vesta/web/edit/user/index.php

<?php
error_reporting(NULL);
ob_start();
$TAB = 'USER';

// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");


// Check user argument
if (empty($_GET['user'])) {
    header("Location: /list/user/");
    exit;
}

// Edit as someone else?
if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
    $user=$_GET['user'];
    $v_username=$_GET['user'];
} else {
    $user=$_SESSION['user'];
    $v_username=$_SESSION['user'];
}

// List user
exec (VESTA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
check_return_code($return_var,$output);
$data = json_decode(implode('', $output), true);
unset($output);

// Parse user
$v_password = "";
$v_email = $data[$v_username]['CONTACT'];
$v_package = $data[$v_username]['PACKAGE'];
$v_language = $data[$v_username]['LANGUAGE'];
$v_fname = $data[$v_username]['FNAME'];
$v_lname = $data[$v_username]['LNAME'];
$v_shell = $data[$v_username]['SHELL'];
$v_ns = $data[$v_username]['NS'];
$nameservers = explode(",", $v_ns);
$v_ns1 = $nameservers[0];
$v_ns2 = $nameservers[1];
$v_ns3 = $nameservers[2];
$v_ns4 = $nameservers[3];
$v_ns5 = $nameservers[4];
$v_ns6 = $nameservers[5];
$v_ns7 = $nameservers[6];
$v_ns8 = $nameservers[7];

$v_suspended = $data[$v_username]['SUSPENDED'];
if ( $v_suspended == 'yes' ) {
    $v_status =  'suspended';
} else {
    $v_status =  'active';
}
$v_time = $data[$v_username]['TIME'];
$v_date = $data[$v_username]['DATE'];

// List packages
exec (VESTA_CMD."v-list-user-packages json", $output, $return_var);
$packages = json_decode(implode('', $output), true);
unset($output);

// List languages
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
$languages = json_decode(implode('', $output), true);
unset($output);

// List shells
exec (VESTA_CMD."v-list-sys-shells json", $output, $return_var);
$shells = json_decode(implode('', $output), true);
unset($output);

// Are you admin?

// Check POST request
if (!empty($_POST['save'])) {

    // Check token
    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
        header('location: /login/');
        exit();
    }

    // Change password
    if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
        $v_password = tempnam("/tmp","vst");
        $fp = fopen($v_password, "w");
        fwrite($fp, $_POST['v_password']."\n");
        fclose($fp);
        exec (VESTA_CMD."v-change-user-password ".escapeshellarg($v_username)." ".$v_password, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
        unlink($v_password);
        $v_password = escapeshellarg($_POST['v_password']);
    }

    // Change package (admin only)
    if (($v_package != $_POST['v_package']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
        $v_package = escapeshellarg($_POST['v_package']);
        exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".$v_package, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
    }

    // Change language
    if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) {
        $v_language = escapeshellarg($_POST['v_language']);
        exec (VESTA_CMD."v-change-user-language ".escapeshellarg($v_username)." ".$v_language, $output, $return_var);
        check_return_code($return_var,$output);
        if (empty($_SESSION['error_msg'])) {
             if ((empty($_GET['user'])) || ($_GET['user'] == $_SESSION['user'])) $_SESSION['language'] = $_POST['v_language'];
        }
        unset($output);
    }

    // Change shell (admin only)
    if (($v_shell != $_POST['v_shell']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
        $v_shell = escapeshellarg($_POST['v_shell']);
        exec (VESTA_CMD."v-change-user-shell ".escapeshellarg($v_username)." ".$v_shell, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
    }

    // Change contact email
    if (($v_email != $_POST['v_email']) && (empty($_SESSION['error_msg']))) {
        if (!filter_var($_POST['v_email'], FILTER_VALIDATE_EMAIL)) {
            $_SESSION['error_msg'] = __('Please enter valid email address.');
        } else {
            $v_email = escapeshellarg($_POST['v_email']);
            exec (VESTA_CMD."v-change-user-contact ".escapeshellarg($v_username)." ".$v_email, $output, $return_var);
            check_return_code($return_var,$output);
            unset($output);
        }
    }

