Merge branch 'servicing' into release

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.8.8] - Service release
+
+### Security
+
+- Security patch for XSS in Edit server (#4013)
+
+### Bugfixes
+
+- Improve Gitea template with SSL support (#4012 @asessa)
+- Restart Nginx / Apache2 when suspending users via Web UI Bulk option (#4007)
+- Fix time and date variables in v-user-package (#4008 #sahsanu)
+- Prevent users creating DNS records with the ID 0 (#3993)
+- Decrease minimal length ipset files to 5. (#3992)
+- Add wp-cli to the user .bash_aliases file (#4002)
+- default value true to yes for three POLICY_USER directives (#3998)
+- Update v-delete-sys-api-ip (#3994)
+- Fix v-add-sys-quota and v-delete-sys-quota (#3991)
+- Allow up to 13 arguments for the api instead of 9
+- Fix an issue with listing overall stats admin user (#4001)
+
+### Dependencies
+
+- Update Roundcube to 1.6.3
+- Update Blackblaze CLI to 3.10.0
+- Update Phppgadmin to 7.4.16
+
 ## [1.8.7] - Service release
 
 ### Bugfixes

README.md

@@ -4,7 +4,7 @@
 
 <h2 align="center">A lightweight and powerful control panel for the modern web</h2>
 
-<p align="center"><strong>Latest stable release:</strong> Version 1.8.7 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
+<p align="center"><strong>Latest stable release:</strong> Version 1.8.8 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
 
 <p align="center">
 	<a href="https://www.hestiacp.com/">HestiaCP.com</a> |

bin/v-add-firewall-ipset

@@ -81,7 +81,7 @@ if ! echo "$data_source" | egrep -q '^(https?|script|file):'; then
 fi
 
 IPSET_FILE="${ip_name}.${ip_version}"
-IPSET_MIN_SIZE=10
+IPSET_MIN_SIZE=5
 
 #----------------------------------------------------------#
 #                       Action                             #

bin/v-add-sys-quota

@@ -22,8 +22,7 @@ source_conf "$HESTIA/conf/hestia.conf"
 #----------------------------------------------------------#
 
 # Ensure that quota kernel modules are installed
-kernel_module_check=$(find /lib/modules/$(uname -r) -type f -name '*quota_v*.ko*' | egrep '.*' && [ $? -eq 0 ])
-if [ -z "$kernel_module_check" ]; then
+if ! find "/lib/modules/$(uname -r)" -type f -name '*quota_v*.ko*' | grep -q '.*'; then
 	# Install kernel modules for quota support.
 	# Requires reboot to activate updated kernel.
 	echo "Installing required kernel modules for quota support..."
@@ -33,8 +32,7 @@ if [ -z "$kernel_module_check" ]; then
 fi
 
 # Checking quota package
-quota=$(which --skip-alias --skip-functions quota 2> /dev/null)
-if [ $? -ne 0 ]; then
+if ! type -P quota &>/dev/null; then
 	if [ -f "/etc/redhat-release" ]; then
 		dnf -y install quota > /dev/null 2>&1
 	else
@@ -56,10 +54,11 @@ mnt=$(df -P /home | awk '{print $6}' | tail -n1)
 lnr=$(cat -n /etc/fstab | grep -v "#" | awk '{print $1,$3}' | grep "$mnt$" | cut -f 1 -d ' ')
 opt=$(sed -n ${lnr}p /etc/fstab | awk '{print $4}')
 fnd='usrquota\|grpquota\|usrjquota=aquota.user\|grpjquota=aquota.group\|jqfmt=vfsv0'
-if [ $(echo $opt | tr ',' '\n' | grep -x $fnd | wc -l) -ne 5 ]; then
+if [ "$(echo "$opt" | tr ',' '\n' | grep -c -x $fnd)" -ne 5 ]; then
 	old=$(echo $(echo $opt | tr ',' '\n' | grep -v 'usrquota\|grpquota\|usrjquota=\|grpjquota=\|jqfmt=') | tr ' ' ',')
 	new='usrquota,grpquota,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0'
 	sed -i "$lnr s/$opt/$old,$new/" /etc/fstab
+	systemctl daemon-reload
 	mount -o remount "$mnt"
 fi
 
@@ -83,11 +82,7 @@ if [ -n "$(quotaon -pa | grep " $mnt " | grep 'user\|group' | grep 'is off')" ];
 fi
 
