diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index 10299a67d..1f79d955d 100755 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -1,4 +1,6 @@ # coding=utf-8 +import os.path + from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging from django.shortcuts import HttpResponse, render import json @@ -51,8 +53,19 @@ class secMiddleware: except: pass + from plogical.processUtilities import ProcessUtilities + + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(request.build_absolute_uri()) + + FinalURL = request.build_absolute_uri().split('?')[0] + + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(f'Final actual URL without QS {FinalURL}') + if request.method == 'POST': try: + # logging.writeToFile(request.body) data = json.loads(request.body) for key, value in data.items(): @@ -68,7 +81,7 @@ class secMiddleware: "(") > -1 or items.find(")") > -1 \ or items.find("'") > -1 or items.find("[") > -1 or items.find( "]") > -1 or items.find("{") > -1 or items.find("}") > -1 \ - or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1: + or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1 or items.find("&") > -1: logging.writeToFile(request.body) final_dic = { 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", 
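Review bot: The first debug line in the `@@ -51,8 +53,19 @@` hunk writes `request.build_absolute_uri()` to the log before the query string is stripped, so whenever the debug marker file exists every GET parameter — including any token or credential a caller placed in the query string — is persisted, while the second line already logs the stripped `FinalURL`. Logging only `FinalURL` (or redacting the query string) keeps the debug output useful without writing secrets to disk. The two `os.path.exists(ProcessUtilities.debugPath)` calls per request can be folded into one, e.g. `debug = os.path.exists(ProcessUtilities.debugPath)` ahead of both `if` statements, and the per-request `from plogical.processUtilities import ProcessUtilities` belongs at module level unless it is there to break an import cycle. The `# logging.writeToFile(request.body)` line is commented-out code and should be dropped. The enclosing middleware method starts before this hunk.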
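Review bot: The `&` test appended to the `items.find(...)` chain in `@@ -68,7 +81,7 @@` is the first of four copies of the same blocklist edit — the `value` chain at `@@ -108,7 +121,7 @@`, the `key` chain at `@@ -119,7 +132,7 @@`, and `ACLManager` in `plogical/acl.py @@ -147,7 +147,7 @@` — and the error text beside them already lists a curly `‘` while the checks reject the ASCII `'`, which shows the chains and the message are not derived from one source. A single module-level constant holding the rejected characters, tested with `if any(c in items for c in BLOCKED_CHARS):` (name constructed), with the error message built from the same constant, would make the next character addition a one-line change and keep the message truthful. The `.find(x) > -1` form is also the long way of writing `x in items`. The enclosing loop starts before this hunk and continues after it.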
@@ -87,14 +100,14 @@ class secMiddleware: final_json = json.dumps(final_dic) return HttpResponse(final_json) - if request.build_absolute_uri().find( - 'api/remoteTransfer') > -1 or request.build_absolute_uri().find( - 'api/verifyConn') > -1 or request.build_absolute_uri().find( - 'webhook') > -1 or request.build_absolute_uri().find( - 'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find( - 'docker') > -1 or request.build_absolute_uri().find( - 'cloudAPI') > -1 or request.build_absolute_uri().find( - 'verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1: + if FinalURL.find( + 'api/remoteTransfer') > -1 or FinalURL.find( + 'api/verifyConn') > -1 or FinalURL.find( + 'webhook') > -1 or FinalURL.find( + 'saveSpamAssassinConfigurations') > -1 or FinalURL.find( + 'docker') > -1 or FinalURL.find( + 'cloudAPI') > -1 or FinalURL.find( + 'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1: continue if key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \ or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \ @@ -108,7 +121,7 @@ class secMiddleware: ")") > -1 \ or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find( "{") > -1 or value.find("}") > -1 \ - or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1: + or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1: logging.writeToFile(request.body) final_dic = { 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", 
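Review bot: The exemption list in this hunk still matches by substring (`FinalURL.find('docker') > -1` and the other eight), so the character checks are skipped for every key on any request whose path merely contains one of these tokens anywhere, not only on the intended endpoints; switching to `FinalURL` closes the query-string case but not this one. Comparing `request.path` against exact route prefixes, e.g. `if request.path.startswith(EXEMPT_PATHS):` with a tuple of the real URL-conf paths (constructed — confirm against the project's `urls.py`), limits the exemption to the routes that need it. Binding that tuple once outside the `for key, value in data.items()` loop also avoids re-evaluating the nine-way `or` per key. The loop and the enclosing method continue past this hunk.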
@@ -119,7 +132,7 @@ class secMiddleware: or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \ or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find( "{") > -1 or key.find("}") > -1 \ - or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1: + or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1 or key.find("&") > -1: logging.writeToFile(request.body) final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} diff --git a/api/views.py b/api/views.py index 1ba34f130..342ca642d 100755 --- a/api/views.py +++ b/api/views.py @@ -535,11 +535,10 @@ def FetchRemoteTransferStatus(request): dir = "/home/backup/transfer-"+str(data['dir'])+"/backup_log" try: - command = f"cat {dir}" - status = ProcessUtilities.outputExecutioner(command) - if hashPassword.check_password(admin.password, password): + command = f"cat {dir}" + status = ProcessUtilities.outputExecutioner(command) final_json = json.dumps({'fetchStatus': 1, 'error_message': "None", "status": status}) return HttpResponse(final_json) diff --git a/cloudAPI/cloudManager.py b/cloudAPI/cloudManager.py index 03ee71a0c..306443d98 100755 --- a/cloudAPI/cloudManager.py +++ b/cloudAPI/cloudManager.py @@ -344,6 +344,12 @@ class CloudManager: def statusFunc(self): try: statusFile = self.data['statusFile'] + + if not statusFile.startswith('/home/cyberpanel'): + data_ret = {'status': 0, 'abort': 0, 'installationProgress': "0", } + json_data = json.dumps(data_ret) + return HttpResponse(json_data) + statusData = open(statusFile, 'r').readlines() try: lastLine = statusData[-1] diff --git a/cloudAPI/views.py b/cloudAPI/views.py index 254f0e75f..bb426f82b 100755 --- a/cloudAPI/views.py +++ b/cloudAPI/views.py 
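Review bot: Moving the `cat` into the authenticated branch of `FetchRemoteTransferStatus` is the right ordering, but `dir` is still built as `"/home/backup/transfer-"+str(data['dir'])+"/backup_log"` from request data and interpolated into a command string, so the value should be validated even for an authenticated caller — e.g. `if not re.fullmatch(r'[A-Za-z0-9_-]+', str(data['dir'])):` followed by an error response in this view's `fetchStatus` shape (pattern constructed; match it to the ids the transfer code actually generates) — or the file read with `open()` directly, assuming `ProcessUtilities.outputExecutioner` hands the string to a shell. `dir` also shadows the builtin; `logPath` would read better. Whether `re` is imported in `api/views.py` is not visible in this hunk. The enclosing function starts and ends outside the hunk.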
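Review bot: The new guard in `statusFunc` compares the raw `statusFile` string, so a value whose `..` segments resolve outside the tree, or a sibling directory that merely shares the `/home/cyberpanel` prefix, still passes; normalise first and compare against the directory with its trailing slash, e.g. `statusFile = os.path.realpath(self.data['statusFile'])` then `if not statusFile.startswith('/home/cyberpanel/'):`. Whether `os` is imported in `cloudManager.py` is not visible here. The rejected case also answers with `status: 0` and a 200, indistinguishable from an idle install; writing the rejected value to the log would give operators something to alert on. The unchanged `open(statusFile, 'r').readlines()` below never closes its handle — `with open(statusFile) as f:` fixes that in passing. `statusFunc` continues past the hunk.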
@@ -24,13 +24,11 @@ def router(request): if admin.api == 0: return cm.ajaxPre(0, 'API Access Disabled.') - if controller == 'statusFunc': + if cm.verifyLogin(request)[0] == 1: pass else: - if cm.verifyLogin(request)[0] == 1: - pass - else: - return cm.verifyLogin(request)[1] + return cm.verifyLogin(request)[1] + ## Debug Log diff --git a/filemanager/views.py b/filemanager/views.py index 49b2cfe01..4e2f0eb3f 100755 --- a/filemanager/views.py +++ b/filemanager/views.py @@ -144,7 +144,7 @@ def upload(request): else: return ACLManager.loadErrorJson() except: - pass + return ACLManager.loadErrorJson() fm = FM(request, data) return fm.upload() diff --git a/plogical/acl.py b/plogical/acl.py index e6d82da30..fed781d57 100644 --- a/plogical/acl.py +++ b/plogical/acl.py @@ -147,7 +147,7 @@ class ACLManager: or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \ or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find( "{") > -1 or value.find("}") > -1 \ - or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1: + or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1: return 1 else: return 0 diff --git a/plogical/hashPassword.py b/plogical/hashPassword.py index 89cce7194..039112464 100755 --- a/plogical/hashPassword.py +++ b/plogical/hashPassword.py 
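Review bot: `cm.verifyLogin(request)` is evaluated twice on the rejection path in this hunk — once for `[0] == 1` and again to return `[1]` — which repeats the credential check per rejected request and assumes it has no side effects. Bind it once: `loginResult = cm.verifyLogin(request)` / `if loginResult[0] != 1:` / `return loginResult[1]`, which also removes the `pass`/`else` shape. Dropping the `statusFunc` exemption so every controller goes through `verifyLogin` is the substantive change and reads correctly. `router` starts and ends outside the hunk.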
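Review bot: Returning `ACLManager.loadErrorJson()` instead of `pass` makes the `upload` pre-check fail closed, but the handler is still a bare `except:` that also swallows `KeyboardInterrupt`/`SystemExit` and discards the cause, so a broken ACL lookup and a malformed request now look identical. Narrow it to `except Exception as e:` and record `str(e)` through whatever log writer this module has in scope before the `return ACLManager.loadErrorJson()` line. The `try` starts before this hunk and `upload` continues after it.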
@@ -1,18 +1,35 @@
-import uuid
-import hashlib
+# import uuid
+# import hashlib
+# import base64
+#
+# def hash_password(password):
+# # uuid is used to generate a random number
+# salt = uuid.uuid4().hex
+# return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
+#
+#
+# def check_password(hashed_password, user_password):
+# password, salt = hashed_password.split(':')
+# return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
+#
+# def generateToken(serverUserName, serverPassword):
+# credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
+# encoded_credentials = base64.b64encode(credentials).decode()
+# return 'Basic {0}'.format(encoded_credentials)
+
+
+import bcrypt
 import base64
+import secrets
 
 def hash_password(password):
- # uuid is used to generate a random number
- salt = uuid.uuid4().hex
- return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
-
+ salt = bcrypt.gensalt()
+ hashed_password = bcrypt.hashpw(password.encode(), salt)
+ return hashed_password.decode()
 
 def check_password(hashed_password, user_password):
- password, salt = hashed_password.split(':')
- return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
+ return bcrypt.checkpw(user_password.encode(), hashed_password.encode())
 
-def generateToken(serverUserName, serverPassword):
- credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
- encoded_credentials = base64.b64encode(credentials).decode()
- return 'Basic {0}'.format(encoded_credentials)
\ No newline at end of file
+def generate_token():
+ token = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
+ return token
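Review bot: `check_password` in this hunk calls `bcrypt.checkpw` unconditionally, and bcrypt raises `ValueError` when the stored value is not a bcrypt hash, so every account whose password was stored by the previous `<sha256hex>:<salt>` scheme (still visible in the commented block) will error at login unless a data migration not shown here runs first; the fence below keeps a legacy verification path (it needs `hashlib` and `hmac` imported) and expects callers to re-store `hash_password(user_password)` after a successful legacy match so the old format ages out. `generateToken(serverUserName, serverPassword)` is removed in favour of `generate_token()` with a different name and signature, which is a `NameError` for any caller not updated elsewhere in this commit. The 18-line commented-out copy of the old module should be deleted; version control holds the history. `bcrypt` is a new third-party dependency that has to be added to the project's requirements, and it only uses the first 72 bytes of the password (recent `bcrypt` releases reject longer input), which a `hash_password` docstring should state.
```python
def check_password(hashed_password, user_password):
    # Values from the previous scheme are "<sha256hex>:<salt>"; bcrypt hashes
    # start with "$2". Callers should re-store hash_password(user_password)
    # after a successful legacy match so legacy values are retired.
    if not hashed_password.startswith('$2') and ':' in hashed_password:
        digest, salt = hashed_password.split(':', 1)
        expected = hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
        return hmac.compare_digest(digest, expected)
    try:
        return bcrypt.checkpw(user_password.encode(), hashed_password.encode())
    except ValueError:
        # Malformed stored value: report no match instead of raising at login.
        return False
```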