Security Improvements.

2026-01-03 22:29:43 +01:00 · 2018-01-18 22:31:31 +05:00
parent 625f1d7218
commit 4e58548bfe
2 changed files with 23 additions and 5 deletions
--- a/ftp/views.py
+++ b/ftp/views.py
@@ -101,12 +101,18 @@ def submitFTPCreation(request):

                    path = "/home/" + data['ftpDomain']+"/public_html/"+path

+                    ## Security Check
+
+                    if path.find("..") > -1:
+                        data_ret = {'creatFTPStatus': 0,
+                                    'error_message': "Specified path must be inside virtual host home!"}
+                        json_data = json.dumps(data_ret)
+                        return HttpResponse(json_data)
+
                    execPath = "sudo python " + virtualHostUtilities.cyberPanel + "/plogical/ftpUtilities.py"

                    execPath = execPath + " ftpFunctions --path " + path + " --externalApp " + externalApp

-
-
                    output = subprocess.check_output(shlex.split(execPath))

                    if output.find("1,None") > -1:
--- a/websiteFunctions/views.py
+++ b/websiteFunctions/views.py
@@ -1112,6 +1112,14 @@ def installWordpress(request):
                else:
                    finalPath = "/home/" + domainName + "/public_html/"

+                ## Security Check
+
+                if finalPath.find("..") > -1:
+                    data_ret = {'installStatus': 0,
+                                'error_message': "Specified path must be inside virtual host home!"}
+                    json_data = json.dumps(data_ret)
+                    return HttpResponse(json_data)
+
                try:
                    website = ChildDomains.objects.get(domain=domainName)
                    externalApp = website.master.externalApp
@@ -1155,11 +1163,8 @@ def installWordpress(request):
                db = Databases(website=website, dbName=dbName, dbUser=dbUser)
                db.save()

-
-
                ## Installation

-
                execPath = "sudo python " + virtualHostUtilities.cyberPanel + "/plogical/virtualHostUtilities.py"

                execPath = execPath + " installWordPress --virtualHostName " + domainName + " --virtualHostUser " + externalApp + " --path " + finalPath + " --dbName " + dbName + " --dbUser " + dbUser + " --dbPassword " + dbPassword
@@ -1213,6 +1218,13 @@ def installJoomla(request):
                else:
                    finalPath = "/home/" + domainName + "/public_html/"

+
+                if finalPath.find("..") > -1:
+                    data_ret = {'installStatus': 0,
+                                'error_message': "Specified path must be inside virtual host home!"}
+                    json_data = json.dumps(data_ret)
+                    return HttpResponse(json_data)
+
                try:
                    website = ChildDomains.objects.get(domain=domainName)
                    externalApp = website.master.externalApp