address some security issues

CyberCP/secMiddleware.py

@@ -58,7 +58,6 @@ class secMiddleware:
                 for key, value in data.items():
                     if request.path.find('gitNotify') > -1:
                         break
-
                     if type(value) == str or type(value) == bytes:
                         pass
                     else:
@@ -72,31 +71,47 @@ class secMiddleware:
                             final_json = json.dumps(final_dic)
                             return HttpResponse(final_json)
 
-                    if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
+                    if hasattr(value, "__len__"):
-                        continue
+                        for items in value:
-                    if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
+                            if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find(
-                            or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
+                                    '&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \
-                            or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
+                                    or items.find("`") > -1 or items.find("$") > -1 or items.find(
-                            or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
+                                "(") > -1 or items.find(")") > -1 \
-                            or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
+                                    or items.find("'") > -1 or items.find("[") > -1 or items.find(
-                        continue
+                                "]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
-                    if value.find('- -') > -1 or value.find('\n') > -1 or  value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+                                    or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
-                            or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
+                                logging.writeToFile(request.body)
-                            or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
+                                final_dic = {
-                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                                    'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
-                        logging.writeToFile(request.body)
+                                    "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
-                        final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
+                                final_json = json.dumps(final_dic)
-                                     "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+                                return HttpResponse(final_json)
-                        final_json = json.dumps(final_dic)
+                    else:
-                        return HttpResponse(final_json)
+                        if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
-                    if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
+                            continue
-                            or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
+                        if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
-                            or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
+                                or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
-                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
+                                or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
-                        logging.writeToFile(request.body)
+                                or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
-                        final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+                                or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
-                        final_json = json.dumps(final_dic)
+                            continue
-                        return HttpResponse(final_json)
+                        if value.find('- -') > -1 or value.find('\n') > -1 or  value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+                                or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
+                                or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
+                                or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                            logging.writeToFile(request.body)
+                            final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
+                                         "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+                            final_json = json.dumps(final_dic)
+                            return HttpResponse(final_json)
+                        if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
+                                or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
+                                or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
+                                or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
+                            logging.writeToFile(request.body)
+                            final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+                            final_json = json.dumps(final_dic)
+                            return HttpResponse(final_json)
             except BaseException as msg:
                 logging.writeToFile(str(msg))
                 response = self.get_response(request)

plogical/applicationInstaller.py

@@ -1841,8 +1841,6 @@ $parameters = array(
                 stdoutput = ProcessUtilities.outputExecutioner(command)
 
 
-
-
             elif self.data['plugin'] == 'selected':
 
                 pluginsList = ''

websiteFunctions/templates/websiteFunctions/WPEidtPlugin.html

@@ -10,7 +10,7 @@
     <div class="container">
         <span id="pluginbID" style="display: none">{{ pluginbID }}</span>
         <div id="page-title">
-            <h2 id="domainNamePage">{% trans "Eidt Plugin Bucket" %}
+            <h2 id="domainNamePage">{% trans "Edit Plugin Bucket" %}
 
             </h2>
         </div>

websiteFunctions/templates/websiteFunctions/WPRestoreHome.html

@@ -44,7 +44,7 @@
                             </div>
                         {% else %}
                             <div ng-hide="installationDetailsForm" class="form-group">
-                                <label class="col-sm-2 control-label">{% trans "Choose Restronig Method " %}</label>
+                                <label class="col-sm-2 control-label">{% trans "Choose Restoring Method " %}</label>
                                 <div class="col-sm-10">
                                     <select ng-click="checkmethode()" id="RestoreMethode" class="form-control" required>
                                         <option value="-1">Select Method</option>