diff --git a/install/deb/phpmyadmin/hestia-sso.php b/install/deb/phpmyadmin/hestia-sso.php
index 0db02ec1bd..be913d9a43 100644
--- a/install/deb/phpmyadmin/hestia-sso.php
+++ b/install/deb/phpmyadmin/hestia-sso.php
@@ -147,7 +147,11 @@ function session_invalid()
$user = $_GET['user'];
$host = 'localhost';
$token = $_GET['hestia_token'];
- $time = $_GET['exp'];
+ if(is_numeric($_GET['exp'])){
+ $time = $_GET['exp'];
+ }else{
+ $time = 0;
+ }
if ($time + 60 > time()) {
//note: Possible issues with cloudflare due to ip obfuscation
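Review bot: `is_numeric()` on the added line accepts signed, fractional and exponent forms (`"1e10"`, `" 5"`, `"-1"`), and it reads `$_GET['exp']` without an `isset()` guard, so a request that omits the parameter raises an undefined-index notice before falling back to 0. Because `exp` feeds the `$time + 60 > time()` comparison on the next line, a digits-only check with an explicit cast is tighter: `$time = (isset($_GET['exp']) && ctype_digit((string) $_GET['exp'])) ? (int) $_GET['exp'] : 0;`. The body of that `if` continues outside the hunk.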
diff --git a/web/delete/backup/exclusion/index.php b/web/delete/backup/exclusion/index.php
index 343874db37..f16abeb7fa 100644
--- a/web/delete/backup/exclusion/index.php
+++ b/web/delete/backup/exclusion/index.php
@@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
// Check token
verify_csrf($_GET);
if (!empty($_GET['system'])) {
- $v_username = escapeshellarg($user);
$v_system = escapeshellarg($_GET['system']);
- exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$user." ".$v_system, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
diff --git a/web/delete/backup/index.php b/web/delete/backup/index.php
index dd8bfb9af5..f7ec611a8d 100644
--- a/web/delete/backup/index.php
+++ b/web/delete/backup/index.php
@@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
// Check token
verify_csrf($_GET);
if (!empty($_GET['backup'])) {
- $v_username = escapeshellarg($user);
$v_backup = escapeshellarg($_GET['backup']);
- exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-backup ".$user." ".$v_backup, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
diff --git a/web/delete/cron/index.php b/web/delete/cron/index.php
index d41f4a92dc..78f29849f1 100644
--- a/web/delete/cron/index.php
+++ b/web/delete/cron/index.php
@@ -4,7 +4,7 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
// Check token
@@ -13,7 +13,7 @@
if (!empty($_GET['job'])) {
$v_username = escapeshellarg($user);
$v_job = escapeshellarg($_GET['job']);
- exec(HESTIA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-cron-job ".$user." ".$v_job, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
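Review bot: `$v_username = escapeshellarg($user);` on the line above the changed `exec` is now dead, because the command uses the already-escaped `$user`; the other files in this commit delete that line, and this one should too. The same leftover remains in web/delete/mail/index.php (mail-domain branch), web/delete/notification/index.php (acknowledge branch), web/suspend/mail/index.php (account branch) and web/suspend/web/index.php. Leaving it in place invites someone to "fix" the exec back to `$v_username`, which would double-quote the argument.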
diff --git a/web/delete/db/index.php b/web/delete/db/index.php
index d5e8631f4a..8fc6fce576 100644
--- a/web/delete/db/index.php
+++ b/web/delete/db/index.php
@@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
// Check token
verify_csrf($_GET);
if (!empty($_GET['database'])) {
- $v_username = escapeshellarg($user);
$v_database = escapeshellarg($_GET['database']);
- exec(HESTIA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-database ".$user." ".$v_database, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
diff --git a/web/delete/dns/index.php b/web/delete/dns/index.php
index a994a95ff0..03c68cf901 100644
--- a/web/delete/dns/index.php
+++ b/web/delete/dns/index.php
@@ -5,7 +5,7 @@
// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
// Check token
@@ -13,9 +13,8 @@
// DNS domain
if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-dns-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
@@ -41,8 +40,14 @@
header("Location: ".$back);
exit;
}
- header("Location: /list/dns/?domain=".$_GET['domain']);
- exit;
+ if($return_var > 0){
+ header("Location: /list/dns/");
+ exit;
+ }else{
+ header("Location: /list/dns/?domain=".$_GET['domain']);
+ exit;
+ }
+
}
$back = $_SESSION['back'];
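Review bot: The redirect in the new `else` branch interpolates `$_GET['domain']` into the `Location` header unencoded, so a domain value containing `&`, `#` or spaces yields a malformed target URL; `header("Location: /list/dns/?domain=".urlencode($_GET['domain']));` keeps the query well-formed. The `$return_var > 0` branch itself is fine. Brace spacing (`if(`, `}else{`) differs from the `if (...) {` / `} else {` form used on the surrounding lines of this file.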
diff --git a/web/delete/key/index.php b/web/delete/key/index.php
index d73e5e1994..9cc6ee81e6 100644
--- a/web/delete/key/index.php
+++ b/web/delete/key/index.php
@@ -7,13 +7,12 @@
verify_csrf($_GET);
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
if (!empty($_GET['key'])) {
$v_key = escapeshellarg(trim($_GET['key']));
- $v_user = escapeshellarg(trim($user));
- exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
+ exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
check_return_code($return_var, $output);
}
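Review bot: The changed `exec` call passes no `$output` or `$return_var`, yet `check_return_code($return_var, $output)` on the next line reads both, so a failure of `v-delete-user-ssh-key` is never reported and the check runs on undefined variables. Use `exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key, $output, $return_var);` and add `unset($output);` after the check, as the sibling delete pages do.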
diff --git a/web/delete/log/auth/index.php b/web/delete/log/auth/index.php
index b572d38a2b..84c6a6d888 100644
--- a/web/delete/log/auth/index.php
+++ b/web/delete/log/auth/index.php
@@ -7,13 +7,12 @@
// Check if administrator is viewing system log (currently 'admin' user)
if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
$token=$_SESSION['token'];
}
// Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
+exec(HESTIA_CMD."v-delete-user-auth-log ".$user, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
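Review bot: The admin branch keeps `isset($_GET['user'])`, so `?user=` (an empty string) now produces `$user = ''` — an empty quoted argument to `v-delete-user-auth-log` — instead of falling back to the session user; the sibling pages test `!empty($_GET['user'])` and this one should match: `if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {`. `$token = $_SESSION['token'];` in the same branch is not read anywhere within this hunk.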
@@ -32,7 +31,7 @@
// Add current user session back to log unless impersonating another user
if (!isset($_SESSION['look'])) {
- exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
+ exec(HESTIA_CMD."v-log-user-login ".$user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
}
// Flush session messages
diff --git a/web/delete/log/index.php b/web/delete/log/index.php
index df8f6552cf..67376ad508 100644
--- a/web/delete/log/index.php
+++ b/web/delete/log/index.php
@@ -7,24 +7,27 @@
// Check if administrator is viewing system log (currently 'admin' user)
if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
$token=$_SESSION['token'];
}
-// Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
- header("Location: /list/log/?user=$user&token=$token");
-} else {
- header("Location: /list/log/");
-}
-
// Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
+exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);
check_return_code($return_var, $output);
unset($output);
unset($token);
+if($return_var > 0){
+ header("Location: /list/log/");
+}else{
+ // Set correct page reload target
+ if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+ header("Location: /list/log/?user=$user&token=$token");
+ } else {
+ header("Location: /list/log/");
+ }
+}
+
// Render page
render_page($user, $TAB, 'list_log');
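Review bot: The rewritten `exec` still has its arguments shifted: `$output` is concatenated into the command string and `$return_var` sits in the `$output` slot, so `$return_var` receives the command's output array, `check_return_code()` gets an array as its exit code, and the new `if($return_var > 0)` compares an array with an int (always true in PHP), sending every request to `/list/log/`. It should read `exec(HESTIA_CMD."v-delete-user-log ".$user, $output, $return_var);`. Separately, `unset($token);` runs before the admin redirect that interpolates `$token`, so that query parameter is always empty — move the unset below the redirect block. `$user` now carries shell quoting from `escapeshellarg`, so `?user=$user` would pass a quoted name; use `urlencode($_GET['user'])` there instead.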
diff --git a/web/delete/mail/index.php b/web/delete/mail/index.php
index c5e3124431..111295fba6 100644
--- a/web/delete/mail/index.php
+++ b/web/delete/mail/index.php
@@ -5,7 +5,7 @@
// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=scapeshellarg($user);
}
// Check token
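Review bot: `scapeshellarg` on the changed line is not a defined function, so the admin "delete as someone else" branch fatals; it also wraps `$user` (already escaped in inc/main.php) rather than `$_GET['user']`, so even with the typo fixed the requested target would be ignored and the session user double-quoted. The line should read `$user=escapeshellarg($_GET['user']);` like the other delete pages in this commit. web/delete/web/index.php has the same wrong-variable defect (`$user = escapeshellarg($user);`).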
@@ -15,10 +15,13 @@
if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-mail-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION['back'];
+ if($return_var > 0){
+ header("Location: /list/mail/");
+ }
if (!empty($back)) {
header("Location: ".$back);
exit;
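Review bot: The added `if($return_var > 0){ header("Location: /list/mail/"); }` does not `exit`, so execution falls into the `!empty($back)` block and its `header("Location: ".$back)` overwrites the error redirect, making the failure path behave exactly like the success path. Add `exit;` after the header (the mail-account branch below avoids the overwrite by wrapping the back-redirect in an `else`, so the two branches are also inconsistent).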
@@ -29,12 +32,14 @@
// Mail account
if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
$v_account = escapeshellarg($_GET['account']);
- exec(HESTIA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
+ if($return_var > 0){
+ header("Location: /list/mail/");
+ }else{
$back = $_SESSION['back'];
if (!empty($back)) {
header("Location: ".$back);
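Review bot: The lines moved inside the new `}else{` (`$back = $_SESSION['back'];` and the `if (!empty($back))` block) keep their previous indentation, so the new nesting cannot be read from the layout; indent that block one level and write `} else {` to match the rest of the file. The closing brace for this `else` is added in the following hunk.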
@@ -42,6 +47,7 @@
}
header("Location: /list/mail/?domain=".$_GET['domain']);
exit;
+ }
}
$back = $_SESSION['back'];
diff --git a/web/delete/notification/index.php b/web/delete/notification/index.php
index 8009e8f893..ba0347acd0 100644
--- a/web/delete/notification/index.php
+++ b/web/delete/notification/index.php
@@ -6,15 +6,14 @@
verify_csrf($_GET);
if ($_GET['delete'] == 1) {
- $v_username = escapeshellarg($user);
$v_id = escapeshellarg((int)$_GET['notification_id']);
- exec(HESTIA_CMD."v-delete-user-notification ".$v_username." ".$v_id, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-notification ".$user." ".$v_id, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
} else {
$v_username = escapeshellarg($user);
$v_id = escapeshellarg((int)$_GET['notification_id']);
- exec(HESTIA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id, $output, $return_var);
+ exec(HESTIA_CMD."v-acknowledge-user-notification ".$user." ".$v_id, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
diff --git a/web/delete/web/cache/index.php b/web/delete/web/cache/index.php
index 5a386e3e71..f8f06a2c5a 100644
--- a/web/delete/web/cache/index.php
+++ b/web/delete/web/cache/index.php
@@ -8,13 +8,12 @@
// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
}
if (!empty($_GET['domain'])) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-purge-nginx-cache ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-purge-nginx-cache ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
}
$_SESSION['ok_msg'] = _('Nginx cache has been successfully purged');
diff --git a/web/delete/web/index.php b/web/delete/web/index.php
index e2dbb7ed57..e991053f5d 100644
--- a/web/delete/web/index.php
+++ b/web/delete/web/index.php
@@ -8,13 +8,12 @@
// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user = escapeshellarg($user);
}
if (!empty($_GET['domain'])) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
+ exec(HESTIA_CMD . 'v-delete-web-domain ' . $user . ' ' . $v_domain . " 'yes'", $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
diff --git a/web/download/backup/index.php b/web/download/backup/index.php
index 7c895820d3..a1f43918b6 100644
--- a/web/download/backup/index.php
+++ b/web/download/backup/index.php
@@ -9,9 +9,8 @@
$backup = $_GET['backup'];
if (!file_exists('/backup/'.$backup)) {
- $v_username = escapeshellarg($user);
$backup = escapeshellarg($_GET['backup']);
- exec(HESTIA_CMD."v-schedule-user-backup-download ".$v_username." ".$backup, $output, $return_var);
+ exec(HESTIA_CMD."v-schedule-user-backup-download ".$user." ".$backup, $output, $return_var);
if ($return_var == 0) {
$_SESSION['error_msg'] = _('BACKUP_DOWNLOAD_SCHEDULED');
} else {
diff --git a/web/edit/cron/index.php b/web/edit/cron/index.php
index 160867e2db..06e31b3f06 100644
--- a/web/edit/cron/index.php
+++ b/web/edit/cron/index.php
@@ -19,7 +19,7 @@
// List cron job
$v_job = escapeshellarg($_GET['job']);
exec(HESTIA_CMD."v-list-cron-job ".$user." ".$v_job." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/cron/');
$data = json_decode(implode('', $output), true);
unset($output);
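Review bot: `check_return_code_redirect()` (added in web/inc/main.php in this commit) sends a `Location` header but does not `exit`, so on a non-zero exit code the script continues here: `json_decode(implode('', $output), true)` runs on the error text, `$data` becomes null or a scalar, and the page body renders against it before the browser follows the redirect. Either make the helper terminate or follow each call with `exit;`. The same applies to the identical replacements in web/edit/db, web/edit/dns (both hunks), web/edit/firewall, web/edit/ip, web/edit/mail (both hunks), web/edit/package, web/edit/user and web/edit/web.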
diff --git a/web/edit/db/index.php b/web/edit/db/index.php
index dc5f507408..ef5c89a651 100644
--- a/web/edit/db/index.php
+++ b/web/edit/db/index.php
@@ -20,7 +20,7 @@
// List datbase
$v_database = $_GET['database'];
exec(HESTIA_CMD."v-list-database ".$user." ".escapeshellarg($v_database)." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/db/');
$data = json_decode(implode('', $output), true);
unset($output);
diff --git a/web/edit/dns/index.php b/web/edit/dns/index.php
index 89a86735ae..87438e6d69 100644
--- a/web/edit/dns/index.php
+++ b/web/edit/dns/index.php
@@ -26,7 +26,7 @@
if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD."v-list-dns-domain ".$user." ".$v_domain." json", $output, $return_var);
- check_return_code($return_var, $output);
+ check_return_code_redirect($return_var, $output,'/list/dns/');
$data = json_decode(implode('', $output), true);
unset($output);
@@ -58,10 +58,9 @@
$v_domain = escapeshellarg($_GET['domain']);
$v_record_id = escapeshellarg($_GET['record_id']);
exec(HESTIA_CMD."v-list-dns-records ".$user." ".$v_domain." 'json'", $output, $return_var);
- check_return_code($return_var, $output);
+ check_return_code_redirect($return_var, $output,'/list/dns/');
$data = json_decode(implode('', $output), true);
unset($output);
-
// Parse dns record
$v_username = $user;
$v_domain = $_GET['domain'];
@@ -206,6 +205,10 @@
// Display body for dns domain
render_page($user, $TAB, 'edit_dns');
} else {
+ if(empty($data[$_GET['record_id']])){
+ header("Location: /list/dns/");
+ $_SESSION['error_msg'] = _("Unknown record ID");
+ }
// Display body for dns record
render_page($user, $TAB, 'edit_dns_rec');
}
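Review bot: The new unknown-record branch sets the `Location` header and the error message but does not `exit`, so `render_page($user, $TAB, 'edit_dns_rec')` still runs with no record data and the page is emitted before the redirect is followed. Order it as `$_SESSION['error_msg'] = _("Unknown record ID"); header("Location: /list/dns/"); exit;`. Brace spacing `if(` differs from the `if (` used on the surrounding lines.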
diff --git a/web/edit/firewall/index.php b/web/edit/firewall/index.php
index 666816fa07..f0ba0e3500 100644
--- a/web/edit/firewall/index.php
+++ b/web/edit/firewall/index.php
@@ -21,7 +21,7 @@
// List rule
$v_rule = escapeshellarg($_GET['rule']);
exec(HESTIA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/firewall');
$data = json_decode(implode('', $output), true);
unset($output);
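Review bot: The redirect target `'/list/firewall'` lacks the trailing slash that every other new call in this commit uses (`'/list/cron/'`, `'/list/db/'`, …); unless the web server normalises it, this costs an extra redirect or misses the route. Use `'/list/firewall/'` here and `'/list/ip/'` in web/edit/ip/index.php for consistency.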
diff --git a/web/edit/ip/index.php b/web/edit/ip/index.php
index 81cd8c0fab..ad48556a08 100644
--- a/web/edit/ip/index.php
+++ b/web/edit/ip/index.php
@@ -21,7 +21,7 @@
// List ip
$v_ip = escapeshellarg($_GET['ip']);
exec(HESTIA_CMD."v-list-sys-ip ".$v_ip." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/ip');
$data = json_decode(implode('', $output), true);
unset($output);
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
index 032809037f..d5807c8dff 100644
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
@@ -32,15 +32,10 @@
// List mail domain
if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
$v_domain = $_GET['domain'];
- if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
- }
exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
+ check_return_code_redirect($return_var, $output, '/list/mail/');
unset($output);
// Parse domain
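Review bot: Removing the `in_array($v_domain, $user_domains)` ownership check moves authorization for non-admin users to the exit code of `v-list-mail-domain`, and the new `check_return_code_redirect()` call is placed after `json_decode` and does not `exit`, so a request for a domain the user does not own still proceeds to render with whatever `$data` the command printed. If the CLI is meant to be the authority here, confirm it returns non-zero for a foreign domain and make the redirect terminate (`exit;` after the call); otherwise keep the guard. The same removal is made in the mail-account hunk below and in web/edit/web/index.php.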
@@ -89,16 +84,11 @@
// List mail account
if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
$v_domain = $_GET['domain'];
- if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
- }
$v_account = $_GET['account'];
exec(HESTIA_CMD."v-list-mail-account ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." 'json'", $output, $return_var);
$data = json_decode(implode('', $output), true);
+ check_return_code_redirect($return_var, $output, '/list/mail/');
unset($output);
// Parse mail account
diff --git a/web/edit/package/index.php b/web/edit/package/index.php
index 17ff469b36..c8308ba30d 100644
--- a/web/edit/package/index.php
+++ b/web/edit/package/index.php
@@ -28,6 +28,7 @@
// List package
$v_package = escapeshellarg($_GET['package']);
exec(HESTIA_CMD."v-list-user-package ".$v_package." 'json'", $output, $return_var);
+check_return_code_redirect($return_var, $output, '/list/package/');
$data = json_decode(implode('', $output), true);
unset($output);
diff --git a/web/edit/user/index.php b/web/edit/user/index.php
index 59f7ddfd88..2b054aa427 100644
--- a/web/edit/user/index.php
+++ b/web/edit/user/index.php
@@ -33,7 +33,8 @@
// List user
exec(HESTIA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/user/');
+
$data = json_decode(implode('', $output), true);
unset($output);
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
index 5165bdf872..c739152eea 100644
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
@@ -19,21 +19,15 @@
}
// Get all user domains
-exec(HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." json", $output, $return_var);
+exec(HESTIA_CMD."v-list-web-domains ".$user." json", $output, $return_var);
$user_domains = json_decode(implode('', $output), true);
$user_domains = array_keys($user_domains);
unset($output);
-// List domain
$v_domain = $_GET['domain'];
-if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
-}
-
exec(HESTIA_CMD."v-list-web-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+# Check if domain exists if not return /list/web/
+check_return_code_redirect($return_var, $output, '/list/web/');
$data = json_decode(implode('', $output), true);
unset($output);
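Review bot: With the ownership guard removed, `$user_domains` (built from the `v-list-web-domains` exec a few lines above) is no longer read anywhere in this hunk, leaving a dead shell call on every page load; drop those lines or restore the guard. The added `# Check if domain exists ...` comment uses `#` where this file uses `//`; `// Redirect to /list/web/ if the domain does not exist` would match.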
diff --git a/web/inc/main.php b/web/inc/main.php
index c081307d6c..982aca7d53 100644
--- a/web/inc/main.php
+++ b/web/inc/main.php
@@ -113,11 +113,11 @@ function destroy_sessions()
}
if (isset($_SESSION['user'])) {
- $user = $_SESSION['user'];
+ $user = escapeshellarg($_SESSION['user']);
}
if (isset($_SESSION['look']) && ($_SESSION['userContext'] === 'admin')) {
- $user = $_SESSION['look'];
+ $user = escapeshellarg($_SESSION['look']);
}
require_once(dirname(__FILE__) . '/i18n.php');
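Review bot: Wrapping `$user` in `escapeshellarg()` here changes the value of a variable the whole web UI uses for more than shell commands: `$panel[$user]['SUSPENDED']` in `top_panel()` (visible further down in this diff) now indexes with the quoted string `'name'`, and `render_page($user, ...)` plus the URL redirects in the edit and delete pages receive the quoted form too. If `$panel` is keyed by the raw username, the suspended-user logout silently stops matching. It is safer to keep `$user` raw and escape at each `exec` site (as the removed `$v_username` lines did), or to introduce a separate variable for the escaped form.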
@@ -140,6 +140,17 @@ function check_return_code($return_var, $output)
$_SESSION['error_msg'] = $error;
}
}
+function check_return_code_redirect($return_var, $output, $location){
+ if ($return_var != 0) {
+ $error = implode('
', $output);
+ if (empty($error)) {
+ $error = sprintf(_('Error code:'), $return_var);
+ }
+ $_SESSION['error_msg'] = $error;
+ header("Location:".$location);
+ }
+
+}
function render_page($user, $TAB, $page)
{
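Review bot: `check_return_code_redirect()` sends a `Location` header but returns normally, so every caller continues executing the page body with failed command output; add `exit;` after `header("Location: ".$location);` (with a space after the colon). `sprintf(_('Error code:'), $return_var)` has no conversion specifier, so the exit code is dropped from the message — `sprintf(_('Error code: %d'), $return_var)` if the translation catalogue allows it. Typing the signature (`int $return_var, array $output, string $location): void`) would also have caught the shifted-argument call in web/delete/log/index.php.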
@@ -189,14 +200,31 @@ function verify_csrf($method, $return = false)
}
}
+function show_error_panel($data){
+ if (!empty($data['error_msg'])) {
+ $msg_icon = 'fa-exclamation-circle status-icon red';
+ $msg_text = $data['error_msg'];
+ $msg_id = 'vst-error';
+ } else {
+ if (!empty($data['ok_msg'])) {
+ $msg_icon = 'fa-check-circle status-icon green';
+ $msg_text = $data['ok_msg'];
+ $msg_id = 'vst-ok';
+ }
+ }
+ ?>
+ =htmlentities($msg_text);?>
+ 0) {
- echo 'ERROR: Unable to retrieve account details.
Please log in again.';
destroy_sessions();
+ $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
header('Location: /login/');
exit;
}
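Review bot: In `show_error_panel()`, `$msg_icon`, `$msg_text` and `$msg_id` are assigned only inside the two branches, so when neither `error_msg` nor `ok_msg` is set the template reads undefined variables and `htmlentities($msg_text)` is called with null (deprecated since 8.1). Initialise them before the `if`, e.g. `$msg_icon = $msg_text = $msg_id = '';`, or return early when there is nothing to show. The inline HTML part of this hunk appears stripped in this rendering, so the template markup itself could not be reviewed here.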
@@ -206,8 +234,8 @@ function top_panel($user, $TAB)
// Log out active sessions for suspended users
if (($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'yes')) {
if(empty($_SESSION['look'])){
- $_SESSION['error_msg'] = 'You have been logged out. Please log in again.';
destroy_sessions();
+ $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
header('Location: /login/');
}
}
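Review bot: The moved `$_SESSION['error_msg']` assignment now runs after `destroy_sessions()`; if that helper calls `session_destroy()` without starting a fresh session, the message is written to a dead array and never reaches the login page. Confirm `destroy_sessions()` re-initialises the session, or set the message before the destroy as the removed line did. `header('Location: /login/')` in this branch also has no `exit;`, unlike the equivalent branch in the hunk above.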
diff --git a/web/login/index.php b/web/login/index.php
index ee6ad222c2..20d97f3215 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -36,6 +36,9 @@
unset($_SESSION['_sf2_attributes']);
unset($_SESSION['_sf2_meta']);
header('Location: /login/');
+ }else{
+ # User doesn't exists
+ header('Location: /');
}
}
exit;
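Review bot: The comment on the new `else` branch reads `# User doesn't exists` with a `#` marker, while the surrounding code uses `//` comments; `// User does not exist` is the grammatical form. The `if` this `else` belongs to starts outside the hunk, so whether a redirect to `/` is the intended response for an unknown user cannot be judged from here.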
diff --git a/web/suspend/cron/index.php b/web/suspend/cron/index.php
index 0beffcb829..823034c2c1 100644
--- a/web/suspend/cron/index.php
+++ b/web/suspend/cron/index.php
@@ -6,9 +6,8 @@
verify_csrf($_GET);
if (!empty($_GET['job'])) {
- $v_username = escapeshellarg($user);
$v_job = escapeshellarg($_GET['job']);
- exec(HESTIA_CMD."v-suspend-cron-job ".$v_username." ".$v_job, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-cron-job ".$user." ".$v_job, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
diff --git a/web/suspend/db/index.php b/web/suspend/db/index.php
index 8837ddf69c..47566a7ed5 100644
--- a/web/suspend/db/index.php
+++ b/web/suspend/db/index.php
@@ -10,9 +10,8 @@
verify_csrf($_GET);
if (!empty($_GET['database'])) {
- $v_username = escapeshellarg($user);
$v_database = escapeshellarg($_GET['database']);
- exec(HESTIA_CMD."v-suspend-database ".$v_username." ".$v_database, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-database ".$user." ".$v_database, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
diff --git a/web/suspend/dns/index.php b/web/suspend/dns/index.php
index 07367cd611..080988f11e 100644
--- a/web/suspend/dns/index.php
+++ b/web/suspend/dns/index.php
@@ -11,9 +11,8 @@
// DNS domain
if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-dns-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION['back'];
@@ -27,10 +26,9 @@
// DNS record
if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
$v_record_id = escapeshellarg($_GET['record_id']);
- exec(HESTIA_CMD."v-suspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-dns-record ".$user." ".$v_domain." ".$v_record_id, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION['back'];
diff --git a/web/suspend/mail/index.php b/web/suspend/mail/index.php
index 4f92d2678d..ca304e2fdf 100644
--- a/web/suspend/mail/index.php
+++ b/web/suspend/mail/index.php
@@ -11,9 +11,8 @@
// Mail domain
if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
- $v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-mail-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back=getenv("HTTP_REFERER");
@@ -30,7 +29,7 @@
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
$v_account = escapeshellarg($_GET['account']);
- exec(HESTIA_CMD."v-suspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION['back'];
diff --git a/web/suspend/user/index.php b/web/suspend/user/index.php
index 35a38ec384..1ef3762865 100644
--- a/web/suspend/user/index.php
+++ b/web/suspend/user/index.php
@@ -16,8 +16,7 @@
}
if (!empty($_GET['user'])) {
- $v_username = escapeshellarg($_GET['user']);
- exec(HESTIA_CMD."v-suspend-user ".$v_username, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-user ".$user, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
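Review bot: The command now takes `$user` instead of `escapeshellarg($_GET['user'])`, but `$user` is set by web/inc/main.php to the acting (or impersonated) session user; unless the block above this hunk reassigns `$user` from `$_GET['user']`, the page suspends the requester's own account rather than the one named in the request. Confirm that assignment exists, or keep `escapeshellarg($_GET['user'])` on this line.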
diff --git a/web/suspend/web/index.php b/web/suspend/web/index.php
index 9d1b111960..d5dcfaac21 100644
--- a/web/suspend/web/index.php
+++ b/web/suspend/web/index.php
@@ -12,7 +12,7 @@
if (!empty($_GET['domain'])) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-web-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-web-domain ".$user." ".$v_domain, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
diff --git a/web/templates/includes/title.html b/web/templates/includes/title.html
index f46c0d77de..513c92460b 100644
--- a/web/templates/includes/title.html
+++ b/web/templates/includes/title.html
@@ -1,2 +1,2 @@
-
=_('2FA Reset Code:').' '.$v_twofa; ?>
=_('Please scan the code below in your 2FA application:'); ?>
- +