security fix: CP-21: Websites – Create Website

Author: usmannasir

CyberCP/secMiddleware.py

@@ -80,7 +80,7 @@ def __call__(self, request):
                             or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
                             or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
                         continue
-                    if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+                    if value.find('- -') > -1 or value.find('\n') > -1 or  value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
                             or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
                             or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
                             or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:

websiteFunctions/website.py

@@ -1813,7 +1813,7 @@ def installWordpressStatus(self, userID=None, data=None):
             statusFile = data['statusFile']
 
             if (statusFile[:16] == "/home/cyberpanel" or statusFile[:4] == '/tmp' or statusFile[:18] == '/usr/local/CyberCP') \
-                    and statusFile != '/usr/local/CyberCP/CyberCP/settings.py' and statusFile.find('..') == -1:
+                    and statusFile != '/usr/local/CyberCP/CyberCP/settings.py' and statusFile.find('..') == -1 and statusFile != '/home/cyberpanel/.my.cnf':
                 pass
             else:
                 data_ret = {'abort': 1, 'installStatus': 0, 'installationProgress': "100",