 # Updating hestia.conf value
-if [ -z "$(grep DISK_QUOTA $HESTIA/conf/hestia.conf)" ]; then
-	echo "DISK_QUOTA='yes'" >> $HESTIA/conf/hestia.conf
-else
-	sed -i "s/DISK_QUOTA=.*/DISK_QUOTA='yes'/g" $HESTIA/conf/hestia.conf
-fi
+$BIN/v-change-sys-config-value "DISK_QUOTA" "yes"
 
 # Rebuilding user quota
 for user in $($BIN/v-list-sys-users plain); do

bin/v-add-user-wp-cli

@@ -56,7 +56,7 @@ chown $user:$user "$WPCLI_DIR"
 
 user_exec wget --tries=3 --timeout=15 --read-timeout=15 --waitretry=3 --no-dns-cache --quiet -O "$WPCLI_BIN" https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 user_exec chmod +x "$WPCLI_BIN"
-user_exec echo -e "#add wp-cli alias for user\nalias wp='php $WPCLI_BIN'" >> ~/.bashrc
+echo "alias wp=/home/"$user"/.wp-cli/wp" >> /home/$user/.bash_aliases
 
 #----------------------------------------------------------#
 #                       Hestia                             #

bin/v-change-user-package

@@ -77,8 +77,8 @@ is_package_available() {
 change_user_package() {
 	source_conf "$USER_DATA/user.conf"
 	# Keep user creation date and time saved
-	time="$TIME"
-	date="$DATE"
+	creation_time="$TIME"
+	creation_date="$DATE"
 	source_conf "$HESTIA/data/packages/$package.pkg"
 	echo "NAME='$NAME'
 PACKAGE='$package'
@@ -142,8 +142,8 @@ PREF_UI_SORT='$PREF_UI_SORT'
 LOGIN_DISABLED='$LOGIN_DISABLED'
 LOGIN_USE_IPLIST='$LOGIN_USE_IPLIST'
 LOGIN_ALLOW_IPS='$LOGIN_ALLOW_IPS'
-TIME='$time'
-DATE='$date'" > $USER_DATA/user.conf
+TIME='$creation_time'
+DATE='$creation_date'" > $USER_DATA/user.conf
 }
 
 #----------------------------------------------------------#

bin/v-delete-sys-api-ip

@@ -36,7 +36,7 @@ check_hestia_demo_mode
 
 new_list=''
 set -f # avoid globbing (expansion of *).
-array=("${API_ALLOWED_IP//,/ }")
+array=(${API_ALLOWED_IP//,/ })
 for i in "${!array[@]}"; do
 	if [ "${array[i]}" != "$ip46" ]; then
 		if [ "$new_list" = '' ]; then

bin/v-delete-sys-quota

@@ -31,37 +31,38 @@ check_hestia_demo_mode
 
 # Deleting group and user quota on /home partition
 mnt=$(df -P /home | awk '{print $6}' | tail -n1)
-lnr=$(cat -n /etc/fstab | awk '{print $1,$3}' | grep "$mnt$" | cut -f 1 -d ' ')
+lnr=$(cat -n /etc/fstab | grep -v "#" | awk '{print $1,$3}' | grep "$mnt$" | cut -f 1 -d ' ')
 opt=$(sed -n ${lnr}p /etc/fstab | awk '{print $4}')
 fnd='usrquota\|grpquota\|usrjquota=\|grpjquota=\|jqfmt='
 if [ -n "$(echo $opt | grep $fnd)" ]; then
 	rep=$(echo $(echo $opt | tr ',' '\n' | grep -v $fnd) | tr ' ' ',')
 	sed -i "$lnr s/$opt/$rep/" /etc/fstab
+	systemctl daemon-reload
 	mount -o remount "$mnt"
 fi
 
 # Disabling group and user quota
-quotaoff=$(which --skip-alias --skip-functions quotaoff 2> /dev/null)
-if [ $? -eq 0 ]; then
-	if [ -n "$(quotaon -pa | grep " $mnt " | grep 'user\|group' | grep 'is on')" ]; then
-		$quotaoff $mnt
+if quotaon="$(type -P quotaon 2>/dev/null)" && quotaoff="$(type -P quotaoff 2>/dev/null)"; then
+        if "${quotaon}" -pa | grep " $mnt " | grep 'user\|group' | grep -q 'is on' &>/dev/null; then
+		"$quotaoff" "$mnt"
 	fi
 fi
 
