set default value
 set_default_value() {
 	eval variable=\$$1

diff --git a/install/upgrade/manual/disable-non-tls-auth.sh b/install/upgrade/manual/disable-non-tls-auth.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Modify Exim conf file (/etc/exim4/exim4.conf.template) to advertise AUTH only for localhost and TLS
+# connections, so we avoid that users send their passwords as clear text over the net.
+if ! grep -qw '^auth_advertise_hosts =' '/etc/exim4/exim4.conf.template'; then
+	echo '[ * ] Enable auth advertise for Exim only for localhost and TLS connections'
+	sed -i '/^tls_require_ciphers\s=\s.*/a auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}' '/etc/exim4/exim4.conf.template'
+	systemctl restart exim4
+fi
diff --git a/install/upgrade/versions/1.8.6.sh b/install/upgrade/versions/1.8.6.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.8.6
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### upgrade_config_set_value only accepts true or false.                    #######
+#######                                                                         #######
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'