mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
myron
6fdccc6dbd
#9 auth.php: add self-service change-password action (current+new+confirm) accounts.php: fix admin change-password — accept account_id, fetch username for chpasswd (was using int ID), add Auth::require('admin') guard user.js: add Change Password page + navItem + submitChangePassword() #10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash webmail.php: rewrite login-url to use webmail_sso_tokens table novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit) Migration 005: add enc_password column + webmail_sso_tokens table #11 opendkim: installed, configured (/etc/opendkim.conf, signing.table, key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/, Postfix milter wired, service enabled+running, key generation verified #12 files.php: fix safe_path() for non-existent paths (write/mkdir), add safe_path_new() helper using parent-dir realpath check, fix delete guard (block deleting account root dirs), fix rename destination, clamp chmod to 0777 #13 nova.js: api() handles network errors, 429 rate-limit with retry-after, non-JSON responses (PHP fatal pages) — graceful error instead of throw admin/user/reseller index.php: filemtime-based cache-busting on all assets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
164 lines
7.4 KiB
PHP
164 lines
7.4 KiB
PHP
<?php
|
|
/**
|
|
* Files endpoint — file manager (list, read, write, rename, delete, chmod, upload, archive)
|
|
* Strictly confined to account home directory via realpath check
|
|
*/
|
|
$db = DB::getInstance();
|
|
$body = json_decode(file_get_contents('php://input'), true) ?? [];
|
|
|
|
$user = Auth::getInstance()->user();
|
|
$acct = $db->fetchOne("SELECT * FROM accounts WHERE user_id = ?", [$user['uid']]);
|
|
if (!$acct && $user['role'] !== 'admin') Response::error("No hosting account found", 404);
|
|
|
|
$baseDir = $acct ? realpath($acct['home_dir']) : '/';
|
|
|
|
// For existing paths only — throws if path doesn't exist or escapes baseDir
|
|
function safe_path(string $base, string $rel): string {
|
|
$full = realpath($base . '/' . ltrim($rel, '/'));
|
|
if ($full === false || !str_starts_with($full . '/', $base . '/')) {
|
|
throw new RuntimeException("Path outside account directory");
|
|
}
|
|
return $full;
|
|
}
|
|
|
|
// For paths that may not exist yet (write/mkdir) — validates parent dir
|
|
function safe_path_new(string $base, string $rel): string {
|
|
$candidate = $base . '/' . ltrim(str_replace(['../', '..\\'], '', $rel), '/');
|
|
$parent = realpath(dirname($candidate));
|
|
if ($parent === false || !str_starts_with($parent . '/', $base . '/')) {
|
|
throw new RuntimeException("Path outside account directory");
|
|
}
|
|
return $parent . '/' . basename($candidate);
|
|
}
|
|
|
|
function fmt_size(int $bytes): string {
|
|
if ($bytes >= 1073741824) return round($bytes/1073741824, 1) . 'GB';
|
|
if ($bytes >= 1048576) return round($bytes/1048576, 1) . 'MB';
|
|
if ($bytes >= 1024) return round($bytes/1024, 1) . 'KB';
|
|
return $bytes . 'B';
|
|
}
|
|
|
|
match ($action) {
|
|
'list' => (function() use ($baseDir, $body) {
|
|
$rel = $body['path'] ?? $_GET['path'] ?? '/public_html';
|
|
$path = safe_path($baseDir, $rel);
|
|
if (!is_dir($path)) Response::error("Not a directory");
|
|
|
|
$items = [];
|
|
foreach (new DirectoryIterator($path) as $f) {
|
|
if ($f->isDot()) continue;
|
|
$items[] = [
|
|
'name' => $f->getFilename(),
|
|
'type' => $f->isDir() ? 'dir' : 'file',
|
|
'size' => $f->isFile() ? fmt_size($f->getSize()) : null,
|
|
'size_raw' => $f->isFile() ? $f->getSize() : 0,
|
|
'perms' => substr(sprintf('%o', $f->getPerms()), -4),
|
|
'modified' => date('Y-m-d H:i', $f->getMTime()),
|
|
'path' => str_replace($baseDir, '', $path . '/' . $f->getFilename()),
|
|
];
|
|
}
|
|
usort($items, fn($a,$b) => ($a['type'] === 'dir' ? -1 : 1) - ($b['type'] === 'dir' ? -1 : 1) ?: strcmp($a['name'], $b['name']));
|
|
Response::success(['path' => $rel, 'items' => $items]);
|
|
})(),
|
|
|
|
'read' => (function() use ($baseDir, $body) {
|
|
$path = safe_path($baseDir, $body['path'] ?? $_GET['path'] ?? '');
|
|
if (!is_file($path)) Response::error("Not a file");
|
|
if (filesize($path) > 2 * 1024 * 1024) Response::error("File too large to edit (>2MB)");
