From 4e58548bfe11bf2a3e32cdeb90e367892b656060 Mon Sep 17 00:00:00 2001
From: usmannasir <01-134132-158@student.bahria.edu.pk>
Date: Thu, 18 Jan 2018 22:31:31 +0500
Subject: [PATCH] Security Improvements.

---
ftp/views.py | 10 ++++++++--
websiteFunctions/views.py | 18 +++++++++++++++---
2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/ftp/views.py b/ftp/views.py
index 14a370d70..645505af1 100644
--- a/ftp/views.py
+++ b/ftp/views.py
@@ -101,12 +101,18 @@ def submitFTPCreation(request):
path = "/home/" + data['ftpDomain']+"/public_html/"+path
+ ## Security Check
+
+ if path.find("..") > -1:
+ data_ret = {'creatFTPStatus': 0,
+ 'error_message': "Specified path must be inside virtual host home!"}
+ json_data = json.dumps(data_ret)
+ return HttpResponse(json_data)
+
execPath = "sudo python " + virtualHostUtilities.cyberPanel + "/plogical/ftpUtilities.py"
execPath = execPath + " ftpFunctions --path " + path + " --externalApp " + externalApp
-
-
output = subprocess.check_output(shlex.split(execPath))
if output.find("1,None") > -1:
diff --git a/websiteFunctions/views.py b/websiteFunctions/views.py
index ecd5999e4..3e63aa54f 100644
--- a/websiteFunctions/views.py
+++ b/websiteFunctions/views.py
@@ -1112,6 +1112,14 @@ def installWordpress(request):
else:
finalPath = "/home/" + domainName + "/public_html/"
+ ## Security Check
+
+ if finalPath.find("..") > -1:
+ data_ret = {'installStatus': 0,
+ 'error_message': "Specified path must be inside virtual host home!"}
+ json_data = json.dumps(data_ret)
+ return HttpResponse(json_data)
+
try:
website = ChildDomains.objects.get(domain=domainName)
externalApp = website.master.externalApp
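Review bot: The added `..` test does not stop argument injection on the `execPath` lines that follow it: `path` (built from `data['ftpDomain']` plus the user-supplied suffix) is spliced into a command string that is then passed through `shlex.split`, so a value containing whitespace or quotes can add or override arguments to the `sudo python ... ftpUtilities.py` call, which the substring check never sees. Build an argv list instead of a string, `args = ["sudo", "python", virtualHostUtilities.cyberPanel + "/plogical/ftpUtilities.py", "ftpFunctions", "--path", path, "--externalApp", externalApp]` and `output = subprocess.check_output(args)`, so the path is always exactly one argument regardless of its content. The substring test is also coarser than a containment check: comparing `os.path.normpath(path)` against the `/home/<domain>/public_html` prefix would reject `..` only where it actually escapes and keep a directory literally named `a..b` usable — this presumes `os` is importable in ftp/views.py, which the hunk does not show. submitFTPCreation starts and ends outside this hunk.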
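Review bot: The guard on `finalPath` is a substring test rather than a containment check, and the same seven lines are now copied into three views (this hunk, installJoomla and ftp/views.py), so any later tightening has to be repeated in three places. A small module-level helper that normalises the path and compares it against the vhost's `public_html` prefix would deduplicate the guard and reject only paths that actually leave the directory, while still allowing a directory named `a..b`; the call site becomes `if not _path_inside_home(finalPath, domainName):` followed by the existing error response. This assumes `os` is available in websiteFunctions/views.py, which the hunk does not show, and that a symlink inside public_html pointing elsewhere is handled by the privileged installer, since `normpath` does not follow links. installWordpress begins and ends outside this hunk.
```python
def _path_inside_home(path, domainName):
    """Return True when *path* stays under /home/<domainName>/public_html after normalisation."""
    home = "/home/" + domainName + "/public_html"
    clean = os.path.normpath(path)
    return clean == home or clean.startswith(home + "/")

# … unchanged: installWordpress up to the finalPath assignment …
            if not _path_inside_home(finalPath, domainName):
                # … unchanged: installStatus error response …
```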
@@ -1155,11 +1163,8 @@ def installWordpress(request):
db = Databases(website=website, dbName=dbName, dbUser=dbUser)
db.save()
-
- ## Installation
-
execPath = "sudo python " + virtualHostUtilities.cyberPanel + "/plogical/virtualHostUtilities.py"
execPath = execPath + " installWordPress --virtualHostName " + domainName + " --virtualHostUser " + externalApp + " --path " + finalPath + " --dbName " + dbName + " --dbUser " + dbUser + " --dbPassword " + dbPassword
@@ -1213,6 +1218,13 @@ def installJoomla(request):
else:
finalPath = "/home/" + domainName + "/public_html/"
+
+ if finalPath.find("..") > -1:
+ data_ret = {'installStatus': 0,
+ 'error_message': "Specified path must be inside virtual host home!"}
+ json_data = json.dumps(data_ret)
+ return HttpResponse(json_data)
+
try:
website = ChildDomains.objects.get(domain=domainName)
externalApp = website.master.externalApp
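Review bot: The guard on `finalPath` in installJoomla carries no comment at all, while the identical block in installWordpress is labelled `## Security Check`, and neither copy says why the test exists; a reader should not have to locate the other copy to understand the intent. Replace the bare condition with `# Reject '..' so the privileged installer can only write under this vhost's public_html` above `if ".." in finalPath:`, which also reads more naturally than `find("..") > -1`. That the installer writes under that directory is what the `finalPath` construction suggests, not something this hunk shows, so adjust the wording if the helper behaves differently. installJoomla starts and ends outside this hunk.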