ht: More restrictive directory names

config.ini

@@ -47,6 +47,7 @@ cat_path = "/usr/bin/cat"
 rm_path = "/usr/bin/rm"
 mkdir_path = "/usr/bin/mkdir"
 
+sftpgo_user = "sftpgo"
 sftpgo_group = "sftpgo"
 
 ; Will be shown to users

fn/ht.php

@@ -16,7 +16,7 @@ function listFsDirs($username) {
 	$absoluteDirs = glob(CONF['ht']['ht_path'] . '/' . $username . '/*/', GLOB_ONLYDIR);
 	$dirs = [];
 	foreach ($absoluteDirs as $absoluteDir)
-		if (preg_match('/^[\p{L}\p{N}_-]{1,64}$/Du', basename($absoluteDir)))
+		if (preg_match('/^[a-zA-Z0-9_-]{1,64}$/D', basename($absoluteDir)))
 			array_push($dirs, basename($absoluteDir));
 	return $dirs;
 }
@@ -32,14 +32,16 @@ function addSite($username, $siteDir, $domain, $domainType, $protocol) {
 	]);
 }
 
-function dirsStatuses($username, $domainType, $protocol) {
+function dirsStatuses($domainType, $protocol) {
+	if (isset($_SESSION['username']) !== true)
+		return [];
 	$dbDirs = query('select', 'sites', [
-		'username' => $username,
+		'username' => $_SESSION['username'],
 		'domain_type' => $domainType,
 		'protocol' => $protocol,
 	], 'site_dir');
 	$dirs = [];
-	foreach (listFsDirs($username) as $fsDir)
+	foreach (listFsDirs($_SESSION['username']) as $fsDir)
 		$dirs[$fsDir] = in_array($fsDir, $dbDirs);
 	return $dirs;
 }

pages/auth/unregister.php

@@ -30,7 +30,7 @@ if (processForm()) {
 
 	removeDirectory(CONF['ht']['tor_config_path'] . '/' . $_SESSION['username']);
 
-	exec(CONF['ht']['sudo_path'] . ' ' . CONF['ht']['rm_path'] . ' --recursive ' . CONF['ht']['ht_path'] . '/' . $_SESSION['username'], result_code: $code);
+	exec(CONF['ht']['sudo_path'] . ' -u ' . CONF['ht']['sftpgo_user'] .  ' ' . CONF['ht']['rm_path'] . ' --recursive ' . CONF['ht']['ht_path'] . '/' . $_SESSION['username'], result_code: $code);
 	if ($code !== 0)
 		output(500, 'Can\'t remove user\'s directory.');
 

pages/ht/add-http-dns.php

@@ -1,14 +1,9 @@
 <?php
 
-if (isset($_SESSION['username']))
-	$dirsStatuses = dirsStatuses($_SESSION['username'], 'dns', 'http');
-else
-	$dirsStatuses = [];
-
 if (processForm()) {
 	$_POST['domain'] = formatDomain($_POST['domain']);
 
-	if ($dirsStatuses[$_POST['dir']] !== false)
+	if (dirsStatuses('dns', 'http')[$_POST['dir']] !== false)
 		output(403, 'Wrong value for <code>dir</code>.');
 
 	if (query('select', 'sites', ['domain' => $_POST['domain']], 'domain') !== [])
@@ -65,6 +60,8 @@ if (processForm()) {
 	output(200, 'Accès HTTP par domaine ajouté sur ce dossier !');
 }
 
+$dirsStatuses = dirsStatuses('onion', 'http');
+
 $proof = getAuthToken();
 
 ?>

pages/ht/add-http-onion.php

@@ -1,12 +1,7 @@
 <?php
 
-if (isset($_SESSION['username']))
-	$dirsStatuses = dirsStatuses($_SESSION['username'], 'onion', 'http');
-else
-	$dirsStatuses = [];
-
 if (processForm()) {
-	if ($dirsStatuses[$_POST['dir']] !== false)
+	if (dirsStatuses('onion', 'http')[$_POST['dir']] !== false)
 		output(403, 'Wrong value for <code>dir</code>.');
 
 	rateLimit();
@@ -53,6 +48,8 @@ if (processForm()) {
 	output(200, 'L\'adresse de votre service Onion HTTP est : <a href="http://' . $onion . '/"><code>http://' . $onion . '/</code></a>');
 }
 
+$dirsStatuses = dirsStatuses('onion', 'http');
+
 ?>
 
 <p>

pages/ht/del-http-dns.php

@@ -1,12 +1,7 @@
 <?php
 
-if (isset($_SESSION['username']))
-	$dirsStatuses = dirsStatuses($_SESSION['username'], 'dns', 'http');
-else
-	$dirsStatuses = [];
-
 if (processForm()) {
-	if ($dirsStatuses[$_POST['dir']] !== true)
+	if (dirsStatuses('dns', 'http')[$_POST['dir']] !== true)
 		output(403, 'Wrong value for <code>dir</code>.');
 
 	htDeleteSite($_POST['dir'], domainType: 'dns', protocol: 'http');
@@ -14,6 +9,8 @@ if (processForm()) {
 	output(200, 'Accès retiré.');
 }
 
+$dirsStatuses = dirsStatuses('onion', 'http');
+
 ?>
 
 <p>

pages/ht/del-http-onion.php

@@ -1,12 +1,7 @@
 <?php
 
-if (isset($_SESSION['username']))
-	$dirsStatuses = dirsStatuses($_SESSION['username'], 'onion', 'http');
-else
-	$dirsStatuses = [];
-
 if (processForm()) {
-	if ($dirsStatuses[$_POST['dir']] !== true)
+	if (dirsStatuses('onion', 'http')[$_POST['dir']] !== true)
 		output(403, 'Wrong value for <code>dir</code>.');
 
 	htDeleteSite($_POST['dir'], domainType: 'onion', protocol: 'http');
@@ -14,6 +9,8 @@ if (processForm()) {
 	output(200, 'Accès retiré.');
 }
 
+$dirsStatuses = dirsStatuses('onion', 'http');
+
 ?>
 
 <p>

pages/ht/index.php

@@ -30,6 +30,12 @@ else {
 
 </section>
 
+<section>
+	<h2>Ajouter un accès de site</h2>
+
+	<p>Pour pouvoir y ajouter un accès par ce service, un site doit auparavent être téléversé dans un sous-dossier direct de l'espace SFTP. Le nom de ce sous-dossier ne peut contenir que <abbr title="abcdefghijklmnopqrstuvwxyz"><code>a</code>-<code>z</code></abbr>, <abbr title="ABCDEFGHIJKLMNOPQRSTUVWXYZ"><code>A</code>-<code>Z</code></abbr>, <abbr title="0123456789"><code>0</code>-<code>9</code></abbr>, <code>_</code> et <code>-</code>.</p>
+</section>
+
 <section>
 	<h2>SFTP</h2>