From 0c5a36741ae3d3b3ec21da1f27c981808bf87cfc Mon Sep 17 00:00:00 2001 
From: Eric Schultz Date: Fri, 27 Jan 2017 10:23:44 -0600 Subject: [PATCH] webgui updates for 6.3.0-rc9 --- plugins/dynamix.apcupsd/UPSsettings.page | 10 +-- .../include/update.apcupsd.php | 12 +-- .../DockerContainers.page | 20 ++--- .../include/CreateDocker.php | 41 +++++----- .../include/DockerClient.php | 2 +- .../dynamix.docker.manager/include/Events.php | 4 +- .../dynamix.docker.manager/include/Exec.php | 4 +- .../include/PluginHelpers.php | 2 +- .../include/ShowChanges.php | 2 +- .../scripts/plugincheck | 7 +- plugins/dynamix.vm.manager/VMMachines.page | 9 ++- plugins/dynamix.vm.manager/VMSettings.page | 22 ++--- plugins/dynamix.vm.manager/VMTemplates.page | 6 +- plugins/dynamix.vm.manager/VMedit.php | 6 +- .../templates/Custom.form.php | 36 ++++----- .../templates/LibreELEC.form.php | 28 +++---- .../templates/OpenELEC.form.php | 28 +++---- .../templates/XML_Expert.form.php | 2 +- plugins/dynamix/ArrayOperation.page | 36 ++++----- plugins/dynamix/Browse.page | 16 ++-- plugins/dynamix/DashStats.page | 2 +- plugins/dynamix/DashboardApps.page | 2 +- plugins/dynamix/DateTime.page | 6 +- plugins/dynamix/DeviceAttributes.page | 2 +- plugins/dynamix/DeviceCapabilities.page | 2 +- plugins/dynamix/DeviceIdentify.page | 2 +- plugins/dynamix/DeviceInfo.page | 24 +++--- plugins/dynamix/Diagnostics.page | 4 +- plugins/dynamix/Eth0.page | 6 +- plugins/dynamix/EthX.page | 6 +- plugins/dynamix/FTP.page | 2 +- plugins/dynamix/Identification.page | 6 +- plugins/dynamix/LogButton.page | 2 +- plugins/dynamix/NotificationAgents.page | 10 +-- plugins/dynamix/NotificationsArchive.page | 2 +- plugins/dynamix/OpenDevices.page | 2 +- plugins/dynamix/Registration.page | 10 +-- plugins/dynamix/SMBActiveDirectory.page | 12 +-- plugins/dynamix/SMBExtras.page | 2 +- plugins/dynamix/SMBWorkGroup.page | 2 +- plugins/dynamix/SecurityAFP.page | 10 +-- plugins/dynamix/SecurityNFS.page | 14 ++-- plugins/dynamix/SecuritySMB.page | 12 +-- plugins/dynamix/Selftest.page | 64 +++++++-------- 
plugins/dynamix/ShareEdit.page | 22 ++--- plugins/dynamix/ShareList.page | 4 +- plugins/dynamix/SmtpSettings.page | 16 ++-- plugins/dynamix/Syslog.page | 6 +- plugins/dynamix/UserEdit.page | 14 ++-- plugins/dynamix/UserList.page | 2 +- plugins/dynamix/Vars.page | 2 +- plugins/dynamix/include/Boot.php | 70 +++++++++++++++- plugins/dynamix/include/CheckPort.php | 2 +- plugins/dynamix/include/DashUpdate.php | 10 +-- plugins/dynamix/include/DefaultPageLayout.php | 27 +++++-- plugins/dynamix/include/DeleteLogFile.php | 8 +- plugins/dynamix/include/DeviceList.php | 10 +-- plugins/dynamix/include/DiskList.php | 6 +- plugins/dynamix/include/Download.php | 11 ++- plugins/dynamix/include/FileTree.php | 10 +-- plugins/dynamix/include/FileUpload.php | 26 ++++-- plugins/dynamix/include/Helpers.php | 2 +- plugins/dynamix/include/InstallKey.php | 2 +- plugins/dynamix/include/Notify.php | 2 +- plugins/dynamix/include/PageBuilder.php | 2 +- plugins/dynamix/include/PortToggle.php | 4 +- plugins/dynamix/include/ProcessStatus.php | 4 +- plugins/dynamix/include/ShareList.php | 6 +- plugins/dynamix/include/SmartInfo.php | 32 ++++---- plugins/dynamix/include/SystemInformation.php | 4 +- plugins/dynamix/include/Wrappers.php | 2 +- plugins/dynamix/include/timezones.key | 1 + plugins/dynamix/include/update.file.php | 2 +- plugins/dynamix/include/update.rules.php | 4 +- plugins/dynamix/scripts/diagnostics | 80 +++++++++---------- plugins/dynamix/scripts/disk_log | 6 +- plugins/dynamix/scripts/monitor | 57 ++++++------- plugins/dynamix/scripts/netconfig | 8 +- plugins/dynamix/scripts/notify | 6 +- plugins/dynamix/scripts/pre | 21 ----- plugins/dynamix/scripts/spindowndelay | 41 ---------- plugins/dynamix/scripts/statuscheck | 7 +- plugins/dynamix/scripts/tail_log | 2 +- reboot.htm | 30 ------- shutdown.htm | 34 -------- 85 files changed, 543 insertions(+), 561 deletions(-) delete mode 100755 plugins/dynamix/scripts/pre delete mode 100755 plugins/dynamix/scripts/spindowndelay delete mode 
100644 reboot.htm delete mode 100644 shutdown.htm diff --git a/plugins/dynamix.apcupsd/UPSsettings.page b/plugins/dynamix.apcupsd/UPSsettings.page index 35603dc55..baaca849e 100644 --- a/plugins/dynamix.apcupsd/UPSsettings.page +++ b/plugins/dynamix.apcupsd/UPSsettings.page @@ -75,7 +75,7 @@ UPS cable: > + USB, Simple, Smart, Ether, or Custom to specify a special cable. Custom UPS cable: -: +: > Specify a special cable by model number, only applicable when *UPS cable* is set to Custom. > @@ -106,7 +106,7 @@ UPS type: > + **ModBus** - serial device for use with newest SmartUPS models supporting the MODBUS protocol Device: -: +: > Enter the *device* which correspondes to your situation, only applicable when *UPS type* is not set to USB. > @@ -118,17 +118,17 @@ Device: > + **modbus** - /dev/tty** Battery level to initiate shutdown (%): -: +: > If during a power failure, the remaining battery percentage (as reported by the UPS) is below or equal to *Battery level*, apcupsd will initiate a system shutdown. Runtime left to initiate shutdown (minutes): -: +: > If during a power failure, the remaining runtime in minutes (as calculated internally by the UPS) is below or equal to *minutes*, apcupsd, will initiate a system shutdown. Time on battery before shutdown (seconds): -: +: > If during a power failure, the UPS has run on batteries for *time-out* many seconds or longer; apcupsd will initiate a system shutdown. A value of zero disables this timer. > diff --git a/plugins/dynamix.apcupsd/include/update.apcupsd.php b/plugins/dynamix.apcupsd/include/update.apcupsd.php index 69123b28e..dd9fa4923 100644 --- a/plugins/dynamix.apcupsd/include/update.apcupsd.php +++ b/plugins/dynamix.apcupsd/include/update.apcupsd.php 
@@ -18,12 +18,12 @@ $cable = $new['UPSCABLE']=='custom' ? $new['CUSTOMUPSCABLE'] : $new['UPSCABLE'];
 exec("/etc/rc.d/rc.apcupsd stop");
 exec("sed -i -e '/^NISIP/c\\NISIP 0.0.0.0' $conf");
-exec("sed -i -e '/^UPSTYPE/c\\UPSTYPE '{$new['UPSTYPE']}'' $conf");
-exec("sed -i -e '/^DEVICE/c\\DEVICE '{$new['DEVICE']}'' $conf");
-exec("sed -i -e '/^BATTERYLEVEL/c\\BATTERYLEVEL '{$new['BATTERYLEVEL']}'' $conf");
-exec("sed -i -e '/^MINUTES/c\\MINUTES '{$new['MINUTES']}'' $conf");
-exec("sed -i -e '/^TIMEOUT/c\\TIMEOUT '{$new['TIMEOUT']}'' $conf");
-exec("sed -i -e '/^UPSCABLE/c\\UPSCABLE '{$cable}'' $conf");
+exec("sed -i -e '/^UPSTYPE/c\\UPSTYPE '".str_replace("'","\\'",$new['UPSTYPE'])."'' $conf");
+exec("sed -i -e '/^DEVICE/c\\DEVICE '".str_replace("'","\\'",$new['DEVICE'])."'' $conf");
+exec("sed -i -e '/^BATTERYLEVEL/c\\BATTERYLEVEL '".str_replace("'","\\'",$new['BATTERYLEVEL'])."'' $conf");
+exec("sed -i -e '/^MINUTES/c\\MINUTES '".str_replace("'","\\'",$new['MINUTES'])."'' $conf");
+exec("sed -i -e '/^TIMEOUT/c\\TIMEOUT '".str_replace("'","\\'",$new['TIMEOUT'])."'' $conf");
+exec("sed -i -e '/^UPSCABLE/c\\UPSCABLE '".str_replace("'","\\'",$cable)."'' $conf");
 if ($new['KILLUPS']=='yes' && $new['SERVICE']=='enable') exec("! grep -q apccontrol /etc/rc.d/rc.6 && sed -i -e 's:/sbin/poweroff:/etc/apcupsd/apccontrol killpower; /sbin/poweroff:' /etc/rc.d/rc.6");
diff --git a/plugins/dynamix.docker.manager/DockerContainers.page b/plugins/dynamix.docker.manager/DockerContainers.page
index f773647c1..95103004f 100644
--- a/plugins/dynamix.docker.manager/DockerContainers.page
+++ b/plugins/dynamix.docker.manager/DockerContainers.page
@@ -129,13 +129,13 @@ img.stopped{opacity:0.3;} - +
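Review bot: The `str_replace("'","\\'",…)` wrapping on the six added `sed` lines does not make the posted values safe for the shell. Each value is concatenated between a closing `'` and an empty `''`, so the shell parses it unquoted, and a backslash in front of an apostrophe leaves whitespace and every other shell metacharacter active. Pass the whole sed expression as one quoted argument instead, e.g. `exec("sed -i -e ".escapeshellarg("/^UPSTYPE/c\\UPSTYPE ".$new['UPSTYPE'])." ".escapeshellarg($conf));`, and do the same for DEVICE, BATTERYLEVEL, MINUTES, TIMEOUT and UPSCABLE. Since the value is also written into apcupsd's config, validate it before the call (integers for the three numeric fields, the known option values for type and cable) and reject line breaks.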
Container ID:
-
+
By: @@ -149,20 +149,20 @@ img.stopped{opacity:0.3;} update ready"; + echo " update ready"; } elseif ($updateStatus == "true") { echo " up-to-date"; - echo ""; + echo ""; } else { echo " not available"; - echo ""; + echo ""; } ?> ", $ports); ?> ", $paths); ?> > -
Created
+
Created
@@ -189,16 +189,16 @@ img.stopped{opacity:0.3;} (orphan image) -
Image ID:
+
Image ID:
-
", $image['Tags'])?>
+
", array_map('htmlspecialchars',$image['Tags']))?>
        -
Created
+
Created
@@ -258,7 +258,7 @@ $(function() { $('#docker_containers tr:even').addClass('odd'); context.init({ preventDoubleContext: false }); - + $('.docker_readmore').readmore({maxHeight:48, moreLink: '', lessLink: ''}); }); diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php index 30bd8860d..be2b51695 100644 --- a/plugins/dynamix.docker.manager/include/CreateDocker.php +++ b/plugins/dynamix.docker.manager/include/CreateDocker.php @@ -37,13 +37,13 @@ function stopContainer($name) { $waitID = mt_rand(); echo "

"; - echo "\n"; + echo "\n"; @flush(); $retval = $DockerClient->stopContainer($name); $out = ($retval === true) ? "Successfully stopped container '$name'" : "Error: ".$retval; - echo "\n"; + echo "\n"; @flush(); } @@ -52,13 +52,13 @@ function removeContainer($name) { $waitID = mt_rand(); echo "

"; - echo "\n"; + echo "\n"; @flush(); $retval = $DockerClient->removeContainer($name); $out = ($retval === true) ? "Successfully removed container '$name'" : "Error: ".$retval; - echo "\n"; + echo "\n"; @flush(); } @@ -67,13 +67,13 @@ function removeImage($image) { $waitID = mt_rand(); echo "

"; - echo "\n"; + echo "\n"; @flush(); $retval = $DockerClient->removeImage($image); $out = ($retval === true) ? "Successfully removed image '$image'" : "Error: ".$retval; - echo "\n"; + echo "\n"; @flush(); } @@ -83,7 +83,7 @@ function pullImage($name, $image) { if (!preg_match("/:[\w]*$/i", $image)) $image .= ":latest"; echo "

"; - echo "\n"; + echo "\n"; @flush(); $alltotals = []; @@ -123,7 +123,7 @@ function pullImage($name, $image) { case 'Downloading': if ($laststatus[$id] != $status) { - echo "\n"; + echo "\n"; } $total = $cnt['progressDetail']['total']; $current = $cnt['progressDetail']['current']; @@ -143,7 +143,7 @@ function pullImage($name, $image) { echo "\n"; } if ($laststatus[$id] != $status) { - echo "\n"; + echo "\n"; } break; } @@ -152,7 +152,7 @@ function pullImage($name, $image) { } else { if (strpos($status, 'Status: ') === 0) { - echo "\n"; + echo "\n"; } if (strpos($status, 'Digest: ') === 0) { $DockerUpdate->setUpdateStatus($image, substr($status, 8)); @@ -165,7 +165,7 @@ function pullImage($name, $image) { @flush(); if (!empty($strError)) { - echo "\n"; + echo "\n"; @flush(); return false; } @@ -244,7 +244,6 @@ function postToXML($post, $setOwnership = false) { } function xmlToVar($xml) { - global $var; $xml = (is_file($xml)) ? simplexml_load_file($xml) : simplexml_load_string($xml); $out = []; @@ -335,16 +334,16 @@ function xmlToVar($xml) { if (isset($xml->Environment->Variable)) { $varNum = 0; - foreach ($xml->Environment->Variable as $var) { - if (empty(xml_decode($var->Name))) continue; + foreach ($xml->Environment->Variable as $varitem) { + if (empty(xml_decode($varitem->Name))) continue; $varNum += 1; $out['Config'][] = [ 'Name' => "Key ${varNum}", - 'Target' => xml_decode($var->Name), - 'Default' => xml_decode($var->Value), - 'Value' => xml_decode($var->Value), + 'Target' => xml_decode($varitem->Name), + 'Default' => xml_decode($varitem->Value), + 'Value' => xml_decode($varitem->Value), 'Mode' => '', - 'Description' => 'Container Variable: '.xml_decode($var->Name), + 'Description' => 'Container Variable: '.xml_decode($varitem->Name), 'Type' => 'Variable', 'Display' => 'always', 'Required' => 'false', @@ -493,9 +492,9 @@ if (isset($_POST['contName'])) { // Run dry if ($dry_run) { echo "

XML

"; - echo "
".htmlentities($postXML)."
"; + echo "
".htmlspecialchars($postXML)."
"; echo "

COMMAND:

"; - echo "
".htmlentities($cmd)."
"; + echo "
".htmlspecialchars($cmd)."
"; echo "
"; echo "

"; goto END; @@ -1172,7 +1171,7 @@ $showAdditionalInfo = ''; ?> "; + echo ""; }?> diff --git a/plugins/dynamix.docker.manager/include/DockerClient.php b/plugins/dynamix.docker.manager/include/DockerClient.php index d6399aa60..92d92b7a7 100644 --- a/plugins/dynamix.docker.manager/include/DockerClient.php +++ b/plugins/dynamix.docker.manager/include/DockerClient.php @@ -941,7 +941,7 @@ class DockerClient { $c["ParentId"] = substr(str_replace('sha256:', '', $obj['ParentId']), 0, 12); $c["Size"] = $this->formatBytes($obj['Size']); $c["VirtualSize"] = $this->formatBytes($obj['VirtualSize']); - $c["Tags"] = isset($obj['RepoTags']) ? array_map("htmlentities", $obj['RepoTags']) : array(); + $c["Tags"] = isset($obj['RepoTags']) ? array_map("htmlspecialchars", $obj['RepoTags']) : array(); $c["Repository"] = vsprintf('%1$s/%2$s', preg_split("#[:\/]#", DockerUtil::ensureImageTag($obj['RepoTags'][0]))); $c["usedBy"] = $this->usedBy($c["Id"]); diff --git a/plugins/dynamix.docker.manager/include/Events.php b/plugins/dynamix.docker.manager/include/Events.php index a5e51f774..d7e1caa3f 100644 --- a/plugins/dynamix.docker.manager/include/Events.php +++ b/plugins/dynamix.docker.manager/include/Events.php @@ -86,11 +86,11 @@ switch ($action) { } } - echo ""; + echo ""; @flush(); }; $DockerClient->getContainerLog($container, $echo, $tail, $since); - echo ''; + echo ''; @flush(); exit; } diff --git a/plugins/dynamix.docker.manager/include/Exec.php b/plugins/dynamix.docker.manager/include/Exec.php index 24b22292d..06250294a 100644 --- a/plugins/dynamix.docker.manager/include/Exec.php +++ b/plugins/dynamix.docker.manager/include/Exec.php @@ -28,7 +28,7 @@ if ( isset( $_GET['cmd'] )) { $id = mt_rand(); echo "
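Review bot: `$c["Tags"]` is HTML-escaped here in the client, while the DockerContainers.page hunk of this same commit maps `htmlspecialchars` over `$image['Tags']` again, so a tag containing `&` would presumably be shown double-encoded if that page is fed from this array. Pick one layer: either keep the escaping here and drop the page-level call, or store the raw tags and escape only at output after checking every consumer of `Tags`. The context line below still reads `$obj['RepoTags'][0]` without the `isset` guard used on the changed line. The enclosing method starts and ends outside the hunk.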

"; echo ""; echo ""; @@ -37,7 +37,7 @@ if ( isset( $_GET['cmd'] )) { while ($out = fgets( $pipes[1] )) { $out = preg_replace("%[\t\n\x0B\f\r]+%", '', $out ); @flush(); - echo "\n"; + echo "\n"; @flush(); } $retval = proc_close($proc); diff --git a/plugins/dynamix.plugin.manager/include/PluginHelpers.php b/plugins/dynamix.plugin.manager/include/PluginHelpers.php index d10572136..21a3954c0 100644 --- a/plugins/dynamix.plugin.manager/include/PluginHelpers.php +++ b/plugins/dynamix.plugin.manager/include/PluginHelpers.php @@ -16,7 +16,7 @@ $docroot = $docroot ?: @$_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp'; // Invoke the plugin command with indicated method function plugin($method, $arg = '') { global $docroot; - exec("$docroot/plugins/dynamix.plugin.manager/scripts/plugin $method $arg", $output, $retval); + exec("$docroot/plugins/dynamix.plugin.manager/scripts/plugin ".escapeshellarg($method)." ".escapeshellarg($arg), $output, $retval); if ($retval != 0) return false; return implode("\n", $output); } diff --git a/plugins/dynamix.plugin.manager/include/ShowChanges.php b/plugins/dynamix.plugin.manager/include/ShowChanges.php index 94082dfb3..b05b50756 100644 --- a/plugins/dynamix.plugin.manager/include/ShowChanges.php +++ b/plugins/dynamix.plugin.manager/include/ShowChanges.php @@ -23,7 +23,7 @@ $docroot = $docroot ?: @$_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp'; require_once "$docroot/webGui/include/Markdown.php"; $file = $_GET['file']; -if (file_exists($file)) echo Markdown(file_get_contents($file)); else echo Markdown("*No release notes available!*"); +if (file_exists($file) && strpos(realpath($file), '/tmp/plugins/') === 0 && substr($file, -4) == '.txt') echo Markdown(file_get_contents($file)); else echo Markdown("*No release notes available!*"); ?>
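Review bot: With the default `$arg = ''`, `escapeshellarg($arg)` now hands the plugin script an explicit empty argument (`''`), where the old string passed none. Whether the script treats `plugin METHOD ''` like `plugin METHOD` cannot be seen from this hunk, so append the argument only when it is set: `escapeshellarg($method).($arg !== '' ? " ".escapeshellarg($arg) : "")`. `$docroot` is still interpolated unquoted and can fall back to `$_SERVER['DOCUMENT_ROOT']`, so quoting the script path as well costs nothing.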
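Review bot: The extension test runs on the raw `$_GET['file']` while the directory test runs on `realpath($file)`, so the two checks can describe different files when the path goes through a symlink or `..` segments. Resolve once and use the resolved path for both tests and for the read: `$real = realpath($file);` followed by `if ($real !== false && strpos($real, '/tmp/plugins/') === 0 && substr($real, -4) === '.txt') echo Markdown(file_get_contents($real));`. The file body goes straight into `Markdown()`, which presumably lets inline HTML through, so confirm that rendering downloaded release notes as trusted markup is intended.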
diff --git a/plugins/dynamix.plugin.manager/scripts/plugincheck b/plugins/dynamix.plugin.manager/scripts/plugincheck index ec55aafdd..71c7bf187 100755 --- a/plugins/dynamix.plugin.manager/scripts/plugincheck +++ b/plugins/dynamix.plugin.manager/scripts/plugincheck @@ -16,10 +16,11 @@ $docroot = $docroot ?: @$_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp'; require_once "$docroot/webGui/include/Wrappers.php"; require_once "$docroot/plugins/dynamix.plugin.manager/include/PluginHelpers.php"; -exec("wget -qO /dev/null 127.0.0.1:$(lsof -i -P -sTCP:LISTEN|grep -Pom1 '^emhttp.*:\K\d+')/update.htm?cmdStatus=apply"); +$var = parse_ini_file('/var/local/emhttp/var.ini'); +exec("wget -qO /dev/null 127.0.0.1:$(lsof -i -P -sTCP:LISTEN|grep -Pom1 '^emhttp.*:\K\d+')/update.htm?cmdStatus=apply\&csrf_token={$var['csrf_token']}"); +$var = parse_ini_file('/var/local/emhttp/var.ini'); $current = parse_ini_file('/etc/unraid-version'); -$var = parse_ini_file('/var/local/emhttp/var.ini'); $unraid = parse_plugin_cfg('dynamix', true); $notify = "$docroot/webGui/scripts/notify"; $server = strtoupper($var['NAME']); @@ -35,7 +36,7 @@ foreach (glob("/tmp/plugins/*.plg", GLOB_NOSORT) as $file) { $unRAID = plugin('unRAID', $file); if ($unRAID === false || version_compare($current['version'], $unRAID, '>=')) { $name = basename($file, '.plg'); - exec("$notify -e 'Plugin - $name [$new]' -s 'Notice [$server] - Version update $new' -d 'A new version of $name is available' -i 'normal $output' -x"); + exec("$notify -e ".escapeshellarg("Plugin - $name [$new]")." -s ".escapeshellarg("Notice [$server] - Version update $new")." -d ".escapeshellarg("A new version of $name is available")." -i ".escapeshellarg("normal $output")." -x"); } } } diff --git a/plugins/dynamix.vm.manager/VMMachines.page b/plugins/dynamix.vm.manager/VMMachines.page index 82ab16f07..24a8332bb 100644 --- a/plugins/dynamix.vm.manager/VMMachines.page +++ b/plugins/dynamix.vm.manager/VMMachines.page 
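Review bot: `{$var['csrf_token']}` is interpolated into the `wget` command line without URL-encoding or shell quoting, and `parse_ini_file` returns `false` when var.ini cannot be read, in which case the request is sent with an empty token. Check `$var !== false` before the `exec` and build the parameter as `csrf_token=".rawurlencode($var['csrf_token'])` inside a quoted URL. Passing the token as a process argument also makes it readable from the process list while wget runs; that is presumably acceptable on this appliance, but it deserves a comment. The second `parse_ini_file` call right after the `exec` looks like a deliberate re-read after the update, and a one-line comment saying so would keep it from being removed as a duplicate.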
@@ -43,7 +43,7 @@ if ($action) { $capacity = str_replace(["KB","MB","GB","TB","PB", " ", ","], ["K","M","G","T","P", "", ""], strtoupper($_POST['cap'])); $oldcap = str_replace(["KB","MB","GB","TB","PB", " ", ","], ["K","M","G","T","P", "", ""], strtoupper($_GET['oldcap'])); if (substr($oldcap,0,-1) < substr($capacity,0,-1)){ - shell_exec("qemu-img resize -q " . escapeshellarg($_GET['disk']) . " $capacity"); + shell_exec("qemu-img resize -q ".escapeshellarg($_GET['disk'])." ".escapeshellarg($capacity)); $msg = $domName." disk capacity has been changed to $capacity"; }else { $msg = "Error: disk capacity has to be greater than {$_GET['oldcap']}"; @@ -220,7 +220,8 @@ if ($action) { // Log file if (!empty($log)) { - echo ""; + echo ""; } else { echo ""; } @@ -594,7 +595,7 @@ function addVMContext(name, uuid, template, state, vncurl, log){ if (log !== "") { if (location.pathname.indexOf("/Dashboard") === 0) { - opts.push({text: "Logs", icon: "fa-navicon", action: function(e){ e.preventDefault(); openWindow('/webGui/scripts/tail_log&arg1=' + log + ')', 'Log for: ' + name, 600, 900); } }); + opts.push({text: "Logs", icon: "fa-navicon", action: function(e){ e.preventDefault(); openWindow('/webGui/scripts/tail_log&arg1=' + log, 'Log for: ' + name, 600, 900); } }); } } @@ -662,6 +663,6 @@ $(function() { context.init({ preventDoubleContext: false }); - + }); diff --git a/plugins/dynamix.vm.manager/VMSettings.page b/plugins/dynamix.vm.manager/VMSettings.page index c7b6fa3b8..43e5be94d 100644 --- a/plugins/dynamix.vm.manager/VMSettings.page +++ b/plugins/dynamix.vm.manager/VMSettings.page @@ -103,7 +103,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
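Review bot: `escapeshellarg($_GET['disk'])` prevents shell injection but still accepts any path, as well as a value beginning with `-` that `qemu-img` would read as an option. Before the call, check that the resolved path is one of the vdisks belonging to `$domName`, or at least that it lies under the VM storage location. `$capacity` is only upper-cased and unit-normalised, so a pattern test such as `preg_match('/^\d+(\.\d+)?[KMGTP]$/', $capacity)` ahead of the resize would reject anything that is not a size. The surrounding `if ($action)` block starts and ends outside the hunk.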
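Review bot: In the `@@ -594,7` hunk, `log` is appended to the `tail_log` URL as-is, so a log path containing `&`, `#` or spaces would be cut short or split into extra parameters. Encode it at the call site: `openWindow('/webGui/scripts/tail_log&arg1=' + encodeURIComponent(log), 'Log for: ' + name, 600, 900);`. `addVMContext` continues outside the hunk.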

You must reboot for changes to take effect

- +
Enable VMs:
@@ -132,7 +132,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
Libvirt storage location:
-
+

This is the libvirt volume.

@@ -140,7 +140,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
Libvirt vdisk size:
-
GB
+
GB

If the system needs to create a new libvirt image file, this is the default size to use specified in GB.

@@ -149,7 +149,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
Libvirt storage location:
-
Modify with caution: unable to validate path until Array is Started Path does not exist
+
Modify with caution: unable to validate path until Array is Started Path does not exist

You must specify an image file for Libvirt. The system will automatically create this file when the Libvirt service is first started.

@@ -158,7 +158,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
Default VM storage path:
-
Modify with caution: unable to validate path until Array is Started Path does not exist
+
Modify with caution: unable to validate path until Array is Started Path does not exist

Specify a user share that contains all your VM subdirectories with vdisks

@@ -166,7 +166,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
Default ISO storage path:
-
Modify with caution: unable to validate path until Array is Started Path does not exist
+
Modify with caution: unable to validate path until Array is Started Path does not exist

Specify a user share that contains all your installation media for operating systems

@@ -202,7 +202,7 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) { echo mk_option($strMatch, 'manual', 'Manual'); ?> - placeholder="Click to Select"> Download> + placeholder="Click to Select"> Download>
@@ -231,9 +231,9 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
VM shutdown time-out:
- + (int)$var['shutdownTimeout']):?> - exceeds Disk Shutdown s time-out (edit) + exceeds Disk Shutdown s time-out (edit)
@@ -257,14 +257,14 @@ foreach ($arrSyslinuxCfg as &$strSyslinuxCfg) {
-
 
+
 
-

View the log for libvirt: /var/log/libvirt/libvirtd.log

+

View the log for libvirt: /var/log/libvirt/libvirtd.log

diff --git a/plugins/dynamix.vm.manager/VMTemplates.page b/plugins/dynamix.vm.manager/VMTemplates.page index 9e008dd36..8416c4648 100644 --- a/plugins/dynamix.vm.manager/VMTemplates.page +++ b/plugins/dynamix.vm.manager/VMTemplates.page @@ -48,9 +48,9 @@ Cond="(pgrep('libvirtd')!==false)" } ?>
- - -

+
+ +

\ No newline at end of file diff --git a/plugins/dynamix.vm.manager/VMedit.php b/plugins/dynamix.vm.manager/VMedit.php index 827d9f41d..ed6873865 100644 --- a/plugins/dynamix.vm.manager/VMedit.php +++ b/plugins/dynamix.vm.manager/VMedit.php @@ -280,14 +280,14 @@ if (!empty($_GET['uuid'])) {
- + @@ -408,7 +408,7 @@ @@ -432,7 +432,7 @@ @@ -538,14 +538,14 @@ echo mk_option($default_option, 'manual', 'Manual'); ?> -
+
@@ -694,14 +694,14 @@
Icon: - - + +
- - - - - - + + + + + + - +
Name:
@@ -226,7 +226,7 @@ - +
Description:
@@ -365,7 +365,7 @@ ?> - +
OS Install ISO: - +
VirtIO Drivers ISO: - +
vDisk Size: - +
unRAID Share: - +
unRAID Mount tag: - +
@@ -888,7 +888,7 @@ Network MAC: - + @@ -956,7 +956,7 @@ if (!empty($arrValidUSBDevices)) { foreach($arrValidUSBDevices as $i => $arrDev) { ?> -
+
-
+
- - - - - + + + + + - - + +
- +
Name:
@@ -453,7 +453,7 @@ - +
Description:
@@ -516,8 +516,8 @@ Config Folder: - - + + @@ -779,7 +779,7 @@ Network MAC: - + @@ -847,7 +847,7 @@ if (!empty($arrValidUSBDevices)) { foreach($arrValidUSBDevices as $i => $arrDev) { ?> -
+
-
+
- - - - - + + + + + - - + +
- +
Name:
@@ -453,7 +453,7 @@ - +
Description:
@@ -516,8 +516,8 @@ Config Folder: - - + + @@ -779,7 +779,7 @@ Network MAC: - + @@ -847,7 +847,7 @@ if (!empty($arrValidUSBDevices)) { foreach($arrValidUSBDevices as $i => $arrDev) { ?> -
+
-
+
- + diff --git a/plugins/dynamix/ArrayOperation.page b/plugins/dynamix/ArrayOperation.page index ff1b24fde..573578909 100644 --- a/plugins/dynamix/ArrayOperation.page +++ b/plugins/dynamix/ArrayOperation.page @@ -89,13 +89,12 @@ function stop_parity(form,text) { form.submit(); } } -function system(cmd) { - var boot = '/webGui/include/Boot.php'; - var page = '/'+cmd+'.htm'; +function shut_down(form,cmd) { + $(form).append(''); if (ask2) { - swal({title:'Proceed?',text:'This will '+cmd+' the system',type:'warning',showCancelButton:true},function(){$.post(boot,{cmd:cmd},function(){location=page;});}); + swal({title:'Proceed?',text:'This will '+cmd+' the system',type:'warning',showCancelButton:true},function(p){if (p) form.submit(); else $('input[name="cmd"]').remove();}); } else { - $.post(boot,{cmd:cmd},function(){location=page;}); + form.submit(); } } parity_status(); @@ -142,7 +141,7 @@ $('div[id=title]:first').append(rbtn); toggle_diskio(true); - + 0 ? 'Disabled -- Parity operation is running' : ''; $mover = file_exists('/var/run/mover.pid') ? 'Disabled -- Mover is running' : ''; @@ -529,10 +528,10 @@ toggle_diskio(true);
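Review bot: On cancel in `shut_down`, `$('input[name="cmd"]').remove()` removes every input named `cmd` in the document, not only the one this function appended to `form`. Scope it to the form with `$(form).find('input[name="cmd"]').remove();`, or keep a reference to the appended element and remove that. A second click before the dialog is answered would append the field again, so clearing any existing one before the `append` is the safer order.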
+
- @@ -543,20 +542,9 @@ toggle_diskio(true); - - - - - - - - - - -
style="width:80px"> style="width:80px"> Clear Statistics will immediately clear all disk statistics.
Reboot will activate a clean system reset.
Power down will activate a clean power down.
- +
@@ -571,6 +559,16 @@ toggle_diskio(true);
+ +
+ + + + + + +
Reboot will activate a clean system reset.
Power down will activate a clean power down.
+
diff --git a/plugins/dynamix/Browse.page b/plugins/dynamix/Browse.page index 6822e492b..f34a4ae4f 100644 --- a/plugins/dynamix/Browse.page +++ b/plugins/dynamix/Browse.page @@ -67,7 +67,7 @@ function parent_link($text) { return $text; else { $parent = urlencode_path(dirname($dir)); - return "$text"; + return "".htmlspecialchars($text).""; } } @@ -87,13 +87,13 @@ $disk_order=($column=='disk'?$order:'A'); ?> - - - + + + - + - + @@ -113,14 +113,14 @@ $disk_order=($column=='disk'?$order:'A'); $dirs++; $warn = ""; ?> - + - + > diff --git a/plugins/dynamix/DashStats.page b/plugins/dynamix/DashStats.page index eae40fd41..17d8079b5 100644 --- a/plugins/dynamix/DashStats.page +++ b/plugins/dynamix/DashStats.page @@ -436,7 +436,7 @@ function update3() { function update15() { var tag = $('.smb').is(':visible') ? 'smb' : $('.afp').is(':visible') ? 'afp' : $('.nfs').is(':visible') ? 'nfs' : ''; - $.post('',{cmd:'shares',com:tag,names:''},function(data) { + $.post('',{cmd:'shares',com:tag,names:''},function(data) { if (data) $.each(data.split('#'),function(k,v) {$('#share'+(k+1)).html(v);}); setTimeout(update15,15000); }); diff --git a/plugins/dynamix/DashboardApps.page b/plugins/dynamix/DashboardApps.page index 8a7ce432e..a606f24ee 100644 --- a/plugins/dynamix/DashboardApps.page +++ b/plugins/dynamix/DashboardApps.page @@ -323,6 +323,6 @@ $(function() { }); context.init({ preventDoubleContext: false }); - + }); diff --git a/plugins/dynamix/DateTime.page b/plugins/dynamix/DateTime.page index 2e3724501..f56452447 100644 --- a/plugins/dynamix/DateTime.page +++ b/plugins/dynamix/DateTime.page 
@@ -40,17 +40,17 @@ Use NTP: > We **highly** recommend the use of a network time server, especially if you plan on using Active Directory. NTP server 1: -: +: > This is the primary NTP server to use. Enter a FQDN or an IP address. NTP server 2: -: +: > This is the alternate NTP server to use if NTP Server 1 is down. NTP server 3: -: +: > This is the alternate NTP Server to use if NTP Servers 1 and 2 are both down. diff --git a/plugins/dynamix/DeviceAttributes.page b/plugins/dynamix/DeviceAttributes.page index 7e53139f6..0483edf00 100644 --- a/plugins/dynamix/DeviceAttributes.page +++ b/plugins/dynamix/DeviceAttributes.page @@ -16,7 +16,7 @@ Cond="strpos($disks[$name]['status'],'_NP')===false" ?> diff --git a/plugins/dynamix/NotificationAgents.page b/plugins/dynamix/NotificationAgents.page index 944a6992a..8fb20c698 100644 --- a/plugins/dynamix/NotificationAgents.page +++ b/plugins/dynamix/NotificationAgents.page @@ -115,11 +115,11 @@ foreach ($xml->Agent as $agent) { echo ''; echo ''; $i = 1; - foreach ($agent->Variables->children() as $var) { - $vName = preg_replace('#\[([^\]]*)\]#', '<$1>', (string) $var); - $vDesc = ucfirst(strtolower(preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $var->attributes()->Desc))); - $vDefault = preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $var->attributes()->Default); - $vHelp = preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $var->attributes()->Help); + foreach ($agent->Variables->children() as $v) { + $vName = preg_replace('#\[([^\]]*)\]#', '<$1>', (string) $v); + $vDesc = ucfirst(strtolower(preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $v->attributes()->Desc))); + $vDefault = preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $v->attributes()->Default); + $vHelp = preg_replace('#\[([^\]]*)\]#', '<$1>', (String) $v->attributes()->Help); echo '
'.$vDesc.':
'; if (preg_match('/title|message/', ${vDesc})) { echo '"; + echo "

Share ".htmlspecialchars($name)." has been deleted.

"; return; } @@ -148,12 +148,12 @@ function prepareEdit(form) { function cloneShare() { var data = {}, copied = false; - data.shareAllocator = ''; - data.shareFloor = ''; - data.shareSplitLevel = ''; - data.shareInclude = ''; - data.shareExclude = ''; - data.shareUseCache = ''; + data.shareAllocator = ''; + data.shareFloor = ''; + data.shareSplitLevel = ''; + data.shareInclude = ''; + data.shareExclude = ''; + data.shareUseCache = ''; data.cmdEditShare = 'Apply'; $('select#s3 option').map(function() { if ($(this).prop('selected')==true) { @@ -205,10 +205,10 @@ function cloneShare() {
- + Share name: -: +: > The share name can be up to 40 characters, and is case-sensitive with these restrictions: > @@ -218,7 +218,7 @@ Share name: > We highly recommend to make your life easier and avoid special characters. Comments: -: +: > Anything you like, up to 256 characters. @@ -248,7 +248,7 @@ Allocation method: > Choose the disk that currently has the most free space. Minimum free space: -: +: > The *minimum free space* available to allow writing to any disk belonging to the share.
> diff --git a/plugins/dynamix/ShareList.page b/plugins/dynamix/ShareList.page index 4867ecc27..10ee404e0 100644 --- a/plugins/dynamix/ShareList.page +++ b/plugins/dynamix/ShareList.page @@ -17,7 +17,7 @@ Cond="$var['fsState']=="Started" && $var['shareUser']=='e'" )"> - + User name: -: +: Description: -: +: > Up to 64 characters. @@ -146,7 +146,7 @@ Delete - + Password: : diff --git a/plugins/dynamix/UserList.page b/plugins/dynamix/UserList.page index 79f0fb5f3..8593a8e41 100644 --- a/plugins/dynamix/UserList.page +++ b/plugins/dynamix/UserList.page @@ -19,7 +19,7 @@ if ($submenu) $path = './Users'; ?> -

+

diff --git a/plugins/dynamix/Vars.page b/plugins/dynamix/Vars.page index 692fdae03..17ad05cdb 100644 --- a/plugins/dynamix/Vars.page +++ b/plugins/dynamix/Vars.page @@ -31,6 +31,6 @@ $pages['Vars']['text'] = '...'; $text = '...'; ksort($site); ksort($GLOBALS); -echo ($display['resize'] ? "
"; echo ""; echo ""; - echo ""; + echo ""; echo ""; } } else { - echo ""; + echo ""; echo ""; echo ""; echo ""; diff --git a/plugins/dynamix/include/Download.php b/plugins/dynamix/include/Download.php index 969ceefd3..77a3dfe18 100644 --- a/plugins/dynamix/include/Download.php +++ b/plugins/dynamix/include/Download.php @@ -15,22 +15,25 @@ $docroot = $docroot ?: @$_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp'; $file = $_POST['file']; switch ($_POST['cmd']) { case 'save': + if (is_file("$docroot/$file") && strpos(realpath("$docroot/$file"), $docroot.'/') !== 0) exit; $source = $_POST['source']; if (pathinfo($source, PATHINFO_EXTENSION) == 'txt') { - exec("zip -qlj $docroot/$file $source"); + exec("zip -qlj ".escapeshellarg("$docroot/$file")." ".escapeshellarg($source)); } else { $tmp = "/var/tmp/".basename($source).".txt"; copy($source, $tmp); - exec("zip -qlj $docroot/$file $tmp"); + exec("zip -qlj ".escapeshellarg("$docroot/$file")." ".escapeshellarg($tmp)); @unlink($tmp); } echo "/$file"; break; case 'delete': - @unlink("$docroot/$file"); + if (strpos(realpath("$docroot/$file"), $docroot.'/') === 0) @unlink("$docroot/$file"); break; case 'diag': - exec("$docroot/webGui/scripts/diagnostics {$_POST['anonymize']} $docroot/$file"); + if (is_file("$docroot/$file") && strpos(realpath("$docroot/$file"), $docroot.'/') !== 0) exit; + $anon = empty($_POST['anonymize']) ? '' : escapeshellarg($_POST['anonymize']); + exec("$docroot/webGui/scripts/diagnostics $anon ".escapeshellarg("$docroot/$file")); echo "/$file"; break; } diff --git a/plugins/dynamix/include/FileTree.php b/plugins/dynamix/include/FileTree.php index 2f4e4307c..b5a35926a 100644 --- a/plugins/dynamix/include/FileTree.php +++ b/plugins/dynamix/include/FileTree.php @@ -45,7 +45,7 @@ echo "
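Review bot: In Download.php the containment check in the `save` and `diag` cases only runs when `"$docroot/$file"` already exists (`is_file(...) && ...`), so a `$file` naming a not-yet-existing target outside `$docroot` skips the check and is still handed to `zip` or the diagnostics script. Validate the parent directory instead, which also works for new files: `$dir = realpath(dirname("$docroot/$file")); if ($dir === false || strpos($dir.'/', $docroot.'/') !== 0) exit;`. `$_POST['source']` is now quoted for the shell but otherwise unrestricted, so any file readable by the web server can end up zipped inside the web root; limit it to the directories the GUI actually offers for download. In `delete`, the prefix test still permits unlinking any file under `$docroot`, including the webGui's own pages, so a narrower target directory is worth considering.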
    "; // Parent dirs if ($_POST['show_parent'] == "true" ) { - echo ""; + echo ""; } if( file_exists($postDir) ) { @@ -59,8 +59,8 @@ if( file_exists($postDir) ) { foreach( $files as $file ) { if( file_exists($postDir . $file) && $file != '.' && $file != '..' ) { if( is_dir($postDir . $file) ) { - $htmlRel = htmlentities($returnDir . $file, ENT_QUOTES); - $htmlName = htmlentities((strlen($file) > 33) ? substr($file,0,33).'...' : $file); + $htmlRel = htmlspecialchars($returnDir . $file, ENT_QUOTES); + $htmlName = htmlspecialchars((strlen($file) > 33) ? substr($file,0,33).'...' : $file); echo ""; } @@ -71,8 +71,8 @@ if( file_exists($postDir) ) { foreach( $files as $file ) { if( file_exists($postDir . $file) && $file != '.' && $file != '..' ) { if( !is_dir($postDir . $file) ) { - $htmlRel = htmlentities($returnDir . $file, ENT_QUOTES); - $htmlName = htmlentities($file); + $htmlRel = htmlspecialchars($returnDir . $file, ENT_QUOTES); + $htmlName = htmlspecialchars($file); $ext = strtolower(preg_replace('/^.*\./', '', $file)); foreach ($filters as $filter) { diff --git a/plugins/dynamix/include/FileUpload.php b/plugins/dynamix/include/FileUpload.php index 45e6f828d..73f342e80 100644 --- a/plugins/dynamix/include/FileUpload.php +++ b/plugins/dynamix/include/FileUpload.php 
@@ -3,21 +3,35 @@ $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'load'; $path = $_POST['path']; $file = rawurldecode($_POST['filename']); $temp = "/var/tmp"; +$safepaths = ['/boot/config/plugins/dynamix']; +$safeexts = ['.png']; switch ($cmd) { case 'load': if (isset($_POST['filedata'])) { - exec("rm -f $temp/*.png"); - $result = file_put_contents("$temp/$file", base64_decode(str_replace(['data:image/png;base64,',' '],['','+'],$_POST['filedata']))); + if (strpos(realpath("$temp/$file"), $temp) === 0) { + exec("rm -f $temp/*.png"); + $result = file_put_contents("$temp/$file", base64_decode(str_replace(['data:image/png;base64,',' '],['','+'],$_POST['filedata']))); + } } break; case 'save': - exec("mkdir -p $path"); - $result = @rename("$temp/$file", "$path/{$_POST['output']}"); + foreach ($safepaths as $safepath) { + if (strpos(realpath("$path/{$_POST['output']}"), $safepath) === 0 && in_array(substr(realpath("$path/{$_POST['output']}"), -4), $safeexts)) { + exec("mkdir -p ".escapeshellarg(realpath($path))); + $result = @rename("$temp/$file", "$path/{$_POST['output']}"); + break; + } + } break; case 'delete': - exec("rm -f $path/$file"); - $result = true; + foreach ($safepaths as $safepath) { + if (strpos(realpath("$path/$file"), $safepath) === 0 && in_array(substr(realpath("$path/$file"), -4), $safeexts)) { + exec("rm -f ".escapeshellarg(realpath("$path/$file"))); + $result = true; + break; + } + } break; } echo ($result ? 'OK 200' : 'Internal Error 500'); diff --git a/plugins/dynamix/include/Helpers.php b/plugins/dynamix/include/Helpers.php index 0e85a161d..c2e47b664 100644 --- a/plugins/dynamix/include/Helpers.php +++ b/plugins/dynamix/include/Helpers.php 
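Review bot: realpath() returns false for a path that does not exist, so the new guards reject targets that are about to be created: in `load`, `strpos(realpath("$temp/$file"), $temp) === 0` only passes when the temp file is already present, and in `save` both the check on `"$path/{$_POST['output']}"` and the `mkdir -p` on `realpath($path)` depend on paths that may not exist yet. The prefix tests also lack a trailing separator, so `/var/tmp` matches `/var/tmpX` and `/boot/config/plugins/dynamix` matches any sibling directory whose name merely starts with `dynamix`. Resolve the directory, append `basename()` of the name, and compare against `$safepath.'/'`, e.g. `$dst = realpath($path).'/'.basename($_POST['output']);`. The source side `"$temp/$file"` of the `rename()` in `save` is not confined to `$temp` at all, and `$result` stays undefined when no branch assigns it, so `$result = false;` belongs before the `switch`.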
@@ -171,7 +171,7 @@ function urlencode_path($path) { return str_replace("%2F", "/", urlencode($path)); } function pgrep($process_name) { - $pid = exec("pgrep $process_name", $output, $retval); + $pid = exec("pgrep ".escapeshellarg($process_name), $output, $retval); return $retval == 0 ? $pid : false; } function input_secure_users($sec) { diff --git a/plugins/dynamix/include/InstallKey.php b/plugins/dynamix/include/InstallKey.php index a49d6bd06..cd51a7854 100644 --- a/plugins/dynamix/include/InstallKey.php +++ b/plugins/dynamix/include/InstallKey.php @@ -21,7 +21,7 @@ $parsed_url = parse_url($_GET['url']); if (($parsed_url['host']=="keys.lime-technology.com")||($parsed_url['host']=="lime-technology.com")) { addLog("Downloading {$_GET['url']} ... "); $key_file = basename($_GET['url']); - exec("/usr/bin/wget -q -O /boot/config/$key_file {$_GET['url']}", $output, $return_var); + exec("/usr/bin/wget -q -O ".escapeshellarg("/boot/config/$key_file")." ".escapeshellarg($_GET['url']), $output, $return_var); if ($return_var === 0) { if ($var['mdState'] == "STARTED") addLog("
    Installing ... Please Stop array to complete key installation.
    "); diff --git a/plugins/dynamix/include/Notify.php b/plugins/dynamix/include/Notify.php index 9527bb958..8cdd3b310 100644 --- a/plugins/dynamix/include/Notify.php +++ b/plugins/dynamix/include/Notify.php @@ -47,7 +47,7 @@ case 'get': echo shell_exec("$notify get"); break; case 'archive': - shell_exec("$notify archive \"{$_POST['file']}\""); + shell_exec("$notify archive ".escapeshellarg($_POST['file'])); break; } ?> diff --git a/plugins/dynamix/include/PageBuilder.php b/plugins/dynamix/include/PageBuilder.php index 056062f69..4ec01d42d 100644 --- a/plugins/dynamix/include/PageBuilder.php +++ b/plugins/dynamix/include/PageBuilder.php @@ -70,7 +70,7 @@ function tab_title($text,$path,$png) { global $docroot; $file = "$path/icons/".($png ? $png : strtolower(str_replace(' ','',$text)).".png"); if (!file_exists("$docroot/$file")) $file = "webGui/icons/default.png"; - return "".my_disk($text); + return "".htmlspecialchars(my_disk($text)); } // hack to embed function output in a quoted string (e.g., in a page Title) diff --git a/plugins/dynamix/include/PortToggle.php b/plugins/dynamix/include/PortToggle.php index 3f8e36df4..ae08dce61 100644 --- a/plugins/dynamix/include/PortToggle.php +++ b/plugins/dynamix/include/PortToggle.php @@ -13,11 +13,11 @@ ' : ''; $wait = 5; while ($wait > 0) { - if (exec("ip link show $port|grep -om1 'UP>'")==$pass) break; + if (exec("ip link show ".escapeshellarg($port)."|grep -om1 'UP>'")==$pass) break; sleep(1); $wait--; } diff --git a/plugins/dynamix/include/ProcessStatus.php b/plugins/dynamix/include/ProcessStatus.php index c1d8d9c9a..fddc6c13b 100644 --- a/plugins/dynamix/include/ProcessStatus.php +++ b/plugins/dynamix/include/ProcessStatus.php 
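Review bot: The host allow-list in InstallKey.php is evaluated on `parse_url($_GET['url'])`, but the unparsed string is what `wget` fetches and what `basename()` turns into the destination file name, and nothing pins the scheme. Requiring `$parsed_url['scheme'] === 'https'` and deriving the name from `basename($parsed_url['path'])`, checked against the expected key-file name pattern, keeps query strings, `..` and dot-files out of `/boot/config`. The hunk begins and ends inside the enclosing `if`, so validation elsewhere in the file is not visible here.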
@@ -17,7 +17,7 @@ case 'crontab': $pid = file_exists("/boot/config/plugins/{$_POST['plugin']}/{$_POST['job']}.cron"); break; case 'preclear_disk': - $pid = exec("ps -o pid,command --ppid 1|awk -F/ '/$name .*{$_POST['device']}$/{print $1;exit}'"); + $pid = exec("ps -o pid,command --ppid 1|awk -F/ ".escapeshellarg("/$name .*{$_POST['device']}$/{print $1;exit}")); break; case is_numeric($name): $pid = exec("lsof -i:$name -Pn|awk '/\(LISTEN\)/{print $2;exit}'"); @@ -26,7 +26,7 @@ case 'pid': $pid = file_exists("/var/run/{$_POST['plugin']}.pid"); break; default: - $pid = exec("pidof -s -x '$name'"); + $pid = exec("pidof -s -x ".escapeshellarg($name)); break; } if (isset($_POST['update'])) {$span = ""; $_span = "";} diff --git a/plugins/dynamix/include/ShareList.php b/plugins/dynamix/include/ShareList.php index 0cdf9d8c0..f15fcd5e4 100644 --- a/plugins/dynamix/include/ShareList.php +++ b/plugins/dynamix/include/ShareList.php @@ -54,7 +54,7 @@ function shareInclude($name) { } // Compute all user shares -if ($compute=='yes') foreach ($shares as $name => $share) exec("webGui/scripts/share_size \"$name\" \"ssz1\""); +if ($compute=='yes') foreach ($shares as $name => $share) exec("webGui/scripts/share_size ".escapeshellarg($name)." ".escapeshellarg($ssz1)); // global shares include/exclude $myDisks = array_filter(array_diff(array_keys($disks), explode(',',$var['shareUserExclude'])), 'globalInclude'); @@ -102,11 +102,11 @@ foreach ($shares as $name => $share) { echo "
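Review bot: escapeshellarg() in the `preclear_disk` case protects the shell, but `$name` and `$_POST['device']` are still interpolated into the awk program text, where they are parsed as awk pattern and code rather than as data. Validate the value before the command is built, e.g. `if (!preg_match('/^[A-Za-z0-9]+$/', $_POST['device'])) break;` with a pattern suited to the device names this page sends, or hand it over with `awk -v` and match against the variable. The unchanged `crontab` and `pid` cases in these hunks build `file_exists()` paths from `$_POST['plugin']` and `$_POST['job']` without `basename()`, so the response can report on files outside the intended directories.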
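Review bot: In ShareList.php the second argument to share_size changed from the literal string `ssz1` to the variable `$ssz1`. Unless that variable is defined earlier in the file (not visible in this hunk), the script now receives an empty argument. If the literal was intended, keep it: `exec("webGui/scripts/share_size ".escapeshellarg($name)." ".escapeshellarg('ssz1'));`.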
"; echo ""; echo ""; - echo ""; + echo ""; echo ""; } } else { - echo ""; + echo ""; echo ""; echo ""; echo ""; diff --git a/plugins/dynamix/include/SmartInfo.php b/plugins/dynamix/include/SmartInfo.php index 3b902b2a5..7e2a1e1b9 100644 --- a/plugins/dynamix/include/SmartInfo.php +++ b/plugins/dynamix/include/SmartInfo.php @@ -61,7 +61,7 @@ case "attributes": $unraid = parse_plugin_cfg('dynamix',true); $max = $unraid['display']['max']; $hot = $unraid['display']['hot']; - exec("smartctl -A $type /dev/$port|awk 'NR>7'",$output); + exec("smartctl -A $type ".escapeshellarg("/dev/$port")."|awk 'NR>7'",$output); $empty = true; foreach ($output as $line) { if (!$line) continue; @@ -80,7 +80,7 @@ case "attributes": if ($empty) echo ""; break; case "capabilities": - exec("smartctl -c $type /dev/$port|awk 'NR>5'",$output); + exec("smartctl -c $type ".escapeshellarg("/dev/$port")."|awk 'NR>5'",$output); $row = ['','','']; $empty = true; foreach ($output as $line) { @@ -101,8 +101,8 @@ case "capabilities": case "identify": $passed = ['PASSED','OK']; $failed = ['FAILED','NOK']; - exec("smartctl -i $type /dev/$port|awk 'NR>4'",$output); - exec("smartctl -H $type /dev/$port|grep -Pom1 '^SMART.*: [A-Z]+'|sed 's:self-assessment test result::'",$output); + exec("smartctl -i $type ".escapeshellarg("/dev/$port")."|awk 'NR>4'",$output); + exec("smartctl -H $type ".escapeshellarg("/dev/$port")."|grep -Pom1 '^SMART.*: [A-Z]+'|sed 's:self-assessment test result::'",$output); $empty = true; foreach ($output as $line) { if (!strlen($line)) continue; 
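Review bot: `$type` is still placed unquoted in every smartctl command line of SmartInfo.php, in the `attributes`, `capabilities` and `identify` hunks here and in the later hunks of the file, so the escaping added for `/dev/$port` leaves the other half of the command unprotected if `$type` derives from request data; its assignment is outside these hunks. escapeshellarg() on `"/dev/$port"` also does not stop `$port` from containing `/` or `..`, so the argument need not name a device at all. Validating both once near the top of the file is simpler than escaping at each call, e.g. `if (!preg_match('/^[a-z0-9]+$/i', $port)) exit;` with a pattern suited to the device names in use, plus an allow-list for the `-d` values accepted in `$type`.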
@@ -116,34 +116,36 @@ case "identify":
 if ($empty) echo "";
 break;
 case "save":
- exec("smartctl -a $type /dev/$port >{$_SERVER['DOCUMENT_ROOT']}/{$_POST['file']}");
+ exec("smartctl -a $type ".escapeshellarg("/dev/$port")." >".escapeshellarg("{$_SERVER['DOCUMENT_ROOT']}/{$_POST['file']}"));
 break;
 case "delete":
- @unlink("/var/tmp/{$_POST['file']}");
+ if (strpos(realpath("/var/tmp/{$_POST['file']}"), "/var/tmp/") === 0) {
+ @unlink("/var/tmp/{$_POST['file']}");
+ }
 break;
 case "short":
 spindownDelay($port);
- exec("smartctl -t short $type /dev/$port");
+ exec("smartctl -t short $type ".escapeshellarg("/dev/$port"));
 break;
 case "long":
 spindownDelay($port);
- exec("smartctl -t long $type /dev/$port");
+ exec("smartctl -t long $type ".escapeshellarg("/dev/$port"));
 break;
 case "stop":
- exec("smartctl -X $type /dev/$port");
+ exec("smartctl -X $type ".escapeshellarg("/dev/$port"));
 break;
 case "update":
- if (!exec("hdparm -C /dev/$port|grep -Pom1 'active|unknown'")) {
+ if (!exec("hdparm -C ".escapeshellarg("/dev/$port")."|grep -Pom1 'active|unknown'")) {
 $cmd = $_POST['type']=='New' ? "cmd=/webGui/scripts/hd_parm&arg1=up&arg2=$name" : "cmdSpinup=$name";
- echo "Unavailable - disk must be spun up";
+ echo "Unavailable - disk must be spun up";
 break;
 }
- $progress = exec("smartctl -c $type /dev/$port|grep -Pom1 '\d+%'");
+ $progress = exec("smartctl -c $type ".escapeshellarg("/dev/$port")."|grep -Pom1 '\d+%'");
 if ($progress) {
 echo " self-test in progress, ".(100-substr($progress,0,-1))."% complete";
 break;
 }
- $result = trim(exec("smartctl -l selftest $type /dev/$port|grep -m1 '^# 1'|cut -c26-55"));
+ $result = trim(exec("smartctl -l selftest $type ".escapeshellarg("/dev/$port")."|grep -m1 '^# 1'|cut -c26-55"));
 if (!$result) {
 echo "No self-tests logged on this disk";
 break;
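Review bot: In the `save` case `$_POST['file']` is now shell-quoted but still not confined: the redirect target `{$_SERVER['DOCUMENT_ROOT']}/{$_POST['file']}` can contain `../`, whereas the `delete` case directly below received a realpath() containment check. Reduce the name to its last component before use, `$file = basename($_POST['file']);`, and redirect to `escapeshellarg("{$_SERVER['DOCUMENT_ROOT']}/$file")`. `save` writes under the document root while `delete` only accepts paths under `/var/tmp/`; whether the two are the same location through a link is not visible here and should be confirmed.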
@@ -159,10 +161,10 @@ case "update": echo "Errors occurred - Check SMART report"; break; case "selftest": - echo shell_exec("smartctl -l selftest $type /dev/$port|awk 'NR>5'"); + echo shell_exec("smartctl -l selftest $type ".escapeshellarg("/dev/$port")."|awk 'NR>5'"); break; case "errorlog": - echo shell_exec("smartctl -l error $type /dev/$port|awk 'NR>5'"); + echo shell_exec("smartctl -l error $type ".escapeshellarg("/dev/$port")."|awk 'NR>5'"); break; } ?> diff --git a/plugins/dynamix/include/SystemInformation.php b/plugins/dynamix/include/SystemInformation.php index ce3fe6c06..954f14d54 100644 --- a/plugins/dynamix/include/SystemInformation.php +++ b/plugins/dynamix/include/SystemInformation.php @@ -160,7 +160,7 @@ foreach ($sPorts as $port) { echo "$port: ".exec("grep -Pom1 '^Bonding Mode: \K.+' /proc/net/bonding/bond0").", mtu $mtu"; } else { unset($info); - exec("ethtool $port|grep -Po '^\s+(Speed|Duplex|Link\sdetected): \K[^U\\n]+'",$info); + exec("ethtool ".escapeshellarg($port)."|grep -Po '^\s+(Speed|Duplex|Link\sdetected): \K[^U\\n]+'",$info); echo (array_pop($info)=='yes' && $info[0]) ? "$port: ".str_replace(['M','G'],[' M',' G'],$info[0]).", ".strtolower($info[1])." duplex, mtu $mtu" : "$port: not connected"; } } @@ -178,7 +178,7 @@ foreach ($sPorts as $port) { diff --git a/plugins/dynamix/include/Wrappers.php b/plugins/dynamix/include/Wrappers.php index 980bc8380..b73db61c2 100644 --- a/plugins/dynamix/include/Wrappers.php +++ b/plugins/dynamix/include/Wrappers.php @@ -38,7 +38,7 @@ function agent_fullname($agent, $state) { function get_plugin_attr($attr, $file) { global $docroot; - exec("$docroot/plugins/dynamix.plugin.manager/scripts/plugin $attr $file", $result, $error); + exec("$docroot/plugins/dynamix.plugin.manager/scripts/plugin ".escapeshellarg($attr)." ".escapeshellarg($file), $result, $error); if ($error===0) return $result[0]; } 
diff --git a/plugins/dynamix/include/timezones.key b/plugins/dynamix/include/timezones.key index 3eec2a8a3..a68c34e42 100644 --- a/plugins/dynamix/include/timezones.key +++ b/plugins/dynamix/include/timezones.key @@ -54,6 +54,7 @@ Asia/Tehran|(UTC+03:30) Tehran Asia/Dubai|(UTC+04:00) Abu Dhabi, Muscat Asia/Baku|(UTC+04:00) Baku Indian/Mauritius|(UTC+04:00) Port Louis +Europe/Saratov|(UTC+04:00) Saratov Asia/Yerevan|(UTC+04:00) Yerevan Asia/Kabul|(UTC+04:30) Kabul Asia/Yekaterinburg|(UTC+05:00) Ekaterinburg diff --git a/plugins/dynamix/include/update.file.php b/plugins/dynamix/include/update.file.php index 256913854..810e31502 100644 --- a/plugins/dynamix/include/update.file.php +++ b/plugins/dynamix/include/update.file.php @@ -13,7 +13,7 @@ $mac) { if ($name[0]=='#') continue; - $row = exec("grep -n '$mac' $cfg|cut -d: -f1"); - if ($row) exec("sed -ri '{$row}s/(NAME=\")[^\"]+/\\1{$name}/' $cfg"); + $row = exec("grep -n '$mac' ".escapeshellarg($cfg)."|cut -d: -f1"); + if ($row) exec("sed -ri '{$row}s/(NAME=\")[^\"]+/\\1{$name}/' ".escapeshellarg($cfg)); } exec("touch /tmp/network-rules.tmp"); $save = false; diff --git a/plugins/dynamix/scripts/diagnostics b/plugins/dynamix/scripts/diagnostics index 5e74bf397..544b4a6ab 100755 --- a/plugins/dynamix/scripts/diagnostics +++ b/plugins/dynamix/scripts/diagnostics @@ -31,7 +31,7 @@ function anonymize($text,$select) { foreach ($rows as &$row) { if (!preg_match("/\b(disk|cache|parity|flash)\d*\b/", $row)) { $row = preg_replace("/^(\s*\[\S).*(\S\])( => Array)$/","$1..$2$3",$row); - $row = preg_replace("/^(\s*\[(name|nameOrig|comment|flashGUID|regGUID|regTo|readList|writeList)\] => \S).*(\S)$/","$1..$3",$row); + $row = preg_replace("/^(\s*\[(name|nameOrig|comment|flashGUID|regGUID|regTo|readList|writeList|csrf_token)\] => \S).*(\S)$/","$1..$3",$row); } } return implode("\n", $rows); 
@@ -63,7 +63,7 @@ if ($cli) { $date = "{$split[2]}-{$split[3]}"; } // create folder structure -exec("mkdir -p /$diag/system /$diag/config /$diag/logs /$diag/shares /$diag/smart /$diag/qemu"); +exec("mkdir -p ".escapeshellarg("/$diag/system")." ".escapeshellarg("/$diag/config")." ".escapeshellarg("/$diag/logs")." ".escapeshellarg("/$diag/shares")." ".escapeshellarg("/$diag/smart")." ".escapeshellarg("/$diag/qemu")); // make unRAID version reference $unraid = parse_ini_file('/etc/unraid-version'); file_put_contents("/$diag/unRAID-".$unraid['version'].".txt",$unraid['version']); 
@@ -74,41 +74,41 @@ foreach (glob("$get/*.ini") as $file) { if ($all || $ini != "users") file_put_contents("/$diag/system/vars.txt",preg_replace(["/\n/","/^Array/"],["\r\n",$ini],anonymize(print_r(parse_ini_file($file,true),true),1)),FILE_APPEND); } // individual commands execution (suppress errors) -exec("lsscsi -vgl 2>/dev/null|todos >/$diag/system/lsscsi.txt"); -exec("lspci -knn 2>/dev/null|todos >/$diag/system/lspci.txt"); -exec("free -mt 2>/dev/null|todos >/$diag/system/memory.txt"); -exec("ps -ef 2>/dev/null|todos >/$diag/system/ps.txt"); -exec("lsof -Pni 2>/dev/null|todos >/$diag/system/lsof.txt"); -exec("lsmod 2>/dev/null|todos >/$diag/system/lsmod.txt"); -exec("df -h 2>/dev/null|todos >/$diag/system/df.txt"); +exec("lsscsi -vgl 2>/dev/null|todos >".escapeshellarg("/$diag/system/lsscsi.txt")); +exec("lspci -knn 2>/dev/null|todos >".escapeshellarg("/$diag/system/lspci.txt")); +exec("free -mt 2>/dev/null|todos >".escapeshellarg("/$diag/system/memory.txt")); +exec("ps -ef 2>/dev/null|todos >".escapeshellarg("/$diag/system/ps.txt")); +exec("lsof -Pni 2>/dev/null|todos >".escapeshellarg("/$diag/system/lsof.txt")); +exec("lsmod 2>/dev/null|todos >".escapeshellarg("/$diag/system/lsmod.txt")); +exec("df -h 2>/dev/null|todos >".escapeshellarg("/$diag/system/df.txt")); exec("ifconfig -a -s 2>/dev/null|grep -Po '^(eth|bond)[0-9]+'", $ports); // create ethernet information information (suppress errors) foreach ($ports as $port) { - exec("ethtool $port 2>/dev/null|todos >>/$diag/system/ethtool.txt"); + exec("ethtool ".escapeshellarg($port)." 2>/dev/null|todos >>".escapeshellarg("/$diag/system/ethtool.txt")); file_put_contents("/$diag/system/ethtool.txt", "\r\n", FILE_APPEND); - exec("ethtool -i $port 2>/dev/null|todos >>/$diag/system/ethtool.txt"); + exec("ethtool -i ".escapeshellarg($port)." 
2>/dev/null|todos >>".escapeshellarg("/$diag/system/ethtool.txt")); file_put_contents("/$diag/system/ethtool.txt", "--------------------------------\r\n", FILE_APPEND); } -exec("ifconfig -a 2>/dev/null|todos >/$diag/system/ifconfig.txt"); +exec("ifconfig -a 2>/dev/null|todos >".escapeshellarg("/$diag/system/ifconfig.txt")); // create system information (suppress errors) -exec("find /sys/kernel/iommu_groups/ -type l 2>/dev/null|todos >/$diag/system/iommu_groups.txt"); -exec("todos /$diag/system/cmdline.txt"); +exec("find /sys/kernel/iommu_groups/ -type l 2>/dev/null|todos >".escapeshellarg("/$diag/system/iommu_groups.txt")); +exec("todos ".escapeshellarg("/$diag/system/cmdline.txt")); // create folder structure listing $dest = "/$diag/system/folders.txt"; foreach ($folders as $folder) { - if (is_dir($folder)) exec("echo -ne \"\r\n$folder\r\n\" >>$dest;ls -l $folder|todos >>$dest"); else exec("echo -ne \"\r\n$folder\r\nfolder does not exist\r\n\" >>$dest"); + if (is_dir($folder)) exec("echo -ne ".escapeshellarg("\r\n$folder\r\n")." >>".escapeshellarg($dest).";ls -l ".escapeshellarg($folder)."|todos >>".escapeshellarg("$dest")); else exec("echo -ne ".escapeshellarg("\r\n$folder\r\nfolder does not exist\r\n")." >>".escapeshellarg("$dest")); } // copy configuration files (suppress errors) -exec("cp /boot/config/*.{cfg,conf,dat} /boot/config/go /$diag/config 2>/dev/null"); +exec("cp /boot/config/*.{cfg,conf,dat} /boot/config/go ".escapeshellarg("/$diag/config")." 2>/dev/null"); // anonymize configuration files -if (!$all) exec("sed -ri 's/^((disk|flash)(Read|Write)List.*=\")[^\"]+/\\1.../' /$diag/config/*.cfg 2>/dev/null"); +if (!$all) exec("sed -ri 's/^((disk|flash)(Read|Write)List.*=\")[^\"]+/\\1.../' ".escapeshellarg("/$diag/config/*.cfg")." 
2>/dev/null"); // copy share information (anonymize if applicable) $files = glob("/boot/config/shares/*.cfg"); foreach ($files as $file) { $dest = anonymize("/$diag/shares/".basename($file),2); @copy($file, $dest); - if (!$all) exec("sed -ri 's/^(share(Comment|ReadList|WriteList)=\")[^\"]+/\\1.../' '$dest' 2>/dev/null"); + if (!$all) exec("sed -ri 's/^(share(Comment|ReadList|WriteList)=\")[^\"]+/\\1.../' ".escapeshellarg($dest)." 2>/dev/null"); } // create default user shares information $shares = file_exists("$get/shares.ini") ? parse_ini_file("$get/shares.ini", true) : []; 
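Review bot: Wrapping `/$diag/config/*.cfg` in escapeshellarg() quotes the `*`, so the shell no longer expands the glob and sed is handed one literal file name that does not exist. Because the command ends in `2>/dev/null` the failure is silent, and the disk/flash read and write lists stay un-anonymized in the diagnostics archive. Quote only the directory and leave the pattern outside the quotes: `".escapeshellarg("/$diag/config")."/*.cfg 2>/dev/null"`. The `cp` line above is unaffected because its globs sit on the unquoted source side.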
@@ -120,51 +120,51 @@ foreach ($shares as $share) { $max = 2*1024*1024; //=2MB foreach (glob("/var/log/syslog*") as $file) { $log = "/$diag/logs/".basename($file); - exec("todos <$file >$log.txt"); + exec("todos <".escapeshellarg($file)." >".escapeshellarg("$log.txt")); if (!$all) { unset($titles,$rows); - exec("grep -Po 'logger: moving \"\K[^\"]+' $log.txt 2>/dev/null|sort|uniq", $titles); - exec("sed -ri 's|\b\S+@\S+\.\S+\b|xxx@removed.com|;s|\b(username\|password)([=:])\S+\b|\\1\\2xxx|;s|(GUID: \S)\S+(\S) |\\1..\\2 |;s|(moving \"\S\|\"/mnt/user/\S).*(\S)\"|\\1..\\2\"|' $log.txt"); + exec("grep -Po 'logger: moving \"\K[^\"]+' ".escapeshellarg("$log.txt")." 2>/dev/null|sort|uniq", $titles); + exec("sed -ri 's|\b\S+@\S+\.\S+\b|xxx@removed.com|;s|\b(username\|password)([=:])\S+\b|\\1\\2xxx|;s|(GUID: \S)\S+(\S) |\\1..\\2 |;s|(moving \"\S\|\"/mnt/user/\S).*(\S)\"|\\1..\\2\"|' ".escapeshellarg("$log.txt")); foreach ($titles as $mover) { $title = "/{$mover[0]}..".substr($mover,-1)."/..."; - exec("sed -ri 's|(logger: [.>cr].*)[ /]$mover/.*$|\\1 file: $title|' $log.txt 2>/dev/null"); + exec("sed -ri 's|(logger: [.>cr].*)[ /]$mover/.*$|\\1 file: $title|' ".escapeshellarg("$log.txt")." 2>/dev/null"); } - exec("grep -n ' cache_dirs: -' $log.txt 2>/dev/null|cut -d: -f1", $rows); - for ($i = 0; $i < count($rows); $i += 2) for ($row = $rows[$i]+1; $row < $rows[$i+1]; $row++) exec("sed -ri '$row s|(cache_dirs: \S).*(\S)|\\1..\\2|' $log.txt 2>/dev/null"); + exec("grep -n ' cache_dirs: -' ".escapeshellarg("$log.txt")." 2>/dev/null|cut -d: -f1", $rows); + for ($i = 0; $i < count($rows); $i += 2) for ($row = $rows[$i]+1; $row < $rows[$i+1]; $row++) exec("sed -ri '$row s|(cache_dirs: \S).*(\S)|\\1..\\2|' ".escapeshellarg("$log.txt")." 
2>/dev/null"); } - if (basename($file)=='syslog' && filesize($file)>=$max) exec("tail -n 200 $log.txt >$log.last200.txt"); - exec("truncate -s '<$max' $log.txt"); + if (basename($file)=='syslog' && filesize($file)>=$max) exec("tail -n 200 ".escapeshellarg("$log.txt")." >".escapeshellarg("$log.last200.txt")); + exec("truncate -s '<$max' ".escapeshellarg("$log.txt")); } // copy docker information (if existing) $max = 1*1024*1024; //=1MB $docker = "/var/log/docker.log"; if (file_exists($docker)) { $log = "/$diag/logs/docker"; - exec("todos <$docker >$log.txt"); + exec("todos <$docker >".escapeshellarg("$log.txt")); if (filesize($docker)>=$max) { - exec("tail -n 200 $log.txt >$log.last200.txt"); - exec("truncate -s '<$max' $log.txt"); + exec("tail -n 200 ".escapeshellarg("$log.txt")." >".escapeshellarg("$log.last200.txt")); + exec("truncate -s '<$max' ".escapeshellarg("$log.txt")); } } // copy libvirt information (if existing) $libvirtd = "/var/log/libvirt/libvirtd.log"; if (file_exists($libvirtd)) { $log = "/$diag/logs/libvirt"; - exec("todos <$libvirtd >$log.txt"); + exec("todos <$libvirtd >".escapeshellarg("$log.txt")); if (filesize($libvirtd)>=$max) { - exec("tail -n 200 $log.txt >$log.last200.txt"); - exec("truncate -s '<$max' $log.txt"); + exec("tail -n 200 ".escapeshellarg("$log.txt")." >".escapeshellarg("$log.last200.txt")); + exec("truncate -s '<$max' ".escapeshellarg("$log.txt")); } } // copy VMs information (if existing) $qemu = glob("/var/log/libvirt/qemu/*.log*"); if ($qemu) { foreach ($qemu as $file) { - $log = "/$diag/qemu/".escapeshellarg(basename($file,'.log')); - exec("todos <".escapeshellarg($file)." >$log.txt"); + $log = "/$diag/qemu/".basename($file,'.log'); + exec("todos <".escapeshellarg($file)." >".escapeshellarg("$log.txt")); if (filesize($file)>=$max) { - exec("tail -n 200 $log.txt >$log.last200.txt"); - exec("truncate -s '<$max' $log.txt"); + exec("tail -n 200 ".escapeshellarg("$log.txt")." 
>".escapeshellarg("$log.last200.txt")); + exec("truncate -s '<$max' ".escapeshellarg("$log.txt")); } } } else @@ -194,14 +194,14 @@ foreach ($devices as $device) { break; } } - exec("smartctl -a $type /dev/$dev 2>/dev/null|todos >/$diag/smart/$name-$date.txt"); + exec("smartctl -a ".escapeshellarg($type)." ".escapeshellarg("/dev/$dev")." 2>/dev/null|todos >".escapeshellarg("/$diag/smart/$name-$date.txt")); } // create cache pool information if (is_dir('/mnt/cache') && $disks['cache']['fsType']=='btrfs') { - exec("/sbin/btrfs filesystem show /mnt/cache 2>/dev/null|todos >/$diag/system/btrfs-show.txt"); - exec("/sbin/btrfs filesystem df /mnt/cache 2>/dev/null|todos >/$diag/system/btrfs-df.txt"); + exec("/sbin/btrfs filesystem show /mnt/cache 2>/dev/null|todos >".escapeshellarg("/$diag/system/btrfs-show.txt")); + exec("/sbin/btrfs filesystem df /mnt/cache 2>/dev/null|todos >".escapeshellarg("/$diag/system/btrfs-df.txt")); } // create resulting zip file and remove temp folder -exec("zip -qmr $zip /$diag"); +exec("zip -qmr ".escapeshellarg($zip)." ".escapeshellarg("/$diag")); if ($cli) echo "done.\nZIP file '$zip' created.\n"; ?> diff --git a/plugins/dynamix/scripts/disk_log b/plugins/dynamix/scripts/disk_log index d675f3974..9501ff861 100755 --- a/plugins/dynamix/scripts/disk_log +++ b/plugins/dynamix/scripts/disk_log @@ -17,15 +17,15 @@ echo "
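Review bot: `$mover` and `$title` are taken from names read back out of the syslog, and in the `foreach ($titles as $mover)` loop they are still interpolated into the single-quoted sed script. A name containing `'`, `|` or a regex metacharacter alters the script or ends the quoting, so escaping only the file-name argument does not close this path. Doing the substitution in PHP avoids the shell entirely, for example reading the file and applying `preg_replace` with `preg_quote($mover, '|')`. The `$row` values in the `cache_dirs` loop are line numbers from `grep -n`; casting them with `(int)` makes that explicit.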
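Review bot: `escapeshellarg($type)` in the smartctl call turns the whole value into a single argument. If `$type` holds an option plus its value (smartctl's `-d TYPE` form), smartctl receives one word instead of two, and if it is empty smartctl receives an empty positional argument; either way the SMART report for that device may be missing from the archive. The same construction appears in `check_smart` in scripts/monitor, while include/SmartInfo.php leaves `$type` unquoted. The assignment of `$type` is outside this hunk; if it has that form, split it first and quote the parts: `implode(' ', array_map('escapeshellarg', preg_split('/\s+/', trim($type), -1, PREG_SPLIT_NO_EMPTY)))`.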

Error".htmlentities($line)."\n"; + echo "<$span>".htmlspecialchars($line)."\n"; } ?> \ No newline at end of file diff --git a/plugins/dynamix/scripts/monitor b/plugins/dynamix/scripts/monitor index c708c4a98..ff8b74a7d 100755 --- a/plugins/dynamix/scripts/monitor +++ b/plugins/dynamix/scripts/monitor @@ -12,10 +12,11 @@ */ ?> $last) { - exec("$notify -e \"unRAID $text temperature\" -s \"".ucfirst($warn)." [$server] - $text ".($warn=='alert'?'overheated (':'is hot (').my_temp($temp).")\" -d \"$info\" -i \"$warn\""); + exec("$notify -e ".escapeshellarg("unRAID $text temperature")." -s ".escapeshellarg(ucfirst($warn)." [$server] - $text ".($warn=='alert'?'overheated (':'is hot (').my_temp($temp).")")." -d ".escapeshellarg("$info")." -i \"$warn\""); $saved[$item][$name] = $max>0 && $temp<=$max ? $max : $temp; } } else { if ($last) { - exec("$notify -e \"unRAID $text message\" -s \"Notice [$server] - $text returned to normal temperature\" -d \"$info\""); + exec("$notify -e ".escapeshellarg("unRAID $text message")." -s ".escapeshellarg("Notice [$server] - $text returned to normal temperature")." -d ".escapeshellarg("$info")); unset($saved[$item][$name]); } } @@ -126,7 +127,7 @@ function check_smart($name,$port,$text,$info) { } } $file = "/var/local/emhttp/smart/$name"; - exec("awk 'NR>7{print $1,$2,$4,$6,$9,$10}' $file 2>/dev/null", $codes); + exec("awk 'NR>7{print $1,$2,$4,$6,$9,$10}' ".escapeshellarg($file)." 2>/dev/null", $codes); $item = 'smart'; foreach ($codes as $code) { if (!$code) continue; 
@@ -141,13 +142,13 @@ function check_smart($name,$port,$text,$info) { $last = isset($saved[$item][$attr]) ? $saved[$item][$attr]*$level : 0; if ($raw>0 || $fail) { if ($raw>$last) { - exec("$notify -e \"unRAID $text SMART health [$id]\" -s \"Warning [$server] - $word is $raw\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $text SMART health [$id]")." -s ".escapeshellarg("Warning [$server] - $word is $raw")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$attr] = $raw; unset($saved[$item][$ack]); } } else { if ($last>0) { - exec("$notify -e \"unRAID $text SMART message [$id]\" -s \"Notice [$server] - $word returned to normal value\" -d \"$info\""); + exec("$notify -e ".escapeshellarg("unRAID $text SMART message [$id]")." -s ".escapeshellarg("Notice [$server] - $word returned to normal value")." -d ".escapeshellarg("$info")); unset($saved[$item][$attr]); unset($saved[$item][$ack]); } @@ -158,13 +159,13 @@ function check_smart($name,$port,$text,$info) { $last = isset($saved[$item][$attr]) ? $saved[$item][$attr] : 255; if (($thres>0 && $value<=$thres*$level) || $fail) { if ($value*($value>$thres?$level:1)<$last) { - exec("$notify -e \"unRAID $text SMART health [$id]\" -s \"Warning [$server] - $word is $value\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $text SMART health [$id]")." -s ".escapeshellarg("Warning [$server] - $word is $value")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$attr] = $value; unset($saved[$item][$ack]); } } else { if ($last<255) { - exec("$notify -e \"unRAID $text SMART message [$id]\" -s \"Notice [$server] - $word returned to normal value\" -d \"$info\""); + exec("$notify -e ".escapeshellarg("unRAID $text SMART message [$id]")." -s ".escapeshellarg("Notice [$server] - $word returned to normal value")." -d ".escapeshellarg("$info")); unset($saved[$item][$attr]); unset($saved[$item][$ack]); } 
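Review bot: Each notification in `check_smart`, and likewise in the other hunks of scripts/monitor, rebuilds the same `$notify -e … -s … -d … -i …` string by hand, and the `-i` value is the one argument left in raw double quotes (`-i \"warning\"` here, `-i \"$warn\"` and `-i \"$level\"` in other hunks). A small helper would keep the quoting in one place: `function send_notify($e,$s,$d,$i='') { global $notify; exec("$notify -e ".escapeshellarg($e)." -s ".escapeshellarg($s)." -d ".escapeshellarg($d).($i ? " -i ".escapeshellarg($i) : "")); }`. `escapeshellarg("$info")` can also be written as `escapeshellarg($info)`. The body of `check_smart` starts and ends outside this hunk.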
@@ -173,7 +174,7 @@ function check_smart($name,$port,$text,$info) { } } $file .= '.ssa'; - if (!file_exists($file) || (time()-filemtime($file)>=$var['poll_attributes'])) exec("smartctl -n standby -H $type /dev/$port|grep -Pom1 '^SMART.*: \K[A-Z]+'|tr -d '\n' > $file"); + if (!file_exists($file) || (time()-filemtime($file)>=$var['poll_attributes'])) exec("smartctl -n standby -H ".escapeshellarg($type)." ".escapeshellarg("/dev/$port")."|grep -Pom1 '^SMART.*: \K[A-Z]+'|tr -d '\n' > ".escapeshellarg($file)); } function check_usage($name,$used,$text,$info) { global $notify,$disks,$saved,$unraid,$server; @@ -186,12 +187,12 @@ function check_usage($name,$used,$text,$info) { $last = isset($saved[$item][$name]) ? $saved[$item][$name] : 0; if ($warn) { if ($used>$last) { - exec("$notify -e \"unRAID $text disk utilization\" -s \"".ucfirst($warn)." [$server] - $text is ".($warn=='alert'?'low on space':'high on usage')." (${used}%)\" -d \"$info\" -i \"$warn\""); + exec("$notify -e ".escapeshellarg("unRAID $text disk utilization")." -s ".escapeshellarg(ucfirst($warn)." [$server] - $text is ".($warn=='alert'?'low on space':'high on usage')." (${used}%)")." -d ".escapeshellarg("$info")." -i \"$warn\""); $saved[$item][$name] = $critical>0 && $used<=$critical ? $critical : $used; } } else { if ($last) { - exec("$notify -e \"unRAID $text message\" -s \"Notice [$server] - $text returned to normal utilization level\" -d \"$info\""); + exec("$notify -e ".escapeshellarg("unRAID $text message")." -s ".escapeshellarg("Notice [$server] - $text returned to normal utilization level")." -d ".escapeshellarg("$info")); unset($saved[$item][$name]); } } 
@@ -217,20 +218,20 @@ foreach ($disks as $disk) { case 'red': if ($warn!=$last) { $status = strtolower(str_replace(['NP_','_'],['',' '],$disk['status'])); - exec("$notify -e \"unRAID $text error\" -s \"Alert [$server] - $text in error state ($status)\" -d \"$info\" -i \"alert\""); + exec("$notify -e ".escapeshellarg("unRAID $text error")." -s ".escapeshellarg("Alert [$server] - $text in error state ($status)")." -d ".escapeshellarg("$info")." -i \"alert\""); $saved[$item][$name] = $warn; } break; case 'yellow': if ($warn!=$last) { $status = $name=='parity' ? "parity-sync in progress" : "drive not ready, content being reconstructed"; - exec("$notify -e \"unRAID $text error\" -s \"Warning [$server] - $text, $status\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $text error")." -s ".escapeshellarg("Warning [$server] - $text, $status")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$name] = $warn; } break; default: if ($last) { - exec("$notify -e \"unRAID $text message\" -s \"Notice [$server] - $text returned to normal operation\" -d \"$info\""); + exec("$notify -e ".escapeshellarg("unRAID $text message")." -s ".escapeshellarg("Notice [$server] - $text returned to normal operation")." -d ".escapeshellarg("$info")); unset($saved[$item][$name]); } break;} 
@@ -242,14 +243,14 @@ foreach ($disks as $disk) { $attr = 'missing'; if (exec("/sbin/btrfs filesystem show {$disk['uuid']} 2>/dev/null|grep -c 'missing'")>0) { if (empty($saved[$item][$attr])) { - exec("$notify -e \"unRAID $text message\" -s \"Warning [$server] - Cache pool BTRFS missing device(s)\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $text message")." -s ".escapeshellarg("Warning [$server] - Cache pool BTRFS missing device(s)")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$attr] = 1; } } elseif (isset($saved[$item][$attr])) unset($saved[$item][$attr]); $attr = 'profile'; if (exec("/sbin/btrfs filesystem df /mnt/cache 2>/dev/null|grep -c '^Data'")>1) { if (empty($saved[$item][$attr])) { - exec("$notify -e \"unRAID $text message\" -s \"Warning [$server] - Cache pool BTRFS too many profiles\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $text message")." -s ".escapeshellarg("Warning [$server] - Cache pool BTRFS too many profiles")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$attr] = 1; } } elseif (isset($saved[$item][$attr])) unset($saved[$item][$attr]); @@ -261,8 +262,8 @@ foreach ($devs as $dev) { $name = $dev['device']; if (empty($name)) continue; $smart = "/var/local/emhttp/smart/$name"; - if (!file_exists($smart) || (time()-filemtime($smart)>=$var['poll_attributes'])) exec("smartctl -n standby -A /dev/$name > $smart"); - $temp = exec("awk '\$1==190||\$1==194{print \$10;exit}' $smart"); + if (!file_exists($smart) || (time()-filemtime($smart)>=$var['poll_attributes'])) exec("smartctl -n standby -A ".escapeshellarg("/dev/$name")." > ".escapeshellarg($smart)); + $temp = exec("awk '\$1==190||\$1==194{print \$10;exit}' ".escapeshellarg($smart)); $text = "device $name"; $info = !empty($dev['id']) ? "{$dev['id']} ($name)": "No device identification ($name)"; // process disk temperature notifications 
@@ -280,12 +281,12 @@ $info = "Array has $warn disk".($warn==1 ? "" : "s")." with read errors"; if ($warn>0) { if ($warn<>$last) { $message = implode('\n', $errors); - exec("$notify -e \"unRAID array errors\" -s \"Warning [$server] - array has errors\" -d \"$info\" -m \"$message\" -i \"warning\""); + exec("$notify -e \"unRAID array errors\" -s ".escapeshellarg("Warning [$server] - array has errors")." -d ".escapeshellarg("$info")." -m ".escapeshellarg("$message")." -i \"warning\""); $saved[$item][$name] = $warn; } } else { if ($last) { - exec("$notify -e \"unRAID array errors\" -s \"Notice [$server] - array turned good\" -d \"$info\""); + exec("$notify -e \"unRAID array errors\" -s ".escapeshellarg("Notice [$server] - array turned good")." -d ".escapeshellarg("$info")); unset($saved[$item][$name]); } } @@ -305,7 +306,7 @@ if ($var['mdResync']>0) { $last = 'Parity check'; } $info = "Size: ".my_scale($var['mdResyncSize']*1024, $unit)." $unit"; - exec("$notify -e \"unRAID $last\" -s \"Notice [$server] - $last started\" -d \"$info\" -i \"warning\""); + exec("$notify -e ".escapeshellarg("unRAID $last")." -s ".escapeshellarg("Notice [$server] - $last started")." -d ".escapeshellarg("$info")." -i \"warning\""); $saved[$item][$name] = $last; } } else { @@ -316,7 +317,7 @@ if ($var['mdResync']>0) { list($entry,$duration,$speed,$status,$error) = explode('|', read_write_parity_log($var['sbSynced2'],$duration,$speed,$status,$var['sbSyncErrs'])); $info = $status==0 ? "Duration: ".my_check($duration, $speed) : ($status==-4 ? "Canceled" : "Error code: $status"); $level = ($status==0 && $var['sbSyncErrs']==0) ? "normal" : "warning"; - exec("$notify -e \"unRAID $last\" -s \"Notice [$server] - $last finished ($error errors)\" -d \"$info\" -i \"$level\""); + exec("$notify -e ".escapeshellarg("unRAID $last")." -s ".escapeshellarg("Notice [$server] - $last finished ($error errors)")." -d ".escapeshellarg("$info")." -i \"$level\""); unset($saved[$item][$name]); } } 
@@ -328,12 +329,12 @@ $warn = exec("grep -Pom1 '/boot \S+ \K\S{2}' /proc/mounts");
 $info = "{$disks['flash']['id']} ({$disks['flash']['device']})";
 if ($warn!="rw") {
 if ($warn!=$last) {
- exec("$notify -e \"USB flash drive failure\" -s \"Alert [$server] - USB drive is not read-write\" -d \"$info\" -i \"alert\"");
+ exec("$notify -e \"USB flash drive failure\" -s ".escapeshellarg("Alert [$server] - USB drive is not read-write")." -d ".escapeshellarg("$info")." -i \"alert\"");
 $saved[$item][$name] = $warn;
 }
 } else {
 if ($last) {
- exec("$notify -e \"USB flash drive operation\" -s \"Notice [$server] - USB drive returned to normal operation\" -d \"$info\"");
+ exec("$notify -e \"USB flash drive operation\" -s ".escapeshellarg("Notice [$server] - USB drive returned to normal operation")." -d ".escapeshellarg("$info"));
 unset($saved[$item][$name]);
 }
 }
@@ -353,17 +354,17 @@ if ($retval===0) {
 $warn = exec("df /var/lib/docker|awk '/^\//{print $5*1}'");
 if ($warn>=$high1 && $high1>0) {
 if ($warn>$last) {
- exec("$notify -e \"Docker critical image disk utilization\" -s \"Alert [$server] - Docker image disk utilization of ${warn}%\" -d \"$info\" -i \"alert\"");
+ exec("$notify -e \"Docker critical image disk utilization\" -s ".escapeshellarg("Alert [$server] - Docker image disk utilization of ${warn}%")." -d ".escapeshellarg("$info")." -i \"alert\"");
 $saved[$item][$name] = $warn;
 }
 } elseif ($warn>=$high2 && $high2>0) {
 if ($warn>$last) {
- exec("$notify -e \"Docker high image disk utilization\" -s \"Warning [$server] - Docker image disk utilization of ${warn}%\" -d \"$info\" -i \"warning\"");
+ exec("$notify -e \"Docker high image disk utilization\" -s ".escapeshellarg("Warning [$server] - Docker image disk utilization of ${warn}%")." -d ".escapeshellarg("$info")." -i \"warning\"");
 $saved[$item][$name] = $warn;
 }
 } else {
 if ($last) {
- exec("$notify -e \"Docker image disk utilization\" -s \"Notice [$server] - Docker image disk utilization returned to normal level\" -d \"$info\"");
+ exec("$notify -e \"Docker image disk utilization\" -s ".escapeshellarg("Notice [$server] - Docker image disk utilization returned to normal level")." -d ".escapeshellarg("$info"));
 unset($saved[$item][$name]);
 }
 }
diff --git a/plugins/dynamix/scripts/netconfig b/plugins/dynamix/scripts/netconfig
index f977b57f2..8823f0f03 100755
--- a/plugins/dynamix/scripts/netconfig
+++ b/plugins/dynamix/scripts/netconfig
@@ -40,7 +40,7 @@ if ($run && file_exists($cfg)) {
 // stop interface with existing (old) configuration
 // don't execute when only interface description has changed
-if ($run) exec("/etc/rc.d/rc.inet1 {$ifname}_stop >/dev/null");
+if ($run) exec("/etc/rc.d/rc.inet1 ".escapeshellarg("{$ifname}_stop")." >/dev/null");
 if ($bonding = $ini['eth0']['BONDING']=='yes') {
 $ini['eth0']['BONDNICS'] = str_replace(',',' ',$ini['eth0']['BONDNICS']);
@@ -48,7 +48,7 @@ if ($bonding = $ini['eth0']['BONDING']=='yes') {
 // ensure additional NICs in bond are set free
 if ($run && $set=='eth0') foreach ($bond0 as $nic) {
 if (isset($old['SYSNICS'])) $nic = ifname($nic);
- if ($nic && $nic!=$ifname) exec("/etc/rc.d/rc.inet1 {$nic}_stop >/dev/null");
+ if ($nic && $nic!=$ifname) exec("/etc/rc.d/rc.inet1 ".escapeshellarg("{$nic}_stop")." >/dev/null");
 }
 }
@@ -58,7 +58,7 @@ if ($bridging = $ini['eth0']['BRIDGING']=='yes') {
 // ensure additional NICs in bridge are set free
 if ($run && $set=='eth0' && !$bonding) foreach ($br0 as $nic) {
 if (isset($old['SYSNICS'])) $nic = ifname($nic);
- if ($nic && $nic!=$ifname) exec("/etc/rc.d/rc.inet1 {$nic}_stop >/dev/null");
+ if ($nic && $nic!=$ifname) exec("/etc/rc.d/rc.inet1 ".escapeshellarg("{$nic}_start")." >/dev/null");
 }
 }
@@ -93,6 +93,6 @@ $new[] = "SYSNICS=\"$i\"";
 file_put_contents($cfg,implode("\r\n",$new)."\r\n");
 // start interface with updated (new) configuration
 // don't execute when only interface description has changed
-if ($run) exec("/etc/rc.d/rc.inet1 {$ifname}_start >/dev/null");
+if ($run) exec("/etc/rc.d/rc.inet1 ".escapeshellarg("{$ifname}_start")." >/dev/null");
 exit(0);
 ?>
diff --git a/plugins/dynamix/scripts/notify b/plugins/dynamix/scripts/notify
index 9c3507412..94d0f0ea8 100755
--- a/plugins/dynamix/scripts/notify
+++ b/plugins/dynamix/scripts/notify
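Review bot: The bridge loop in the `@@ -58,7 +58,7 @@` hunk now calls `{$nic}_start` where the removed line called `{$nic}_stop`, so the quoting fix also changes what the script does. The comment directly above it ("ensure additional NICs in bridge are set free") and the parallel bond loop in the previous hunk both point to stop, which makes this look like an unintended edit. Unless starting the member NICs here is deliberate, the line should read `if ($nic && $nic!=$ifname) exec("/etc/rc.d/rc.inet1 ".escapeshellarg("{$nic}_stop")." >/dev/null");`. A security-hardening commit that alters network bring-up order is hard to spot in review, so a deliberate change would be better as its own commit.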
@@ -192,7 +192,7 @@ case 'add': if (!$mailtest) file_put_contents($archive,"timestamp=$timestamp\nevent=$event\nsubject=$subject\ndescription=$description\nimportance=$importance\n".($message ? "message=".str_replace('\n','
',$message)."\n" : "")); if (($entity & 1)==1 && !$mailtest) file_put_contents($unread,"timestamp=$timestamp\nevent=$event\nsubject=$subject\ndescription=$description\nimportance=$importance\n"); if (($entity & 2)==2 || $mailtest) if (!generate_email($event, $subject, str_replace('
','. ',$description), $importance, $message)) exit(1); - if (($entity & 4)==4 && !$mailtest) { if (is_array($agents)) {foreach ($agents as $agent) {exec("TIMESTAMP='$timestamp' EVENT='$event' SUBJECT='$subject' DESCRIPTION='$description' IMPORTANCE='$importance' CONTENT='$message' ".$agent);};}}; + if (($entity & 4)==4 && !$mailtest) { if (is_array($agents)) {foreach ($agents as $agent) {exec("TIMESTAMP='$timestamp' EVENT=".escapeshellarg($event)." SUBJECT=".escapeshellarg($subject)." DESCRIPTION=".escapeshellarg($description)." IMPORTANCE=".escapeshellarg($importance)." CONTENT=".escapeshellarg($message)." ".$agent);};}}; break; case 'get': @@ -220,7 +220,9 @@ case 'get': case 'archive': if ($argc != 3) exit(usage()); - @unlink("$unread/{$argv[2]}"); + if (strpos(realpath("$unread/{$argv[2]}"), $unread.'/') === 0) { + @unlink("$unread/{$argv[2]}"); + } break; } diff --git a/plugins/dynamix/scripts/pre b/plugins/dynamix/scripts/pre deleted file mode 100755 index df5bcdce3..000000000 --- a/plugins/dynamix/scripts/pre +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# usage: pre -# Executes , wrapping it's output in
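Review bot: The agent command line in the `@@ -192,7 +192,7 @@` hunk is only partly escaped: `TIMESTAMP='$timestamp'` keeps the hand-written single quotes and `$agent` is appended as-is. How `$timestamp` and `$agents` are populated is outside the hunk, so this may be safe today, but the line is easier to audit when every interpolated value goes through the same call: `"TIMESTAMP=".escapeshellarg($timestamp)`. If each `$agent` is a single script path, `escapeshellarg($agent)` applies there as well. If it is meant to be a command with arguments, a comment saying so would stop a later reader from treating it as an oversight.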
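Review bot: The `archive` case validates `realpath("$unread/{$argv[2]}")` but then unlinks the unresolved `"$unread/{$argv[2]}"`, so the path that is checked and the path that is deleted are computed separately. Resolving once and reusing the result closes that gap and makes the failure case explicit: `$file = realpath("$unread/{$argv[2]}"); if ($file !== false && strpos($file, $unread.'/') === 0) @unlink($file);`. The prefix test also assumes `$unread` is already a canonical path with no symlink component; if it is not (its definition is outside the hunk), the check never matches and archiving silently stops working.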

 tags.
-# Also redirects stderr to stdout, and generates syslog entry if  exit status > 0
-# per WeeboTech (thanks!).
-# 
-
-exec 2>&1
-
-echo '
'
-eval "$@"
-RC=$?
-echo '
' - -if [ ${RC} -gt 0 ] - then logger -t$0 -puser.err <<-EOF -pre $@: exit status:${RC} -EOF -fi -exit ${RC} diff --git a/plugins/dynamix/scripts/spindowndelay b/plugins/dynamix/scripts/spindowndelay deleted file mode 100755 index 2004a0d7c..000000000 --- a/plugins/dynamix/scripts/spindowndelay +++ /dev/null @@ -1,41 +0,0 @@ -#!/usr/bin/php -q - - diff --git a/plugins/dynamix/scripts/tail_log b/plugins/dynamix/scripts/tail_log index b34f37a99..1661843ea 100755 --- a/plugins/dynamix/scripts/tail_log +++ b/plugins/dynamix/scripts/tail_log @@ -23,7 +23,7 @@ while (!feof($handle)) { if (strpos($line,'tail_log')!==false) continue; $span = "span"; foreach ($match as $type) foreach ($type['text'] as $text) if (preg_match("/$text/i",$line)) {$span = "span class='{$type['class']}'"; break 2;} - echo "<$span>".htmlentities($line).""; + echo "<$span>".htmlspecialchars($line).""; flush(); } pclose($handle); diff --git a/reboot.htm b/reboot.htm deleted file mode 100644 index 10ec60eda..000000000 --- a/reboot.htm +++ /dev/null @@ -1,30 +0,0 @@ - - - - - - - - -
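Review bot: In the tail_log hunk, `htmlspecialchars($line)` is called with default flags, and with those it returns an empty string when `$line` contains a byte sequence that is invalid in the configured charset, so a log line carrying a stray byte would be rendered as an empty entry rather than escaped. Passing the flags explicitly avoids that and does not depend on the PHP version's defaults: `htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `while` loop and the `$match` table used for the span class start outside the hunk.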
RebootSystem is going down... 0
- diff --git a/shutdown.htm b/shutdown.htm deleted file mode 100644 index 3b827fe8b..000000000 --- a/shutdown.htm +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - -
ShutdownSystem is going down... 0
-
TypeNameSize">Type">Name">Size Location">Location Last Modified">Last Modified
>> ".my_scale($sharesize*1024, $unit)." $unit".my_scale($disk['fsFree']*1024, $unit)." $unit
Compute...Compute...".my_scale($disk['fsFree']*1024, $unit)." $unit
Compute...Compute...".my_scale($share['free']*1024, $unit)." $unit
Can not read attributes
Can not read identification