diff --git a/api_keys.php b/api_keys.php
index 54e4f8098f..f29e97d6c3 100644
--- a/api_keys.php
+++ b/api_keys.php
@@ -70,7 +70,7 @@
), $id);
}
}
-} elseif ($action == 'add') {
+} elseif ($action == 'add' && isset($_POST['send']) && $_POST['send'] == 'send') {
$ins_stmt = Database::prepare("
INSERT INTO `" . TABLE_API_KEYS . "` SET
`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
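Review bot: The new guard on the `elseif` uses a loose comparison; since `$_POST['send']` is always a string when it is set, `$_POST['send'] === 'send'` states the intent exactly and sidesteps PHP's loose string/number comparison rules. The identical `isset($_POST['send']) && $_POST['send'] == 'send'` check is repeated in dns_editor.php and ssl_certificates.php in this commit, so a small shared helper next to `askYesNo` would keep the three in step. Note that `send=send` is a constant form value rather than a per-request token: it turns an accidental GET into a confirmation step, but is not by itself a CSRF defence, and whether `askYesNo` adds one cannot be seen from this hunk. An `add` request without `send` now falls through to whatever branches follow; the `if`/`elseif` chain continues outside the hunk.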
@@ -92,6 +92,10 @@
$success_message = $lng['apikeys']['apikey_added'];
} elseif ($action == 'jqEditApiKey') {
$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
+ if (empty($keyid)) {
+ echo json_encode(false);
+ exit;
+ }
$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;
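Review bot: `empty($keyid)` in the added guard only rejects 0, while the `(int)` cast on the line above still lets negative ids through; `if ($keyid <= 0) {` matches the `$id > 0` convention used by the delete branches elsewhere in this commit. Within the hunk the reply is a bare `echo json_encode(false); exit;` with no `Content-Type` header and a 200 status, so the client must tell a rejected id apart from a successful `false` result — a short comment such as `// invalid or missing id: answer JSON false so the client aborts the edit` would make that contract explicit. The enclosing `elseif` branch continues below the hunk.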
diff --git a/dns_editor.php b/dns_editor.php
index a5d25eacbf..293502cb51 100644
--- a/dns_editor.php
+++ b/dns_editor.php
@@ -58,15 +58,23 @@
// remove entry
$entry_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($entry_id > 0) {
- try {
- DomainZones::getLocal($userinfo, array(
- 'entry_id' => $entry_id,
- 'id' => $domain_id
- ))->delete();
- // success message (inline)
- $success_message = $lng['success']['dns_record_deleted'];
- } catch (Exception $e) {
- $errors = str_replace("\n", "
", $e->getMessage());
+ if (isset($_POST['send']) && $_POST['send'] == 'send') {
+ try {
+ DomainZones::getLocal($userinfo, array(
+ 'entry_id' => $entry_id,
+ 'id' => $domain_id
+ ))->delete();
+ // success message (inline)
+ $success_message = $lng['success']['dns_record_deleted'];
+ } catch (Exception $e) {
+ $errors = str_replace("\n", "
", $e->getMessage());
+ }
+ } else {
+ \Froxlor\UI\HTML::askYesNo('dnsentry_reallydelete', $filename, array(
+ 'page' => $page,
+ 'action' => $action,
+ 'id' => $id
+ ), $id);
}
}
}
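Review bot: The confirmation form passes `'id' => $id` and `$id` to `askYesNo`, but the entry being deleted in this block is `$entry_id` (read from `$_GET['id']` at the top of the hunk); unless `$id` is assigned earlier in the file, outside the hunk, the confirmation will not carry the entry id and the confirmed POST will then fail the `$entry_id > 0` check and delete nothing. The delete call also needs `$domain_id`, so if that value comes from the request the form must carry it as well. Suggested parameters: `'id' => $entry_id, 'domain_id' => $domain_id` with `$entry_id` as the final argument, the `domain_id` part to be confirmed against how `$domain_id` is populated above the hunk.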
diff --git a/index.php b/index.php
index d991d34581..7434badefd 100644
--- a/index.php
+++ b/index.php
@@ -425,159 +425,162 @@
}
}
- if ($result_stmt !== null) {
- $user = $result_stmt->fetch(PDO::FETCH_ASSOC);
-
- /* Check whether user is banned */
- if ($user['deactivated']) {
- \Froxlor\UI\Response::redirectTo('index.php', array(
- 'showmessage' => '8'
- ));
- exit();
+ $no_action = false;
+ if ($adminchecked) {
+ if (Settings::Get('panel.allow_preset_admin') != '1') {
+ $message = $lng['pwdreminder']['notallowed'];
+ unset($adminchecked);
+ }
+ } else {
+ if (Settings::Get('panel.allow_preset') != '1') {
+ $message = $lng['pwdreminder']['notallowed'];
}
+ }
- if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
- if ($user !== false) {
- // build a activation code
- $timestamp = time();
- $first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
- $third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
- $activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
-
- // Drop all existing activation codes for this user
- $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
- WHERE `userid` = :userid
- AND `admin` = :admin");
- $params = array(
- "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
- "admin" => $adminchecked ? 1 : 0
- );
- Database::pexecute($stmt, $params);
-
- // Add new activation code to database
- $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
- (userid, admin, creation, activationcode)
- VALUES (:userid, :admin, :creation, :activationcode)");
- $params = array(
- "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
- "admin" => $adminchecked ? 1 : 0,
- "creation" => $timestamp,
- "activationcode" => $activationcode
- );
- Database::pexecute($stmt, $params);
+ if (empty($message)) {
+ if ($result_stmt !== null) {
+ $user = $result_stmt->fetch(PDO::FETCH_ASSOC);
- $rstlog = FroxlorLogger::getInstanceOf(array(
- 'loginname' => 'password_reset'
- ));
- $rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
-
- // Set together our activation link
- $protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
- // this can be a fixed value to avoid potential exploiting by modifying headers
- $host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
- $port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
- // don't add :443 when https is used, as it is default (and just looks weird!)
- if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
- $port = '';
- }
- // there can be only one script to handle this so we can use a fixed value here
- $script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
- if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
- $script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
- }
- $activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
-
- $replace_arr = array(
- 'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user),
- 'NAME' => $user['name'],
- 'FIRSTNAME' => $user['firstname'] ?? "",
- 'COMPANY' => $user['company'] ?? "",
- 'CUSTOMER_NO' => $user['customernumber'] ?? 0,
- 'USERNAME' => $loginname,
- 'LINK' => $activationlink
- );
-
- $def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
- $result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
- WHERE `adminid`= :adminid
- AND `language`= :lang
- AND `templategroup`=\'mails\'
- AND `varname`=\'password_reset_subject\'');
- Database::pexecute($result_stmt, array(
- "adminid" => $user['adminid'],
- "lang" => $def_language
- ));
- $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
- $mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
-
- $result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
- WHERE `adminid`= :adminid
- AND `language`= :lang
- AND `templategroup`=\'mails\'
- AND `varname`=\'password_reset_mailbody\'');
- Database::pexecute($result_stmt, array(
- "adminid" => $user['adminid'],
- "lang" => $def_language
+ /* Check whether user is banned */
+ if ($user['deactivated']) {
+ \Froxlor\UI\Response::redirectTo('index.php', array(
+ 'showmessage' => '8'
));
- $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
- $mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
+ exit();
+ }
- $_mailerror = false;
- $mailerr_msg = "";
- try {
- $mail->Subject = $mail_subject;
- $mail->AltBody = $mail_body;
- $mail->MsgHTML(str_replace("\n", "
", $mail_body));
- $mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
- $mail->Send();
- } catch (\PHPMailer\PHPMailer\Exception $e) {
- $mailerr_msg = $e->errorMessage();
- $_mailerror = true;
- } catch (Exception $e) {
- $mailerr_msg = $e->getMessage();
- $_mailerror = true;
- }
+ if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
+ if ($user !== false) {
+ // build a activation code
+ $timestamp = time();
+ $first = substr(md5($user['loginname'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), 0, 15);
+ $third = substr(md5($user['email'] . $timestamp . \Froxlor\PhpHelper::randomStr(16)), - 15);
+ $activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
+
+ // Drop all existing activation codes for this user
+ $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`
+ WHERE `userid` = :userid
+ AND `admin` = :admin");
+ $params = array(
+ "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
+ "admin" => $adminchecked ? 1 : 0
+ );
+ Database::pexecute($stmt, $params);
+
+ // Add new activation code to database
+ $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_ACTIVATION . "`
+ (userid, admin, creation, activationcode)
+ VALUES (:userid, :admin, :creation, :activationcode)");
+ $params = array(
+ "userid" => $adminchecked ? $user['adminid'] : $user['customerid'],
+ "admin" => $adminchecked ? 1 : 0,
+ "creation" => $timestamp,
+ "activationcode" => $activationcode
+ );
+ Database::pexecute($stmt, $params);
- if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'password_reset'
));
- $rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
+ $rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $user['loginname'] . "' requested a link for setting a new password.");
+
+ // Set together our activation link
+ $protocol = empty($_SERVER['HTTPS']) ? 'http' : 'https';
+ // this can be a fixed value to avoid potential exploiting by modifying headers
+ $host = Settings::Get('system.hostname'); // $_SERVER['HTTP_HOST'];
+ $port = $_SERVER['SERVER_PORT'] != 80 ? ':' . $_SERVER['SERVER_PORT'] : '';
+ // don't add :443 when https is used, as it is default (and just looks weird!)
+ if ($protocol == 'https' && $_SERVER['SERVER_PORT'] == '443') {
+ $port = '';
+ }
+ // there can be only one script to handle this so we can use a fixed value here
+ $script = "/index.php"; // $_SERVER['SCRIPT_NAME'];
+ if (Settings::Get('system.froxlordirectlyviahostname') == 0) {
+ $script = \Froxlor\FileDir::makeCorrectFile("/" . basename(__DIR__) . "/" . $script);
+ }
+ $activationlink = $protocol . '://' . $host . $port . $script . '?action=resetpwd&resetcode=' . $activationcode;
+
+ $replace_arr = array(
+ 'SALUTATION' => \Froxlor\User::getCorrectUserSalutation($user),
+ 'NAME' => $user['name'],
+ 'FIRSTNAME' => $user['firstname'] ?? "",
+ 'COMPANY' => $user['company'] ?? "",
+ 'CUSTOMER_NO' => $user['customernumber'] ?? 0,
+ 'USERNAME' => $loginname,
+ 'LINK' => $activationlink
+ );
+
+ $def_language = ($user['def_language'] != '') ? $user['def_language'] : Settings::Get('panel.standardlanguage');
+ $result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
+ WHERE `adminid`= :adminid
+ AND `language`= :lang
+ AND `templategroup`=\'mails\'
+ AND `varname`=\'password_reset_subject\'');
+ Database::pexecute($result_stmt, array(
+ "adminid" => $user['adminid'],
+ "lang" => $def_language
+ ));
+ $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
+ $mail_subject = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['subject']), $replace_arr));
+
+ $result_stmt = Database::prepare('SELECT `value` FROM `' . TABLE_PANEL_TEMPLATES . '`
+ WHERE `adminid`= :adminid
+ AND `language`= :lang
+ AND `templategroup`=\'mails\'
+ AND `varname`=\'password_reset_mailbody\'');
+ Database::pexecute($result_stmt, array(
+ "adminid" => $user['adminid'],
+ "lang" => $def_language
+ ));
+ $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
+ $mail_body = html_entity_decode(\Froxlor\PhpHelper::replaceVariables((($result['value'] != '') ? $result['value'] : $lng['mails']['password_reset']['mailbody']), $replace_arr));
+
+ $_mailerror = false;
+ $mailerr_msg = "";
+ try {
+ $mail->Subject = $mail_subject;
+ $mail->AltBody = $mail_body;
+ $mail->MsgHTML(str_replace("\n", "
", $mail_body));
+ $mail->AddAddress($user['email'], \Froxlor\User::getCorrectUserSalutation($user));
+ $mail->Send();
+ } catch (\PHPMailer\PHPMailer\Exception $e) {
+ $mailerr_msg = $e->errorMessage();
+ $_mailerror = true;
+ } catch (Exception $e) {
+ $mailerr_msg = $e->getMessage();
+ $_mailerror = true;
+ }
+
+ if ($_mailerror) {
+ $rstlog = FroxlorLogger::getInstanceOf(array(
+ 'loginname' => 'password_reset'
+ ));
+ $rstlog->logAction(\Froxlor\FroxlorLogger::ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
+ \Froxlor\UI\Response::redirectTo('index.php', array(
+ 'showmessage' => '4',
+ 'customermail' => $user['email']
+ ));
+ exit();
+ }
+
+ $mail->ClearAddresses();
\Froxlor\UI\Response::redirectTo('index.php', array(
- 'showmessage' => '4',
- 'customermail' => $user['email']
+ 'showmessage' => '1'
));
exit();
+ } else {
+ $rstlog = FroxlorLogger::getInstanceOf(array(
+ 'loginname' => 'password_reset'
+ ));
+ $rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
+ $message = $lng['login']['combination_not_found'];
}
- $mail->ClearAddresses();
- \Froxlor\UI\Response::redirectTo('index.php', array(
- 'showmessage' => '1'
- ));
- exit();
- } else {
- $rstlog = FroxlorLogger::getInstanceOf(array(
- 'loginname' => 'password_reset'
- ));
- $rstlog->logAction(\Froxlor\FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
- $message = $lng['login']['combination_not_found'];
+ unset($user);
}
-
- unset($user);
+ } else {
+ $message = $lng['login']['usernotfound'];
}
- } else {
- $message = $lng['login']['usernotfound'];
- }
- }
-
- if ($adminchecked) {
- if (Settings::Get('panel.allow_preset_admin') != '1') {
- $message = $lng['pwdreminder']['notallowed'];
- unset($adminchecked);
- }
- } else {
- if (Settings::Get('panel.allow_preset') != '1') {
- $message = $lng['pwdreminder']['notallowed'];
}
}
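Review bot: `$no_action = false;` at the top of the new code is assigned but never read anywhere in the hunk; it should be dropped or used. With the `allow_preset`/`allow_preset_admin` check now performed before the lookup and gating the whole block via `if (empty($message))`, the inner `if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false)` re-tests the same setting and can be reduced to `if ($user !== false)`, removing one level of nesting. Using `empty($message)` as the gate also means any `$message` set earlier in the surrounding code (outside this hunk) silently suppresses the reset without a log entry — worth a comment, e.g. `// only proceed when no error message has been set so far (preset not allowed, etc.)`. The enclosing block begins and ends outside the hunk.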
diff --git a/lib/Froxlor/Settings/Store.php b/lib/Froxlor/Settings/Store.php
index d19328f1f0..0b595aa31b 100644
--- a/lib/Froxlor/Settings/Store.php
+++ b/lib/Froxlor/Settings/Store.php
@@ -1,4 +1,5 @@
0) {
$defaultips_new = explode(',', $newfieldvalue);
- if (! empty($defaultips_old) && ! empty($newfieldvalue)) {
+ if (!empty($defaultips_old) && !empty($newfieldvalue)) {
$in_value = $defaultips_old . ", " . $newfieldvalue;
- } elseif (! empty($defaultips_old) && empty($newfieldvalue)) {
+ } elseif (!empty($defaultips_old) && empty($newfieldvalue)) {
$in_value = $defaultips_old;
} else {
$in_value = $newfieldvalue;
@@ -280,11 +281,11 @@ public static function storeSettingMysqlAccessHost($fieldname, $fielddata, $newf
if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'mysql_access_host') {
$mysql_access_host_array = array_map('trim', explode(',', $newfieldvalue));
- if (in_array('127.0.0.1', $mysql_access_host_array) && ! in_array('localhost', $mysql_access_host_array)) {
+ if (in_array('127.0.0.1', $mysql_access_host_array) && !in_array('localhost', $mysql_access_host_array)) {
$mysql_access_host_array[] = 'localhost';
}
- if (! in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
+ if (!in_array('127.0.0.1', $mysql_access_host_array) && in_array('localhost', $mysql_access_host_array)) {
$mysql_access_host_array[] = '127.0.0.1';
}
@@ -306,8 +307,8 @@ public static function storeSettingMysqlAccessHost($fieldname, $fielddata, $newf
private static function cleanMySQLAccessHost($value)
{
- if (substr($value, 0, 1) == '[' && substr($value, - 1) == ']') {
- return substr($value, 1, - 1);
+ if (substr($value, 0, 1) == '[' && substr($value, -1) == ']') {
+ return substr($value, 1, -1);
}
return $value;
}
@@ -370,66 +371,85 @@ public static function storeSettingWebserverFcgidFpmUser($fieldname, $fielddata,
}
public static function storeSettingImage($fieldname, $fielddata)
- {
- if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
- $save_to = null;
- $path = \Froxlor\Froxlor::getInstallDir().'/img/';
- $path = \Froxlor\FileDir::makeCorrectDir($path);
-
- // New file?
- if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) {
- // Make sure upload directory exists
- if (!is_dir($path) && !mkdir($path, 0775)) {
- throw new \Exception("img directory does not exist and cannot be created");
- }
-
- // Make sure we can write to the upload directory
- if (!is_writable($path)) {
- if (!chmod($path, 0775)) {
- throw new \Exception("Cannot write to img directory");
- }
- }
-
- // Make sure mime-type matches an image
- if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
- throw new \Exception("Uploaded file not a valid image");
- }
-
- // Determine file extension
- $spl = explode('.', $_FILES[$fieldname]['name']);
- $file_extension = strtolower(array_pop($spl));
- unset($spl);
-
- // Move file
- if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path.$fielddata['image_name'].'.'.$file_extension)) {
- throw new \Exception("Unable to save image to img folder");
- }
-
- $save_to = 'img/'.$fielddata['image_name'].'.'.$file_extension.'?v='.time();
- }
-
- // Delete file?
- if ($fielddata['value'] !== "" && array_key_exists($fieldname.'_delete', $_POST) && $_POST[$fieldname.'_delete']) {
- @unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
- $save_to = '';
- }
-
- // Nothing changed
- if ($save_to === null) {
- return array(
- $fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value']
- );
- }
-
- if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) {
- return false;
- }
-
- return array(
- $fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to
- );
- }
-
- return false;
- }
+ {
+ if (isset($fielddata['settinggroup'], $fielddata['varname']) && is_array($fielddata) && $fielddata['settinggroup'] !== '' && $fielddata['varname'] !== '') {
+ $save_to = null;
+ $path = \Froxlor\Froxlor::getInstallDir() . '/img/';
+ $path = \Froxlor\FileDir::makeCorrectDir($path);
+
+ // New file?
+ if (isset($_FILES[$fieldname]) && $_FILES[$fieldname]['tmp_name']) {
+ // Make sure upload directory exists
+ if (!is_dir($path) && !mkdir($path, 0775)) {
+ throw new \Exception("img directory does not exist and cannot be created");
+ }
+
+ // Make sure we can write to the upload directory
+ if (!is_writable($path)) {
+ if (!chmod($path, 0775)) {
+ throw new \Exception("Cannot write to img directory");
+ }
+ }
+
+ // Make sure mime-type matches an image
+ if (function_exists('finfo_open')) {
+ $finfo = finfo_open(FILEINFO_MIME_TYPE);
+ $mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
+ finfo_close($finfo);
+ } else {
+ $mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
+ }
+ if (empty($mimetype)) {
+ $mimetype = 'application/octet-stream';
+ }
+ if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
+ throw new \Exception("Uploaded file is not a valid image");
+ }
+
+ // Determine file extension
+ $spl = explode('.', $_FILES[$fieldname]['name']);
+ $file_extension = strtolower(array_pop($spl));
+ unset($spl);
+
+ if (!in_array($file_extension, [
+ 'jpeg',
+ 'jpg',
+ 'png',
+ 'gif'
+ ])) {
+ throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
+ }
+
+ // Move file
+ if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
+ throw new \Exception("Unable to save image to img folder");
+ }
+
+ $save_to = 'img/' . $fielddata['image_name'] . '.' . $file_extension . '?v=' . time();
+ }
+
+ // Delete file?
+ if ($fielddata['value'] !== "" && array_key_exists($fieldname . '_delete', $_POST) && $_POST[$fieldname . '_delete']) {
+ @unlink(\Froxlor\Froxlor::getInstallDir() . '/' . explode('?', $fielddata['value'], 2)[0]);
+ $save_to = '';
+ }
+
+ // Nothing changed
+ if ($save_to === null) {
+ return array(
+ $fielddata['settinggroup'] . '.' . $fielddata['varname'] => $fielddata['value']
+ );
+ }
+
+ if (Settings::Set($fielddata['settinggroup'] . '.' . $fielddata['varname'], $save_to) === false) {
+ return false;
+ }
+
+ return array(
+ $fielddata['settinggroup'] . '.' . $fielddata['varname'] => $save_to
+ );
+ }
+
+ return false;
+ }
}
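Review bot: The new extension check throws `new Exception(...)` without a leading backslash while every other throw in this method uses `\Exception`; in the namespaced `lib/Froxlor/Settings/Store.php` that resolves to a class in the file's own namespace and, unless a `use Exception;` import exists outside the hunk, an invalid extension would produce a "class not found" fatal instead of the intended error — use `throw new \Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");`. Both whitelist checks should pass `strict: true` to `in_array` (`in_array($mimetype, [...], true)` and `in_array($file_extension, [...], true)`). `finfo_open()` can return `false`, in which case `finfo_file(false, ...)` raises a TypeError on PHP 8; guarding with `if ($finfo !== false)` before the call and falling back to `mime_content_type` keeps the existing fallback path meaningful.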
diff --git a/lib/init.php b/lib/init.php
index 0448a244b9..83af9d6652 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -59,7 +59,7 @@
// Inline-JS is no longer allowed and used
// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
-$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';";
+$csp_content = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
header("Content-Security-Policy: " . $csp_content);
header("X-Content-Security-Policy: " . $csp_content);
header("X-WebKit-CSP: " . $csp_content);
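Review bot: `object-src 'self'` still permits same-origin plugin content; when the panel does not embed `<object>`/`<embed>` resources itself — which cannot be verified from this hunk — `object-src 'none'` is the tighter and conventional setting. `frame-ancestors 'self'` is the right addition for clickjacking protection; if the panel does not already emit `X-Frame-Options: SAMEORIGIN` elsewhere, sending it alongside keeps older browsers covered. `base-uri 'self'` and `form-action 'self'` would also be natural additions to a `default-src 'self'` policy, and the two prefixed `X-Content-Security-Policy`/`X-WebKit-CSP` headers that repeat the policy are legacy variants that modern browsers ignore.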
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 5b6907acc7..f79249e83d 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2140,4 +2140,6 @@
$lng['serversettings']['acmeshpath']['title'] = 'Path to acme.sh';
$lng['serversettings']['acmeshpath']['description'] = 'Set this to where acme.sh is installed to, including the acme.sh script
Default is /root/.acme.sh/acme.sh';
-$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
\ No newline at end of file
+$lng['question']['api_reallydelete'] = 'Do you really want to delete the api-key #%d?';
+$lng['question']['dnsentry_reallydelete'] = 'Do you really want to delete the dns entry #%d?';
+$lng['question']['certificate_reallydelete'] = 'Do you really want to delete the certificate #%d?';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 53b29d684e..e094bf5969 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1787,3 +1787,5 @@
$lng['serversettings']['acmeshpath']['description'] = 'Installationspfad zu acme.sh, inklusive acme.sh Script
Standard ist /root/.acme.sh/acme.sh';
$lng['question']['api_reallydelete'] = 'Api-Key #%d wirklich löschen?';
+$lng['question']['dnsentry_reallydelete'] = 'Zonen-Eintrag #%d wirklich löschen?';
+$lng['question']['certificate_reallydelete'] = 'Zertifikat #%d wirklich löschen?';
diff --git a/ssl_certificates.php b/ssl_certificates.php
index cdc0b67d81..5d22e71a2e 100644
--- a/ssl_certificates.php
+++ b/ssl_certificates.php
@@ -31,13 +31,21 @@
if ($action == 'delete') {
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id > 0) {
- try {
- $json_result = Certificates::getLocal($userinfo, array(
+ if (isset($_POST['send']) && $_POST['send'] == 'send') {
+ try {
+ $json_result = Certificates::getLocal($userinfo, array(
+ 'id' => $id
+ ))->delete();
+ $success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
+ } catch (Exception $e) {
+ \Froxlor\UI\Response::dynamic_error($e->getMessage());
+ }
+ } else {
+ \Froxlor\UI\HTML::askYesNo('certificate_reallydelete', $filename, array(
+ 'page' => $page,
+ 'action' => $action,
'id' => $id
- ))->delete();
- $success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
- } catch (Exception $e) {
- \Froxlor\UI\Response::dynamic_error($e->getMessage());
+ ), $id);
}
}
}