Merge remote-tracking branch 'upstream/master' into Fix-zfs-dataset-creation

2026-04-24 11:19:25 -05:00 · 2025-01-26 22:02:45 +00:00
parent 5a7f6692a0 31e5a527fb
commit f1737d2f1d
57 changed files with 689 additions and 348 deletions
@@ -480,10 +480,10 @@ $theme_dark = in_array($display['theme'], ['black', 'gray']);
        </div>
        <div class="content">
            <h1>
-                <?=$var['NAME']?>
+                <?=htmlspecialchars($var['NAME'])?>
            </h1>
            <h2>
-               	<?=$var['COMMENT']?>
+               	<?=htmlspecialchars($var['COMMENT'])?>
            </h2>

            <div class="case">
@@ -306,8 +306,8 @@ $THEME_DARK = in_array($display['theme'],['black','gray']);
        </div>
        <div class="content">
            <header>
-                <h1><?=$var['NAME']?></h1>
-                <h2><?=$var['COMMENT']?></h2>
+                <h1><?=htmlspecialchars($var['NAME'])?></h1>
+                <h2><?=htmlspecialchars($var['COMMENT'])?></h2>
                <p><?=_('Please set a password for the root user account')?>.</p>
                <p><?=_('Max password length is 128 characters')?>.</p>
            </header>
@@ -126,7 +126,7 @@ if ($_POST['vms']) {
    if (!isset($domain_cfg["CONSOLE"])) $vmrcconsole = "web" ; else $vmrcconsole = $domain_cfg["CONSOLE"] ;
    if (!isset($domain_cfg["RDPOPT"])) $vmrcconsole .= ";no" ; else $vmrcconsole .= ";".$domain_cfg["RDPOPT"] ;
    $WebUI = html_entity_decode($arrConfig["template"]["webui"]);
-    $menu = sprintf("onclick=\"addVMContext('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')\"", htmlentities($log,ENT_QUOTES), addslashes($uuid), addslashes($template), $state, addslashes($vmrcurl), strtoupper($vmrcprotocol), htmlentities($log,ENT_QUOTES),addslashes($fstype), $vmrcconsole,false,addslashes(str_replace('"',"'",$WebUI)));
+    $menu = sprintf("onclick=\"addVMContext('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')\"", htmlentities($vm,ENT_QUOTES), addslashes($uuid), addslashes($template), $state, addslashes($vmrcurl), strtoupper($vmrcprotocol), htmlentities($log,ENT_QUOTES),addslashes($fstype), $vmrcconsole,false,addslashes(str_replace('"',"'",$WebUI)));
    $icon = $lv->domain_get_icon_url($res);
    switch ($state) {
    case 'running':
@@ -720,7 +720,7 @@ if (isset($myPage['Load']) && $myPage['Load']>0) echo "\n<script>timers.reload =
 echo "<div class='tabs'>";
 $tab = 1;
 $pages = [];
-if (!empty($myPage['text'])) $pages[$myPage['name']] = $myPage;
+if (!empty($myPage['text']) && page_enabled($myPage)) $pages[$myPage['name']] = $myPage;
 if (_var($myPage,'Type')=='xmenu') $pages = array_merge($pages, find_pages($myPage['name']));
 if (isset($myPage['Tabs'])) $display['tabs'] = strtolower($myPage['Tabs'])=='true' ? 0 : 1;
 $tabbed = $display['tabs']==0 && count($pages)>1;
@@ -728,7 +728,7 @@ $tabbed = $display['tabs']==0 && count($pages)>1;
 foreach ($pages as $page) {
  $close = false;
  if (isset($page['Title'])) {
-    eval("\$title=\"".htmlspecialchars($page['Title'])."\";");
+    eval("\$title=\"{$page['Title']}\";");
    if ($tabbed) {
      echo "<div class='tab'><input type='radio' id='tab{$tab}' name='tabs' onclick='settab(this.id)'><label for='tab{$tab}'>";
      echo tab_title($title,$page['root'],_var($page,'Tag',false));
@@ -745,7 +745,7 @@ foreach ($pages as $page) {
  if (isset($page['Type']) && $page['Type']=='menu') {
    $pgs = find_pages($page['name']);
    foreach ($pgs as $pg) {
-      @eval("\$title=\"".htmlspecialchars($pg['Title'])."\";");
+      @eval("\$title=\"{$pg['Title']}\";");
      $icon = _var($pg,'Icon',"<i class='icon-app PanelIcon'></i>");
      if (substr($icon,-4)=='.png') {
        $root = $pg['root'];
@@ -117,7 +117,7 @@ foreach ($disks as $name => $disk) {
  } else $luks = "";
  echo "<tr><td><a class='view' href=\"/$path/Browse?dir=/mnt/$name\"><i class=\"icon-u-tab\" title=\"",_('Browse')," /mnt/$name\"></i></a>";
  echo "<a class='info nohand' onclick='return false'><i class='fa fa-$orb orb $color-orb'></i><span style='left:18px'>$help</span></a>$luks<a href=\"/$path/Disk?name=$name\" onclick=\"$.cookie('one','tab1')\">$name</a></td>";
-  echo "<td>"._var($disk,'comment')."</td>";
+  echo "<td>",htmlspecialchars(_var($disk,'comment')),"</td>";
  echo "<td>",disk_share_settings(_var($var,'shareSMBEnabled'), $sec[$name]),"</td>";
  echo "<td>",disk_share_settings(_var($var,'shareNFSEnabled'), $sec_nfs[$name]),"</td>";
  $cmd="/webGui/scripts/disk_size&arg1=$name&arg2=ssz2";
@@ -50,7 +50,7 @@ $match    = $_POST['match'];
 $checkbox = $_POST['multiSelect']=='true' ? "<input type='checkbox'>" : "";