 # Deleting v1 + v2 group and user quota index
-for idx in $(echo 'quota.user quota.group aquota.user aquota.group'); do
+for idx in quota.user quota.group aquota.user aquota.group; do
 	[ -e "$mnt/$idx" ] && rm -f "$mnt/$idx"
 done
 
-# Deleting cron job
-rm -f /etc/cron.daily/quotacheck
+# Deleting cron job and forcequotacheck
+if [[ -f "/etc/cron.daily/quotacheck" ]]; then
+        rm -f "/etc/cron.daily/quotacheck"
+fi
+if [[ -f "/forcequotacheck" ]]; then
+        rm -f "/forcequotacheck"
+fi
 
 # Updating hestia.conf value
-if [ -z "$(grep DISK_QUOTA $HESTIA/conf/hestia.conf)" ]; then
-	echo "DISK_QUOTA='no'" >> $HESTIA/conf/hestia.conf
-else
-	sed -i "s/DISK_QUOTA=.*/DISK_QUOTA='no'/g" $HESTIA/conf/hestia.conf
-fi
+$BIN/v-change-sys-config-value "DISK_QUOTA" "no"
 
 #----------------------------------------------------------#
 #                       Hestia                             #

bin/v-list-sys-services

@@ -87,9 +87,9 @@ get_srv_state() {
 
 	# Searching related pids
 	if [ -z $3 ]; then
-		pids=$(pidof $name | tr ' ' '|')
+		pids=$(pidof -d '|' $name)
 	else
-		pids=$(pidof -x $name | tr ' ' '|')
+		pids=$(pidof -d '|' -x $name)
 	fi
 	if [ -z "$pids" ] && [ "$name" != 'nginx' ]; then
 		pids=$(pgrep $name | tr '\n' '|')
@@ -102,7 +102,7 @@ get_srv_state() {
 
 	# Checking pid
 	if [ -n "$pids" ]; then
-		pid=$(echo "$pids" | cut -f 1 -d '|')
+		pid=$(echo "$pids" | awk -F '|' '{print $NF}')
 		pids=${pids%|}
 		pids=$(egrep "$pids" $tmp_file)
 

docs/docs/server-administration/email.md

@@ -49,6 +49,15 @@ If you are unable to receive emails, make sure you have setup your DNS properly.
 
 When you are done you can check the configuration via [MXToolBox](https://mxtoolbox.com/MXLookup.aspx).
 
+## Rejected because [ip] is in black list at zen.spamhaus.org. Error open resolver: `https://www.spamhaus.org/returnc/pub/65.1.174.102`
+
+1. Go to [Spamhaus free data query account](https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/)
+1. Fill in the form and verify your email address by via the link in the email you recive.
+1. Once logged, go to Products → DQS and you will see your Query Key and below you will see the exactly fqdn that you will need to use Zen Spamhaus black list. Something like: `HereYourQueryKey.zen.dq.spamhaus.net`
+1. Edit /etc/exim4/dnsbl.conf and replace `zen.spamhaus.org` with `HereYourQueryKey.zen.dq.spamhaus.net`
+1. Also edit /etc/exim4/exim4.conf.template on the line: `deny    message       = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text` to `deny    message       = Rejected because $sender_host_address is in a black list` to prevent your Query key from leaking
+1. Restart exim4 with systemctl restart exim4
+
 ## How do I disable internal lookup for email
 
 If you use an SMTP relay or want to use DKIM on your web server but host email on gmail you need to disable internal lookup in Exim4.

func/main.sh

@@ -1010,12 +1010,19 @@ is_fw_port_format_valid() {
 			check_result "$E_INVALID" "invalid port format :: $1"
 		fi
 	else
-		if ! [[ "$1" =~ ^[0-9][-|,|:|0-9]{0,30}[0-9]$ ]]; then
-			check_result "$E_INVALID" "invalid port format :: $1"
+		if ! [[ "$1" =~ ^[0-9][-|,|:|0-9]{0,76}[0-9]$ ]]; then
+			check_result "$E_INVALID" "invalid port format and/or more than 78 chars used :: $1"
 		fi
 	fi
 }
 