    // Change full name
    if (($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg']))) {
        $v_fname = escapeshellarg($_POST['v_fname']);
        $v_lname = escapeshellarg($_POST['v_lname']);
        exec (VESTA_CMD."v-change-user-name ".escapeshellarg($v_username)." ".$v_fname." ".$v_lname, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
        $v_fname = $_POST['v_fname'];
        $v_lname = $_POST['v_lname'];
    }

    // Change NameServers
    if (($v_ns1 != $_POST['v_ns1']) || ($v_ns2 != $_POST['v_ns2']) || ($v_ns3 != $_POST['v_ns3']) || ($v_ns4 != $_POST['v_ns4']) || ($v_ns5 != $_POST['v_ns5'])
 || ($v_ns6 != $_POST['v_ns6']) || ($v_ns7 != $_POST['v_ns7']) || ($v_ns8 != $_POST['v_ns8']) && (empty($_SESSION['error_msg']))) {
        $v_ns1 = escapeshellarg($_POST['v_ns1']);
        $v_ns2 = escapeshellarg($_POST['v_ns2']);
        $v_ns3 = escapeshellarg($_POST['v_ns3']);
        $v_ns4 = escapeshellarg($_POST['v_ns4']);
        $v_ns5 = escapeshellarg($_POST['v_ns5']);
        $v_ns6 = escapeshellarg($_POST['v_ns6']);
        $v_ns7 = escapeshellarg($_POST['v_ns7']);
        $v_ns8 = escapeshellarg($_POST['v_ns8']);
        $ns_cmd = VESTA_CMD."v-change-user-ns ".escapeshellarg($v_username)." ".$v_ns1." ".$v_ns2;
        if (!empty($_POST['v_ns3'])) $ns_cmd = $ns_cmd." ".$v_ns3;
        if (!empty($_POST['v_ns4'])) $ns_cmd = $ns_cmd." ".$v_ns4;
        if (!empty($_POST['v_ns5'])) $ns_cmd = $ns_cmd." ".$v_ns5;
        if (!empty($_POST['v_ns6'])) $ns_cmd = $ns_cmd." ".$v_ns6;
        if (!empty($_POST['v_ns7'])) $ns_cmd = $ns_cmd." ".$v_ns7;
        if (!empty($_POST['v_ns8'])) $ns_cmd = $ns_cmd." ".$v_ns8;
        exec ($ns_cmd, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);

        $v_ns1 = str_replace("'","", $v_ns1);
        $v_ns2 = str_replace("'","", $v_ns2);
        $v_ns3 = str_replace("'","", $v_ns3);
        $v_ns4 = str_replace("'","", $v_ns4);
        $v_ns5 = str_replace("'","", $v_ns5);
        $v_ns6 = str_replace("'","", $v_ns6);
        $v_ns7 = str_replace("'","", $v_ns7);
        $v_ns8 = str_replace("'","", $v_ns8);
    }

    // Set success message
    if (empty($_SESSION['error_msg'])) {
        $_SESSION['ok_msg'] = __('Changes has been saved.');
    }
}

// Render page
render_page($user, $TAB, 'edit_user');

// Flush session messages
unset($_SESSION['error_msg']);
unset($_SESSION['ok_msg']);
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`<?php`
			`error_reporting(NULL);`
			`ob_start();`
			`$TAB = 'USER';`
Improved code formating 2014-07-30 15:34:34 +03:00
Separate scripts from html & New rendering function 2016-07-02 19:51:56 +09:00			`// Main include`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");`


Improved code formating 2014-07-30 15:34:34 +03:00			`// Check user argument`
			`if (empty($_GET['user'])) {`
			`header("Location: /list/user/");`
			`exit;`
			`}`

			`// Edit as someone else?`
			`if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$user=$_GET['user'];`
			`$v_username=$_GET['user'];`
Improved code formating 2014-07-30 15:34:34 +03:00			`} else {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$user=$_SESSION['user'];`
			`$v_username=$_SESSION['user'];`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`