 /* Excluded folders to not show in the dropdown in the '/mnt/' directory only. */
-$excludedFolders	= ["RecycleBin", "addons", "remotes", "rootshare", "user0"];
+$excludedFolders	= ["RecycleBin", "addons", "rootshare", "user0"];

 echo "<ul class='jqueryFileTree'>";
 if ($_POST['show_parent']=='true' && is_top($rootdir)) echo "<li class='directory collapsed'>$checkbox<a href='#' rel=\"".htmlspecialchars(dirname($rootdir))."\">..</a></li>";
@@ -288,13 +288,6 @@ function transpose_user_path($path) {
  }
  return $path;
 }
-// custom parse_ini_file/string functions to deal with '#' comment lines
-function my_parse_ini_string($text, $sections=false, $scanner=INI_SCANNER_NORMAL) {
-  return parse_ini_string(preg_replace('/^#/m',';',$text),$sections,$scanner);
-}
-function my_parse_ini_file($file, $sections=false, $scanner=INI_SCANNER_NORMAL) {
-  return my_parse_ini_string(file_get_contents($file),$sections,$scanner);
-}
 function cpu_list() {
  exec('cat /sys/devices/system/cpu/*/topology/thread_siblings_list|sort -nu', $cpus);
  return $cpus;
@@ -417,4 +410,10 @@ function write_logging($value) {
  if (!$debug) return;
  file_put_contents('/tmp/my_mkdir_output', $value, FILE_APPEND);
 }
+
+function device_exists($name)
+{
+  global $disks,$devs;
+  return (array_key_exists($name, $disks) && !str_contains(_var($disks[$name],'status'),'_NP')) || (array_key_exists($name, $devs));
+}
 ?>
@@ -42,8 +42,16 @@ function build_pages($pattern) {
  }
 }

+function page_enabled(&$page)
+{
+  global $var,$disks,$devs,$users,$shares,$sec,$sec_nfs,$name,$display,$pool_devices;
+  $enabled = true;
+  if (isset($page['Cond'])) eval("\$enabled={$page['Cond']};");
+  return $enabled;
+}
+
 function find_pages($item) {
-  global $docroot,$site,$var,$disks,$devs,$users,$shares,$sec,$sec_nfs,$name,$display,$pool_devices;
+  global $site;
  $pages = [];
  foreach ($site as $page) {
    if (empty($page['Menu'])) continue;
@@ -55,9 +63,7 @@ function find_pages($item) {
    while ($menu !== false) {
      [$menu,$rank] = my_explode(':',$menu);
      if ($menu == $item) {
-        $enabled = true;
-        if (isset($page['Cond'])) eval("\$enabled={$page['Cond']};");
-        if ($enabled) $pages["$rank{$page['name']}"] = $page;
+        if (page_enabled($page)) $pages["$rank{$page['name']}"] = $page;
        break;
      }
      $menu = strtok(' ');
@@ -69,6 +75,7 @@ function find_pages($item) {

 function tab_title($title,$path,$tag) {
  global $docroot,$pools;
+  $title=htmlspecialchars(html_entity_decode($title));
  $names = implode('|',array_merge(['disk','parity'],$pools));
  if (preg_match("/^($names)/",$title)) {
    $device = strtok($title,' ');
@@ -17,7 +17,7 @@ function unscript($text) {
 }
 // remove malicious HTML elements
 function untangle($text) {
-  return preg_replace('#<.+?>(.*?)</.+?>#','',html_entity_decode($text));
+  return strip_tags(html_entity_decode($text));
 }
 // remove malicious code appended after string variable
 function unbundle($text) {
@@ -187,7 +187,17 @@ define('LUKS_STATUS_UNENCRYPTED', 2);