+# DNS record id validator
+is_id_format_valid() {
+	if ! echo "$1" | grep -qE '^[1-9][0-9]{0,}$'; then
+		check_result "$E_INVALID" "invalid $2 format :: $1"
+	fi
+}
+
 # Integer validator
 is_int_format_valid() {
 	if ! [[ "$1" =~ ^[0-9]+$ ]]; then
@@ -1182,7 +1189,7 @@ is_format_valid() {
 				hash) is_hash_format_valid "$arg" "$arg_name" ;;
 				host) is_object_format_valid "$arg" "$arg_name" ;;
 				hour) is_cron_format_valid "$arg" $arg_name ;;
-				id) is_int_format_valid "$arg" 'id' ;;
+				id) is_id_format_valid "$arg" 'id' ;;
 				iface) is_interface_format_valid "$arg" ;;
 				ip) is_ip_format_valid "$arg" ;;
 				ipv6) is_ipv6_format_valid "$arg" ;;

func/syshealth.sh

@@ -394,7 +394,7 @@ function syshealth_repair_system_config() {
 	# Theme editor
 	if [[ -z $(check_key_exists 'POLICY_USER_CHANGE_THEME') ]]; then
 		echo "[ ! ] Adding missing variable to hestia.conf: POLICY_USER_CHANGE_THEME ('yes')"
-		$BIN/v-change-sys-config-value "POLICY_USER_CHANGE_THEME" "true"
+		$BIN/v-change-sys-config-value "POLICY_USER_CHANGE_THEME" "yes"
 	fi
 	# Protect admin user
 	if [[ -z $(check_key_exists 'POLICY_SYSTEM_PROTECTED_ADMIN') ]]; then
@@ -419,12 +419,12 @@ function syshealth_repair_system_config() {
 	# Allow users to edit web templates
 	if [[ -z $(check_key_exists 'POLICY_USER_EDIT_WEB_TEMPLATES') ]]; then
 		echo "[ ! ] Adding missing variable to hestia.conf: POLICY_USER_EDIT_WEB_TEMPLATES ('yes')"
-		$BIN/v-change-sys-config-value "POLICY_USER_EDIT_WEB_TEMPLATES" "true"
+		$BIN/v-change-sys-config-value "POLICY_USER_EDIT_WEB_TEMPLATES" "yes"
 	fi
 	# View user logs
 	if [[ -z $(check_key_exists 'POLICY_USER_VIEW_LOGS') ]]; then
 		echo "[ ! ] Adding missing variable to hestia.conf: POLICY_USER_VIEW_LOGS ('yes')"
-		$BIN/v-change-sys-config-value "POLICY_USER_VIEW_LOGS" "true"
+		$BIN/v-change-sys-config-value "POLICY_USER_VIEW_LOGS" "yes"
 	fi
 	# Allow users to login (read only) when suspended
 	if [[ -z $(check_key_exists 'POLICY_USER_VIEW_SUSPENDED') ]]; then

install/deb/templates/web/nginx/php-fpm/gitea.stpl

@@ -24,8 +24,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

install/deb/templates/web/nginx/php-fpm/gitea.tpl

@@ -15,8 +15,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.7'
+HESTIA_INSTALL_VER='1.8.8'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"

install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.7'
+HESTIA_INSTALL_VER='1.8.8'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"

install/rpm/templates/web/nginx/php-fpm/gitea.stpl

@@ -24,8 +24,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

install/rpm/templates/web/nginx/php-fpm/gitea.tpl

@@ -15,8 +15,9 @@ server {
 
 	include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
 
-	location ~ /.well-known {
-		allow all;
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
 	}
 
 	location / {

install/upgrade/upgrade.conf

@@ -46,11 +46,11 @@ multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 pma_v='5.2.1'
 
 # Set version of phppgadmin to install during upgrade if not already installed
-pga_v='7.14.5'
+pga_v='7.14.6'
 
 # Set version of RoundCube (Webmail) to update during upgrade if not already installed
 # Note: only applies to "non-apt installs >= 1.4.0 or manually phased out"
-rc_v='1.6.2'
+rc_v='1.6.3'
 
 # Set version of SnappyMail (Webmail) to update during upgrade if not already installed
 sm_v='2.28.4'
@@ -63,4 +63,4 @@ UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
 fm_v='7.9.2'
 
 # Backblaze
-b2_v='3.6.0'
+b2_v='3.10.0'