logger - ensure params are escaped
@@ -1,6 +1,7 @@
|
||||
<?php
|
||||
$docroot = $docroot ?? $_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp';
|
||||
require_once "$docroot/webGui/include/Helpers.php";
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
// add translations
|
||||
extract(parse_plugin_cfg('dynamix',true));
|
||||
|
||||
@@ -367,7 +367,7 @@ class DockerTemplates {
|
||||
@copy($iconRAM,$icon);
|
||||
}
|
||||
if (!is_file($iconRAM)) {
|
||||
exec("logger -t webGUI -- \"$contName: Could not download icon $imgUrl\"");
|
||||
my_logger('webGUI', "$contName: Could not download icon $imgUrl");
|
||||
}
|
||||
|
||||
return (is_file($iconRAM)) ? str_replace($docroot, '', $iconRAM) : '';
|
||||
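Review bot: The `my_logger()` call in the `DockerTemplates` hunk depends on Wrappers.php being loaded, but no `require_once` for it is visible in this file's hunks, unlike most other files in the commit. If the file does not already pull it in (directly or through another include), the icon-download failure path would end in an undefined-function fatal error instead of a log line. The same applies to the `verifyTwoFactorToken` and login hunks and to the password-set hunk (`@@ -36,7 +36,7 @@`), where the call sits on authentication paths. Confirm the include chain, or add `require_once "$docroot/webGui/include/Wrappers.php";` near the top of each file. The enclosing method starts and ends outside the hunk.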
|
||||
@@ -6,6 +6,9 @@
|
||||
// Program updates made by Bergware International (April 2020)
|
||||
// Program updates made by Bergware International (June 2022)
|
||||
|
||||
$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
$usage = <<<EOF
|
||||
Process language files.
|
||||
|
||||
@@ -148,12 +151,6 @@ function download($url, $name, &$error) {
|
||||
}
|
||||
}
|
||||
|
||||
// Deal with logging message.
|
||||
//
|
||||
function logger($message) {
|
||||
exec("logger -t 'language-manager' -- \"$message\"");
|
||||
}
|
||||
|
||||
// Interpret a language file
|
||||
// Returns TRUE if success, else FALSE and fills in error string.
|
||||
//
|
||||
@@ -314,7 +311,7 @@ if ($method == 'install') {
|
||||
copy($xml_file, $lang_file);
|
||||
symlink($lang_file, $link_file);
|
||||
write("language: $lang language pack installed\n");
|
||||
logger("$lang language pack installed");
|
||||
my_logger('language-manager',"$lang language pack installed");
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
done(0);
|
||||
@@ -396,7 +393,7 @@ if ($method == 'update') {
|
||||
copy($xml_file, $lang_file);
|
||||
symlink($lang_file, $link_file);
|
||||
write("language: $lang language pack updated\n");
|
||||
logger("$lang language pack updated");
|
||||
my_logger('language-manager',"$lang language pack updated");
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
done(0);
|
||||
@@ -423,7 +420,7 @@ if ($method == 'remove') {
|
||||
done(1);
|
||||
}
|
||||
write("language: $lang language pack removed\n");
|
||||
logger("$lang language pack removed");
|
||||
my_logger('language-manager',"$lang language pack removed");
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
done(0);
|
||||
|
||||
@@ -6,6 +6,9 @@
|
||||
// Program updates made by Bergware International (April 2020)
|
||||
// Program updates made by Bergware International (June 2022)
|
||||
|
||||
$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
$usage = <<<EOF
|
||||
Process plugin files.
|
||||
|
||||
@@ -281,12 +284,6 @@ function filter_url($url) {
|
||||
return($new_url);
|
||||
}
|
||||
|
||||
// Deal with logging message.
|
||||
//
|
||||
function logger($message) {
|
||||
exec("logger -t 'plugin-manager' -- \"$message\"");
|
||||
}
|
||||
|
||||
// Interpret a plugin file
|
||||
// Returns TRUE if success, else FALSE and fills in error string.
|
||||
//
|
||||
@@ -382,12 +379,12 @@ function plugin($method, $plugin_file, &$error) {
|
||||
// If file already exists, check the SHA256/MD5 (if supplied)
|
||||
if (file_exists($name)) {
|
||||
if ($file->SHA256) {
|
||||
logger("checking: $name - SHA256");
|
||||
my_logger('plugin-manager',"checking: $name - SHA256");
|
||||
if (hash_file('sha256', $name) != $file->SHA256) {
|
||||
unlink($name);
|
||||
}
|
||||
} elseif ($file->MD5) {
|
||||
logger("checking: $name - MD5");
|
||||
my_logger('plugin-manager',"checking: $name - MD5");
|
||||
if (md5_file($name) != $file->MD5) {
|
||||
unlink($name);
|
||||
}
|
||||
@@ -396,12 +393,12 @@ function plugin($method, $plugin_file, &$error) {
|
||||
// If file already exists, do not overwrite
|
||||
//
|
||||
if (file_exists($name)) {
|
||||
logger("skipping: $name already exists");
|
||||
my_logger('plugin-manager',"skipping: $name already exists");
|
||||
} elseif ($file->LOCAL) {
|
||||
// Create the file
|
||||
//
|
||||
// for local file, just copy it
|
||||
logger("creating: $name - copying LOCAL file $file->LOCAL");
|
||||
my_logger('plugin-manager',"creating: $name - copying LOCAL file $file->LOCAL");
|
||||
if (!copy($file->LOCAL, $name)) {
|
||||
$error = "unable to copy LOCAL file: $name";
|
||||
@unlink($name);
|
||||
@@ -409,10 +406,10 @@ function plugin($method, $plugin_file, &$error) {
|
||||
}
|
||||
} elseif ($file->INLINE) {
|
||||
// for inline file, create with inline contents
|
||||
logger("creating: $name - from INLINE content");
|
||||
my_logger('plugin-manager',"creating: $name - from INLINE content");
|
||||
$contents = trim($file->INLINE).PHP_EOL;
|
||||
if ($file->attributes()->Type == 'base64') {
|
||||
logger("decoding: $name as base64");
|
||||
my_logger('plugin-manager',"decoding: $name as base64");
|
||||
$contents = base64_decode($contents);
|
||||
if ($contents === false) {
|
||||
$error = "unable to decode inline base64: $name";
|
||||
@@ -426,20 +423,20 @@ function plugin($method, $plugin_file, &$error) {
|
||||
}
|
||||
} elseif ($file->URL) {
|
||||
// for download file, download and maybe verify the file MD5
|
||||
logger("creating: $name - downloading from URL $file->URL");
|
||||
my_logger('plugin-manager',"creating: $name - downloading from URL $file->URL");
|
||||
if ( (download($file->URL, $name, $error) === false) && (download(filter_url($file->URL), $name, $error) === false) ) {
|
||||
@unlink($name);
|
||||
return false;
|
||||
}
|
||||
if ($file->SHA256) {
|
||||
logger("checking: $name - SHA256");
|
||||
my_logger('plugin-manager',"checking: $name - SHA256");
|
||||
if (hash_file('sha256', $name) != $file->SHA256) {
|
||||
$error = "bad file SHA256: $name";
|
||||
unlink($name);
|
||||
return false;
|
||||
}
|
||||
} elseif ($file->MD5) {
|
||||
logger("checking: $name - MD5");
|
||||
my_logger('plugin-manager',"checking: $name - MD5");
|
||||
if (md5_file($name) != $file->MD5) {
|
||||
$error = "bad file MD5: $name";
|
||||
unlink($name);
|
||||
@@ -452,7 +449,7 @@ function plugin($method, $plugin_file, &$error) {
|
||||
if ($file->attributes()->Mode) {
|
||||
// if file has 'Mode' attribute, apply it
|
||||
$mode = $file->attributes()->Mode;
|
||||
logger("setting: $name - mode to $mode");
|
||||
my_logger('plugin-manager',"setting: $name - mode to $mode");
|
||||
if (!chmod($name, octdec($mode))) {
|
||||
$error = "chmod failure: $name";
|
||||
return false;
|
||||
@@ -464,13 +461,13 @@ function plugin($method, $plugin_file, &$error) {
|
||||
if ($file->attributes()->Run) {
|
||||
$command = $file->attributes()->Run;
|
||||
if ($name) {
|
||||
logger("running: $command $name");
|
||||
my_logger('plugin-manager',"running: $command $name");
|
||||
$retval = run("$command $name");
|
||||
} elseif ($file->LOCAL) {
|
||||
logger("running: $command $file->LOCAL");
|
||||
my_logger('plugin-manager',"running: $command $file->LOCAL");
|
||||
$retval = run("$command $file->LOCAL");
|
||||
} elseif ($file->INLINE) {
|
||||
logger("running: 'anonymous'");
|
||||
my_logger('plugin-manager',"running: 'anonymous'");
|
||||
$name = '/tmp/inline.sh';
|
||||
file_put_contents($name, $file->INLINE);
|
||||
$retval = run("$command $name");
|
||||
@@ -718,10 +715,10 @@ if ($method == 'install') {
|
||||
if ($target != $plugin_file) copy($plugin_file, $target);
|
||||
symlink($target, $symlink);
|
||||
write("plugin: $plugin installed\n");
|
||||
logger("$plugin installed");
|
||||
my_logger('plugin-manager',"$plugin installed");
|
||||
} else {
|
||||
write("script: $plugin executed\n");
|
||||
logger("script: $plugin executed");
|
||||
my_logger('plugin-manager',"script: $plugin executed");
|
||||
}
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
@@ -835,7 +832,7 @@ if ($method == 'update') {
|
||||
copy($plugin_file, $target);
|
||||
symlink($target, $symlink);
|
||||
write("plugin: $plugin updated\n");
|
||||
logger("$plugin updated");
|
||||
my_logger('plugin-manager',"$plugin updated");
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
done(0);
|
||||
@@ -867,7 +864,7 @@ if ($method == 'remove') {
|
||||
// remove the plugin file
|
||||
move($installed_plugin_file, "$boot-removed");
|
||||
write("plugin: $plugin removed\n");
|
||||
logger("$plugin removed");
|
||||
my_logger('plugin-manager',"$plugin removed");
|
||||
exec("/usr/local/sbin/update_cron");
|
||||
// run hook scripts for post processing
|
||||
post_hooks();
|
||||
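Review bot: In the `plugin()` hunks the integrity checks still use loose comparison, `hash_file('sha256', $name) != $file->SHA256` and `md5_file($name) != $file->MD5`, so PHP may apply numeric-string juggling to the two digests, and a digest published in upper case never matches. A strict, case-normalised compare is the safer form, e.g. `if (!hash_equals((string)hash_file('sha256', $name), strtolower(trim((string)$file->SHA256)))) {`. MD5 is also still accepted when no SHA256 is supplied; a comment should say it is kept for legacy plugin files only, since it does not resist deliberate collisions. `plugin()` starts and ends outside these hunks.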
|
||||
@@ -119,12 +119,12 @@ function verifyTwoFactorToken(string $username, string $token): bool {
|
||||
// This should accept 200 or 204 status codes
|
||||
if ($httpCode !== 200 && $httpCode !== 204) {
|
||||
// Log error to syslog
|
||||
exec("logger -t webGUI -- \"2FA code for {$username} is invalid, blocking access!\"");
|
||||
my_logger('webGUI', "2FA code for {$username} is invalid, blocking access!");
|
||||
return false;
|
||||
}
|
||||
|
||||
// Log success to syslog
|
||||
exec("logger -t webGUI -- \"2FA code for {$username} is valid, allowing login!\"");
|
||||
my_logger('webGUI', "2FA code for {$username} is valid, allowing login!");
|
||||
|
||||
// Success
|
||||
return true;
|
||||
@@ -199,7 +199,7 @@ if (!empty($username) && !empty($password)) {
|
||||
|
||||
// Check if we're limited
|
||||
if ($failCount >= $maxFails) {
|
||||
if ($failCount == $maxFails) exec("logger -t webGUI -- \"Ignoring login attempts for {$username} from {$remote_addr}\"");
|
||||
if ($failCount == $maxFails) my_logger('webGUI', "Ignoring login attempts for {$username} from {$remote_addr}");
|
||||
throw new Exception(_('Too many invalid login attempts'));
|
||||
}
|
||||
|
||||
@@ -216,7 +216,7 @@ if (!empty($username) && !empty($password)) {
|
||||
$_SESSION['unraid_user'] = $username;
|
||||
session_regenerate_id(true);
|
||||
session_write_close();
|
||||
exec("logger -t webGUI -- \"Successful login user {$username} from {$remote_addr}\"");
|
||||
my_logger('webGUI', "Successful login user {$username} from {$remote_addr}");
|
||||
|
||||
// Redirect the user to the start page
|
||||
header("Location: /".$start_page);
|
||||
@@ -226,7 +226,7 @@ if (!empty($username) && !empty($password)) {
|
||||
$error = $exception->getMessage();
|
||||
|
||||
// Log error to syslog
|
||||
exec("logger -t webGUI -- \"Unsuccessful login user {$username} from {$remote_addr}\"");
|
||||
my_logger('webGUI', "Unsuccessful login user {$username} from {$remote_addr}");
|
||||
appendToFile($failFile, $time."\n");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ if (!empty($_POST['password']) && !empty($_POST['confirmPassword'])) {
|
||||
}
|
||||
|
||||
// Error when attempting to set password
|
||||
exec("logger -t webGUI -- \"{$VALIDATION_MESSAGES['saveError']} [REMOTE_ADDR]: {$REMOTE_ADDR}\"");
|
||||
my_logger('webGUI', "{$VALIDATION_MESSAGES['saveError']} [REMOTE_ADDR]: {$REMOTE_ADDR}");
|
||||
return $POST_ERROR = $VALIDATION_MESSAGES['saveError'];
|
||||
}
|
||||
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
?>
|
||||
<?
|
||||
require_once "$docroot/webGui/include/MarkdownExtra.inc.php";
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
function get_ini_key($key,$default) {
|
||||
$x = strpos($key, '[');
|
||||
@@ -32,7 +33,7 @@ function build_pages($pattern) {
|
||||
foreach (glob($pattern,GLOB_NOSORT) as $entry) {
|
||||
[$header, $content] = my_explode("\n---\n",file_get_contents($entry));
|
||||
$page = @parse_ini_string($header);
|
||||
if (!$page) {exec("logger -t webGUI -- \"Invalid .page format: $entry\""); continue;}
|
||||
if (!$page) {my_logger('webGUI', "Invalid .page format: $entry"); continue;}
|
||||
$page['file'] = $entry;
|
||||
$page['root'] = dirname($entry);
|
||||
$page['name'] = basename($entry, '.page');
|
||||
|
||||
@@ -3,10 +3,11 @@
|
||||
function SysDriverslog($m, $type='NOTICE') {
|
||||
if ($type == 'DEBUG') return;
|
||||
$m = str_replace(["\n",'"'],[" ","'"],print_r($m,true));
|
||||
exec("logger -t sysDrivers -- \"$m\"");
|
||||
my_logger('sysDrivers', "$m");
|
||||
}
|
||||
|
||||
$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
require_once "$docroot/webGui/include/Helpers.php";
|
||||
require_once "$docroot/webGui/include/SysDriversHelpers.php";
|
||||
require_once "$docroot/plugins/dynamix.plugin.manager/include/PluginHelpers.php";
|
||||
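Review bot: In `SysDriverslog` the `'"'` to `'` substitution and the `"$m"` interpolation are leftovers from the hand-quoted shell string; now that `my_logger()` quotes the argument they only alter the logged text. The two lines could become `$m = str_replace("\n", ' ', print_r($m, true));` and `my_logger('sysDrivers', $m);`. The function is also defined above the `require_once` of Wrappers.php, which works only as long as it is not called before the includes have run; a short comment saying so would help the next reader.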
|
||||
@@ -145,4 +145,8 @@ function my_date($fmt, $time) {
|
||||
$legacy = ['%c' => 'D j M Y h:i A','%A' => 'l','%Y' => 'Y','%B' => 'F','%e' => 'j','%d' => 'd','%m' => 'm','%I' => 'h','%H' => 'H','%M' => 'i','%S' => 's','%p' => 'a','%R' => 'H:i', '%F' => 'Y-m-d', '%T' => 'H:i:s'];
|
||||
return date(strtr($fmt,$legacy), $time);
|
||||
}
|
||||
// ensure params passed to logger are properly escaped
|
||||
function my_logger($tag, $message) {
|
||||
exec('logger -t '.escapeshellarg($tag).' -- '.escapeshellarg($message));
|
||||
}
|
||||
?>
|
||||
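Review bot: `my_logger()` stops shell interpretation with `escapeshellarg()`, but newline and other control characters in `$message` are passed through unchanged. Depending on how the syslog daemon is configured, request-derived values such as the `{$username}` logged by the login hunks could then split one entry into several or imitate another entry. Flattening them first closes that gap, e.g. `$message = preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string)$message);` as the first line of the function. PHP's built-in `syslog()` with `openlog()` would avoid the shell altogether if its tag handling is acceptable here. The one-line comment above the function could also state that callers pass the raw, unquoted message.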
|
||||
@@ -15,7 +15,7 @@
|
||||
// auto_prepend_file="/usr/local/emhttp/webGui/include/local_prepend.php"
|
||||
|
||||
function csrf_terminate($reason) {
|
||||
exec("logger -t webGUI -- \"error: {$_SERVER['REQUEST_URI']} - {$reason} csrf_token\"");
|
||||
exec('logger -t webGUI -- '.escapeshellarg("error: {$_SERVER['REQUEST_URI']} - {$reason} csrf_token"));
|
||||
exit;
|
||||
}
|
||||
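Review bot: `csrf_terminate()` repeats the `escapeshellarg()` wrapping inline instead of calling `my_logger()`, and nothing in the hunk says why. Presumably this file runs as `auto_prepend_file` before Wrappers.php is loaded. If so, a comment such as `// Wrappers.php is not loaded in the prepend file, so escape inline rather than calling my_logger()` would keep the two copies from drifting apart. Any later hardening of the helper would have to be mirrored here by hand.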
|
||||
|
||||
@@ -11,13 +11,16 @@
|
||||
*/
|
||||
?>
|
||||
<?
|
||||
$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
function curl_socket($socket, $url, $message='') {
|
||||
$com = curl_init($url);
|
||||
curl_setopt_array($com, [CURLOPT_UNIX_SOCKET_PATH => $socket, CURLOPT_RETURNTRANSFER => 1]);
|
||||
if ($message) curl_setopt_array($com, [CURLOPT_POSTFIELDS => $message, CURLOPT_POST => 1]);
|
||||
$reply = curl_exec($com);
|
||||
curl_close($com);
|
||||
if ($reply===false) exec("logger -t curl_socket -- 'curl to $url failed'");
|
||||
if ($reply===false) my_logger('curl_socket', "curl to $url failed");
|
||||
return $reply;
|
||||
}
|
||||
|
||||
@@ -32,7 +35,7 @@ function publish($endpoint, $message, $len=1) {
|
||||
]);
|
||||
$reply = curl_exec($com);
|
||||
curl_close($com);
|
||||
if ($reply===false) exec("logger -t publish -- 'curl to $endpoint failed'");
|
||||
if ($reply===false) my_logger('publish', "curl to $endpoint failed");
|
||||
return $reply;
|
||||
}
|
||||
?>
|
||||
|
||||
@@ -12,6 +12,9 @@
|
||||
*/
|
||||
?>
|
||||
<?
|
||||
$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
|
||||
require_once "$docroot/webGui/include/Wrappers.php";
|
||||
|
||||
$set = $ifname = $argv[1];
|
||||
$run = $set != 'none';
|
||||
$ini = parse_ini_file('/var/local/emhttp/network.ini',true); ksort($ini,SORT_NATURAL);
|
||||
@@ -25,7 +28,7 @@ function update_wireguard($ifname) {
|
||||
$vtun = basename($wg,'.conf');
|
||||
// interface has changed?
|
||||
if (exec("grep -Pom1 ' dev $nic ' $wg")=='') {
|
||||
exec("logger -t netconfig -- \"updated wireguard $vtun configuration\"");
|
||||
my_logger('netconfig', "updated wireguard $vtun configuration");
|
||||
exec("sed -ri 's/ dev (br0|bond0|eth0) / dev $nic /' $wg");
|
||||
}
|
||||
// restart active wireguard tunnels
|
||||
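Review bot: In `update_wireguard` only the `logger` call moved to `my_logger()`; the neighbouring `exec("grep -Pom1 ' dev $nic ' $wg")` and the `sed -ri` call still interpolate `$nic` and `$wg` into shell strings unescaped. Where those values come from is outside the hunk, so this may be safe today, but quoting them would match the commit's intent: `exec('grep -Pom1 '.escapeshellarg(" dev $nic ").' '.escapeshellarg($wg))`, with the sed expression likewise built as a single `escapeshellarg()` argument. Because `$nic` also lands inside a regex and a sed replacement, checking it against an interface-name pattern first would be the more complete guard. The function body continues outside the hunk.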
|
||||