			`// List user`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);`
			`check_return_code($return_var,$output);`
			`$data = json_decode(implode('', $output), true);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00
			`// Parse user`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_password = "";`
Improved code formating 2014-07-30 15:34:34 +03:00			`$v_email = $data[$v_username]['CONTACT'];`
			`$v_package = $data[$v_username]['PACKAGE'];`
			`$v_language = $data[$v_username]['LANGUAGE'];`
			`$v_fname = $data[$v_username]['FNAME'];`
			`$v_lname = $data[$v_username]['LNAME'];`
			`$v_shell = $data[$v_username]['SHELL'];`
			`$v_ns = $data[$v_username]['NS'];`
nameservers separated by comma 2016-06-24 17:40:50 +03:00			`$nameservers = explode(",", $v_ns);`
Improved code formating 2014-07-30 15:34:34 +03:00			`$v_ns1 = $nameservers[0];`
			`$v_ns2 = $nameservers[1];`
			`$v_ns3 = $nameservers[2];`
			`$v_ns4 = $nameservers[3];`
file manager stuff 2015-09-28 02:01:19 +03:00			`$v_ns5 = $nameservers[4];`
			`$v_ns6 = $nameservers[5];`
			`$v_ns7 = $nameservers[6];`
			`$v_ns8 = $nameservers[7];`

Improved code formating 2014-07-30 15:34:34 +03:00			`$v_suspended = $data[$v_username]['SUSPENDED'];`
			`if ( $v_suspended == 'yes' ) {`
			`$v_status = 'suspended';`
			`} else {`
			`$v_status = 'active';`
			`}`
			`$v_time = $data[$v_username]['TIME'];`
			`$v_date = $data[$v_username]['DATE'];`

			`// List packages`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-list-user-packages json", $output, $return_var);`
			`$packages = json_decode(implode('', $output), true);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00
Fix minor typo. 2015-11-23 19:55:16 +09:00			`// List languages`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);`
			`$languages = json_decode(implode('', $output), true);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00
			`// List shells`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-list-sys-shells json", $output, $return_var);`
			`$shells = json_decode(implode('', $output), true);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`// Are you admin?`

Improved code formating 2014-07-30 15:34:34 +03:00			`// Check POST request`
			`if (!empty($_POST['save'])) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00
UI update 2015-06-03 02:31:03 +03:00			`// Check token`
			`if ((!isset($_POST['token'])) \|\| ($_SESSION['token'] != $_POST['token'])) {`
			`header('location: /login/');`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exit();`
UI update 2015-06-03 02:31:03 +03:00			`}`

Improved code formating 2014-07-30 15:34:34 +03:00			`// Change password`
UI improvements 2015-05-29 19:51:24 +03:00			`if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {`
password transmission via tmp files 2015-03-31 00:01:44 +03:00			`$v_password = tempnam("/tmp","vst");`
			`$fp = fopen($v_password, "w");`
			`fwrite($fp, $_POST['v_password']."\n");`
			`fclose($fp);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-change-user-password ".escapeshellarg($v_username)." ".$v_password, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
password transmission via tmp files 2015-03-31 00:01:44 +03:00			`unlink($v_password);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_password = escapeshellarg($_POST['v_password']);`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Change package (admin only)`
			`if (($v_package != $_POST['v_package']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_package = escapeshellarg($_POST['v_package']);`
			`exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".$v_package, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
i18n backend support 2013-01-24 12:49:22 +02:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Change language`
			`if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_language = escapeshellarg($_POST['v_language']);`
			`exec (VESTA_CMD."v-change-user-language ".escapeshellarg($v_username)." ".$v_language, $output, $return_var);`
			`check_return_code($return_var,$output);`
Fix for language change 2014-10-20 13:08:48 +03:00			`if (empty($_SESSION['error_msg'])) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`if ((empty($_GET['user'])) \|\| ($_GET['user'] == $_SESSION['user'])) $_SESSION['language'] = $_POST['v_language'];`
Fix for language change 2014-10-20 13:08:48 +03:00			`}`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`unset($output);`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`