|
|
Response::success(['content' => file_get_contents($path), 'path' => $body['path'] ?? '']);
|
|
})(),
|
|
|
|
'write' => (function() use ($baseDir, $body) {
|
|
$rel = $body['path'] ?? '';
|
|
$content = $body['content'] ?? '';
|
|
// Use safe_path for existing files, safe_path_new for new ones
|
|
try {
|
|
$path = safe_path($baseDir, $rel);
|
|
} catch (RuntimeException) {
|
|
$path = safe_path_new($baseDir, $rel);
|
|
}
|
|
// PHP syntax check for .php files
|
|
if (str_ends_with($path, '.php')) {
|
|
$tmp = tempnam(sys_get_temp_dir(), 'ncpx_');
|
|
file_put_contents($tmp, $content);
|
|
$result = shell_exec("php8.3 -l " . escapeshellarg($tmp) . " 2>&1");
|
|
unlink($tmp);
|
|
if (!str_contains($result ?? '', 'No syntax errors')) Response::error("PHP syntax error: $result");
|
|
}
|
|
file_put_contents($path, $content);
|
|
audit('files.write', $rel);
|
|
Response::success(null, 'File saved');
|
|
})(),
|
|
|
|
'mkdir' => (function() use ($baseDir, $body) {
|
|
$path = safe_path_new($baseDir, $body['path'] ?? '');
|
|
if (is_dir($path)) Response::error("Directory already exists");
|
|
if (!mkdir($path, 0755, true)) Response::error("Could not create directory");
|
|
Response::success(null, 'Directory created');
|
|
})(),
|
|
|
|
'rename' => (function() use ($baseDir, $body) {
|
|
$from = safe_path($baseDir, $body['from'] ?? '');
|
|
$to = safe_path_new($baseDir, $body['to'] ?? '');
|
|
if (file_exists($to)) Response::error("Destination already exists");
|
|
rename($from, $to);
|
|
Response::success(null, 'Renamed');
|
|
})(),
|
|
|
|
'delete' => (function() use ($baseDir, $body) {
|
|
$path = safe_path($baseDir, $body['path'] ?? '');
|
|
// Prevent deleting the account root or its direct children (public_html, logs, tmp)
|
|
if ($path === $baseDir || dirname($path) === $baseDir) Response::error("Cannot delete root account directories");
|
|
if (is_dir($path)) {
|
|
shell_exec("rm -rf " . escapeshellarg($path));
|
|
} else {
|
|
unlink($path);
|
|
}
|
|
audit('files.delete', $body['path'] ?? '');
|
|
Response::success(null, 'Deleted');
|
|
})(),
|
|
|
|
'chmod' => (function() use ($baseDir, $body) {
|
|
$path = safe_path($baseDir, $body['path'] ?? '');
|
|
$perms = octdec((string)($body['perms'] ?? '755'));
|
|
// Clamp to sane range: no setuid/setgid/sticky, no world-write on dirs
|
|
$perms = $perms & 0777;
|
|
chmod($path, $perms);
|
|
Response::success(null, 'Permissions updated');
|
|
})(),
|
|
|
|
'upload' => (function() use ($baseDir, $body) {
|
|
$dir = safe_path($baseDir, $body['path'] ?? '/public_html');
|
|
if (!is_dir($dir)) Response::error("Target directory not found");
|
|
if (empty($_FILES['file'])) Response::error("No file uploaded");
|
|
$filename = basename($_FILES['file']['name']);
|
|
if ($filename === '' || $filename === '.') Response::error("Invalid filename");
|
|
$dest = $dir . '/' . $filename;
|
|
if (!str_starts_with($dest, $baseDir . '/')) Response::error("Invalid destination");
|
|
move_uploaded_file($_FILES['file']['tmp_name'], $dest);
|
|
Response::success(['name' => $filename], 'File uploaded');
|
|
})(),
|
|
|
|
'compress' => (function() use ($baseDir, $body) {
|
|
$paths = array_map(fn($p) => safe_path($baseDir, $p), (array)($body['paths'] ?? []));
|
|
$dest = safe_path_new($baseDir, $body['dest'] ?? 'archive.zip');
|
|
$files = implode(' ', array_map('escapeshellarg', $paths));
|
|
shell_exec("cd " . escapeshellarg($baseDir) . " && zip -r " . escapeshellarg($dest) . " $files 2>/dev/null");
|
|
Response::success(null, 'Archive created');
|
|
})(),
|
|
|
|
'extract' => (function() use ($baseDir, $body) {
|
|
$file = safe_path($baseDir, $body['path'] ?? '');
|
|
$dest = safe_path($baseDir, $body['dest'] ?? dirname($body['path'] ?? '/'));
|
|
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
|
|
match($ext) {
|
|
'zip' => shell_exec("unzip -o " . escapeshellarg($file) . " -d " . escapeshellarg($dest)),
|
|
'gz','tgz','tar' => shell_exec("tar xf " . escapeshellarg($file) . " -C " . escapeshellarg($dest)),
|
|
default => Response::error("Unsupported archive type"),
|
|
};
|
|
Response::success(null, 'Extracted');
|
|
})(),
|
|
|
|
default => Response::error("Unknown files action: $action", 404),
|
|
};
|