 // Build table
 $row = 0;
+
+/* Get the first pool if needed. */
+$firstPool = $pools_check[0] ?? "";
 foreach ($shares as $name => $share) {
+	/* Correct a situation in previous Unraid versions where an array only share has a useCache defined. */
+	if ((!$poolsOnly) && ($share['useCache'] == "no")) {
+		$share['cachePool'] = "";
+	} else if (($poolsOnly) && (!$share['cachePool'])) {
+		$share['cachePool']	= $firstPool;
+	}
+
 	/* Is cachePool2 defined? If it is we need to show the cache pool 2 device name instead of 'Array'. */
 	if ($share['cachePool2']) {
 		$array		= compress(my_disk($share['cachePool2'],$display['raw']));
@@ -214,8 +224,8 @@ foreach ($shares as $name => $share) {
 		$share_valid	= true;
 	}

-	/* When there is no array, all pools are treated as 'only' cache. If useCache is "no" with an array, this is invalid and useCache has to be 'only'. */
-	if ((($poolsOnly) && (! $share['cachePool2'])) || ((! $poolsOnly) && ($share['cachePool']) && ($share['useCache'] == "no"))) {
+	/* When there is no array, all pools are treated as 'only' cache. */
+	if (($poolsOnly) && (! $share['cachePool2'])) {
 		$share['useCache'] = 'only';
 	}

@@ -261,10 +271,10 @@ foreach ($shares as $name => $share) {
 		}
 	}

-	echo "<tr><td><a class='view' href=\"/$path/Browse?dir=/mnt/user/", rawurlencode($name), "\"><i class=\"icon-u-tab\" title=\"", _('Browse'), " /mnt/user/" . rawurlencode($name), "\"></i></a>";
+	echo "<tr><td><a class='view' href=\"/$path/Browse?dir=/mnt/user/", htmlspecialchars($name), "\"><i class=\"icon-u-tab\" title=\"", _('Browse'), " /mnt/user/" . htmlspecialchars($name), "\"></i></a>";
 	echo "<a class='info nohand' onclick='return false'><i class='fa fa-$orb orb $color-orb'></i><span style='left:18px'>$help</span></a>$luks<a href=\"/$path/Share?name=";
 	echo rawurlencode($name), "\" onclick=\"$.cookie('one','tab1')\">$name</a></td>";
-	echo "<td>{$share['comment']}</td>";
+        echo "<td>", htmlspecialchars(_var($share,'comment')), "</td>";
 	echo "<td>", user_share_settings($var['shareSMBEnabled'], $sec[$name]), "</td>";
 	echo "<td>", user_share_settings($var['shareNFSEnabled'], $sec_nfs[$name]), "</td>";

@@ -39,12 +39,19 @@ function file_put_contents_atomic($filename,$data) {
  }
  return strlen($data);
 }
+// custom parse_ini_file/string functions to deal with '#' comment lines and remove html/php tags
+function my_parse_ini_string($text, $sections=false, $scanner=INI_SCANNER_NORMAL) {
+  return parse_ini_string(strip_tags(html_entity_decode(preg_replace('/^#.*$/m','',$text))),$sections,$scanner);
+}
+function my_parse_ini_file($file, $sections=false, $scanner=INI_SCANNER_NORMAL) {
+  return my_parse_ini_string(file_get_contents($file),$sections,$scanner);
+}
 function parse_plugin_cfg($plugin, $sections=false, $scanner=INI_SCANNER_NORMAL) {
  global $docroot;
  $ram = "$docroot/plugins/$plugin/default.cfg";
  $rom = "/boot/config/plugins/$plugin/$plugin.cfg";
-  $cfg = file_exists($ram) ? parse_ini_file($ram, $sections, $scanner) : [];
-  return file_exists($rom) ? array_replace_recursive($cfg, parse_ini_file($rom, $sections, $scanner)) : $cfg;
+  $cfg = file_exists($ram) ? my_parse_ini_file($ram, $sections, $scanner) : [];
+  return file_exists($rom) ? array_replace_recursive($cfg, my_parse_ini_file($rom, $sections, $scanner)) : $cfg;
 }
 function parse_cron_cfg($plugin, $job, $text = "") {
  $cron = "/boot/config/plugins/$plugin/$job.cron";
@@ -25,9 +25,7 @@ setlocale(LC_ALL,'en_US.UTF-8');
 date_default_timezone_set(substr(readlink('/etc/localtime'),20));
 $secure = array_key_exists('HTTPS', $_SERVER);
 ini_set("session.use_strict_mode", "1");
-// Safari bug prevents use of 'Strict'
-// ini_set("session.cookie_samesite", $secure?'Strict':'Lax');
-ini_set("session.cookie_samesite", 'Lax');
+ini_set("session.cookie_samesite", 'Strict');
 if (array_key_exists('HTTP_HOST', $_SERVER)) {
  session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
 }
@@ -17,7 +17,7 @@ require_once "$docroot/webGui/include/Wrappers.php";

 $vfio = '/boot/config/vfio-pci.cfg';
 $old  = is_file($vfio) ? rtrim(file_get_contents($vfio)) : '';
-$new  = _var($_GET,'cfg');
+$new  = _var($_POST,'cfg');

 $reply = 0;
 if ($new != $old) {