[BUG] Any random hestiacp user (admin or not) can make nginx crash just by adding a wrong new domain #2055
Comments
As discussed on Discord it is indeed a bug
Same happened to me this week. A user copied a domain name from somewhere, and it looked fine. Then the whole server crashed, as there was some kind of invisible character in the copied domain name. He actually crashed my server twice, as the character was invisible to him, so he did not understand what he did wrong... Hestia web did not show the domain lists afterwards and some invalid directories were made, showing the domain name as "piemers.\342\200\213lv". IDN must be accepted, though, so please do not filter out all non-latin characters...
There is also a bug in: Line 659 in a2845d4
".." will be treated literally instead of as a regex; code changed that part. The restore part after failing to add a domain should be fixed anyway..
Hello,
Could you elaborate, please?
Currently domain..nu is valid. After we merge the new code it will be invalid..
I tried replacing "/./." by ".." and it detects jaap..nl as invalid, so that could resolve the case of an invalid domain containing ".."
The main issue is still present: with a buggy template it still kills nginx / apache2; we still need to solve this part..
check_result already contains an exit. Need to investigate the bug more...
Another option to break HestiaCP is to use an IDN in the domain alias field.
Please create a new issue for this one. The other one needs to be patched in the long term
Describe the bug
It seems that hestia cp doesn't check new provided nginx configuration validity before restarting it.
Even if a check is made (cf
hestiacp/bin/v-restart-web
Line 58 in 0ac3db8
which results in errors like this:
So an error in the nginx conf can make all the server unavailable because nginx failed to restart.
cp panel, and all websites on the server unavailable because of one user.
To Reproduce
test..com (<- notice 2 dots here)
Expected behavior
hestiacp/bin/v-restart-web
Line 60 in 0ac3db8
hestiacp/bin/v-restart-web
Line 61 in 0ac3db8
Screenshots
Operating system:
Debian 10
Hestia Control Panel version:
hestia 1.4.9 and 1.4.10
only nginx + php-fpm (no apache)
Additional Context
systemctl status nginx.service
result
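Added example, not part of the original thread and not HestiaCP's own code: a domain check that rejects both inputs reported above (empty labels such as `test..com`, and the zero-width space U+200B that appears as `\342\200\213` in the directory name) while still accepting IDN. The function names are hypothetical. It assumes Python's built-in `idna` codec (IDNA 2003) is acceptable, and it conservatively refuses every control, format and space character, including zero-width joiners.

```python
import re
import unicodedata

# Letters, digits, hyphen; no leading or trailing hyphen (applied after punycode).
LDH_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def validate_domain(name: str) -> str:
    """Return the lowercase ASCII (punycode) form of name or raise ValueError."""
    # 1. Refuse invisible input on the raw string. Python's built-in "idna"
    #    codec (IDNA 2003) would silently drop U+200B instead of rejecting it.
    for ch in name:
        if unicodedata.category(ch)[0] in "CZ":  # control/format/space classes
            raise ValueError(f"non-printing character U+{ord(ch):04X}")

    # 2. Refuse empty labels: "test..com", ".com", "example.com."
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError("empty label or missing TLD")

    # 3. Convert each label to ASCII, then apply the hostname rules.
    ascii_labels = []
    for label in labels:
        try:
            ascii_label = label.encode("idna").decode("ascii").lower()
        except UnicodeError as exc:
            raise ValueError(f"label {label!r} is not valid IDNA") from exc
        if not LDH_LABEL.fullmatch(ascii_label):
            raise ValueError(f"label {label!r} is not a valid hostname label")
        ascii_labels.append(ascii_label)

    ascii_name = ".".join(ascii_labels)
    if len(ascii_name) > 253:
        raise ValueError("name longer than 253 octets")
    return ascii_name


def is_valid_domain(name: str) -> bool:
    try:
        validate_domain(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples; three of them repeat names quoted in the thread.
    for sample in ["bücher.example", "test..com", "piemers.\u200blv", "jaap..nl"]:
        print(repr(sample), is_valid_domain(sample))
```

Storing and templating only the returned ASCII form keeps raw user bytes out of directory names and generated nginx configuration.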