Improved code formating 2014-07-30 15:34:34 +03:00			`// Change shell (admin only)`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`if (($v_shell != $_POST['v_shell']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {`
			`$v_shell = escapeshellarg($_POST['v_shell']);`
			`exec (VESTA_CMD."v-change-user-shell ".escapeshellarg($v_username)." ".$v_shell, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
i18n backend support 2013-01-24 12:49:22 +02:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Change contact email`
			`if (($v_email != $_POST['v_email']) && (empty($_SESSION['error_msg']))) {`
			`if (!filter_var($_POST['v_email'], FILTER_VALIDATE_EMAIL)) {`
			`$_SESSION['error_msg'] = __('Please enter valid email address.');`
			`} else {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_email = escapeshellarg($_POST['v_email']);`
			`exec (VESTA_CMD."v-change-user-contact ".escapeshellarg($v_username)." ".$v_email, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
humanize_usage update 2015-09-07 16:45:18 +03:00			`// Change full name`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`if (($v_fname != $_POST['v_fname']) \|\| ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg']))) {`
			`$v_fname = escapeshellarg($_POST['v_fname']);`
			`$v_lname = escapeshellarg($_POST['v_lname']);`
			`exec (VESTA_CMD."v-change-user-name ".escapeshellarg($v_username)." ".$v_fname." ".$v_lname, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
humanize_usage update 2015-09-07 16:45:18 +03:00			`$v_fname = $_POST['v_fname'];`
			`$v_lname = $_POST['v_lname'];`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`
i18n + service manager + web updater 2013-01-29 00:18:09 +02:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Change NameServers`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`if (($v_ns1 != $_POST['v_ns1']) \|\| ($v_ns2 != $_POST['v_ns2']) \|\| ($v_ns3 != $_POST['v_ns3']) \|\| ($v_ns4 != $_POST['v_ns4']) \|\| ($v_ns5 != $_POST['v_ns5'])`
			`\|\| ($v_ns6 != $_POST['v_ns6']) \|\| ($v_ns7 != $_POST['v_ns7']) \|\| ($v_ns8 != $_POST['v_ns8']) && (empty($_SESSION['error_msg']))) {`
			`$v_ns1 = escapeshellarg($_POST['v_ns1']);`
			`$v_ns2 = escapeshellarg($_POST['v_ns2']);`
			`$v_ns3 = escapeshellarg($_POST['v_ns3']);`
			`$v_ns4 = escapeshellarg($_POST['v_ns4']);`
			`$v_ns5 = escapeshellarg($_POST['v_ns5']);`
			`$v_ns6 = escapeshellarg($_POST['v_ns6']);`
			`$v_ns7 = escapeshellarg($_POST['v_ns7']);`
			`$v_ns8 = escapeshellarg($_POST['v_ns8']);`
			`$ns_cmd = VESTA_CMD."v-change-user-ns ".escapeshellarg($v_username)." ".$v_ns1." ".$v_ns2;`
			`if (!empty($_POST['v_ns3'])) $ns_cmd = $ns_cmd." ".$v_ns3;`
			`if (!empty($_POST['v_ns4'])) $ns_cmd = $ns_cmd." ".$v_ns4;`
			`if (!empty($_POST['v_ns5'])) $ns_cmd = $ns_cmd." ".$v_ns5;`
			`if (!empty($_POST['v_ns6'])) $ns_cmd = $ns_cmd." ".$v_ns6;`
			`if (!empty($_POST['v_ns7'])) $ns_cmd = $ns_cmd." ".$v_ns7;`
			`if (!empty($_POST['v_ns8'])) $ns_cmd = $ns_cmd." ".$v_ns8;`
			`exec ($ns_cmd, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`

			`$v_ns1 = str_replace("'","", $v_ns1);`
			`$v_ns2 = str_replace("'","", $v_ns2);`
			`$v_ns3 = str_replace("'","", $v_ns3);`
			`$v_ns4 = str_replace("'","", $v_ns4);`
			`$v_ns5 = str_replace("'","", $v_ns5);`
			`$v_ns6 = str_replace("'","", $v_ns6);`
			`$v_ns7 = str_replace("'","", $v_ns7);`
			`$v_ns8 = str_replace("'","", $v_ns8);`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`

Improved code formating 2014-07-30 15:34:34 +03:00			`// Set success message`
check_return_code function 2013-10-29 00:34:26 +02:00			`if (empty($_SESSION['error_msg'])) {`
Improved code formating 2014-07-30 15:34:34 +03:00			`$_SESSION['ok_msg'] = __('Changes has been saved.');`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Separate scripts from html & New rendering function 2016-07-02 19:51:56 +09:00			`// Render page`
Challenging routing on render_page 2016-07-02 21:40:46 +09:00			`render_page($user, $TAB, 'edit_user');`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Flush session messages`
			`unset($_SESSION['error_msg']);`
			`unset($_SESSION['ok_msg']);`