bug fix: security

2025-11-07 13:56:01 +01:00 · 2022-01-26 12:49:07 +05:00
parent c40c452a7f
commit c10c3b7861
4 changed files with 34 additions and 16 deletions
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -595,19 +595,7 @@ class FileManager:
            finalData['uploadStatus'] = 1
            finalData['answer'] = 'File transfer completed.'

-            ### Check if upload path tmp dir is not available
-
-            UploadPath = '/usr/local/CyberCP/tmp/'
-
-            if not os.path.exists(UploadPath):
-                command = 'mkdir %s' % (UploadPath)
-                ProcessUtilities.executioner(command)
-
-            command = 'chown cyberpanel:cyberpanel %s' % (UploadPath)
-            ProcessUtilities.executioner(command)
-
-            command = 'chmod 711 %s' % (UploadPath)
-            ProcessUtilities.executioner(command)
+            ACLManager.CreateSecureDir()

            ## Random file name

--- a/loginSystem/views.py
+++ b/loginSystem/views.py
@@ -141,7 +141,6 @@ def verifyLogin(request):
            json_data = json.dumps(data)
            return HttpResponse(json_data)

-
@ensure_csrf_cookie
 def loadLoginPage(request):
    try:
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -1,5 +1,8 @@
 #!/usr/local/CyberCP/bin/python
 import os,sys
+
+from .processUtilities import ProcessUtilities
+
 sys.path.append('/usr/local/CyberCP')
 import django
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "CyberCP.settings")
@@ -831,5 +834,20 @@ class ACLManager:
            domainName = Websites.objects.get(domain=domain)
            return domainName.externalApp

+    @staticmethod
+    def CreateSecureDir():
+        ### Check if upload path tmp dir is not available
+
+        UploadPath = '/usr/local/CyberCP/tmp/'
+
+        if not os.path.exists(UploadPath):
+            command = 'mkdir %s' % (UploadPath)
+            ProcessUtilities.executioner(command)
+
+        command = 'chown cyberpanel:cyberpanel %s' % (UploadPath)
+        ProcessUtilities.executioner(command)
+
+        command = 'chmod 711 %s' % (UploadPath)
+        ProcessUtilities.executioner(command)


--- a/plogical/vhost.py
+++ b/plogical/vhost.py
@@ -852,14 +852,27 @@ class vhost:
    def finalizeDomainCreation(virtualHostUser, path):
        try:

+            ACLManager.CreateSecureDir()
+
+            RanddomFileName = str(randint(1000, 9999))
+
+            FullPath = '%s/%s' % ('/usr/local/CyberCP/tmp', RanddomFileName)
+
            FNULL = open(os.devnull, 'w')

-            shutil.copy("/usr/local/CyberCP/index.html", path + "/index.html")
+            #shutil.copy("/usr/local/CyberCP/index.html", path + "/index.html")

-            command = "chown " + virtualHostUser + ":" + virtualHostUser + " " + path + "/index.html"
+            shutil.copy("/usr/local/CyberCP/index.html", FullPath)
+
+            command = "chown " + virtualHostUser + ":" + virtualHostUser + " " + FullPath
            cmd = shlex.split(command)
            subprocess.call(cmd, stdout=FNULL, stderr=subprocess.STDOUT)

+            command = 'sudo -u %s cp %s %s/index.html' % (virtualHostUser, FullPath, path)
+            ProcessUtilities.normalExecutioner(command)
+
+            os.remove(FullPath)
+
            vhostPath = vhost.Server_root + "/conf/vhosts"
            command = "chown -R " + "lsadm" + ":" + "lsadm" + " " + vhostPath
            cmd = shlex.split(command)