danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sanitize $system_account to protect against database modification exploits

Browse Source
This commit is contained in:
Daniel Winzen
2020-01-25 21:47:38 +01:00
parent 93dc5b10c4
commit 47fb983557
3 changed files with 131 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
var/www/find_old.php
View File

@ -4,8 +4,14 @@ $db = get_db_instance();
//update quota usage
$stmt=$db->query('SELECT id, system_account FROM users WHERE id NOT IN (SELECT user_id FROM new_account) AND todelete!=1;');
$all_accounts=$stmt->fetchAll(PDO::FETCH_ASSOC);
$update=$db->prepare('UPDATE disk_quota SET quota_size_used = ?, quota_files_used = ? WHERE user_id = ?;');
while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
foreach($all_accounts as $tmp){
$system_account = sanitize_system_account($tmp['system_account']);
if($system_account === false){
echo "ERROR: Account $tmp[system_account] looks strange\n";
continue;
}
$quota = shell_exec('quota -pu ' . escapeshellarg($tmp['system_account']));
$quota_array = explode("\n", $quota);
if(!empty($quota_array[2])){
@ -16,9 +22,12 @@ while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
}
//delete tmp files older than 24 hours
$stmt=$db->query('SELECT system_account FROM users;');
$all=$stmt->fetchAll(PDO::FETCH_ASSOC);
foreach($all as $tmp){
foreach($all_accounts as $tmp){
$system_account = sanitize_system_account($tmp['system_account']);
if($system_account === false){
echo "ERROR: Account $tmp[system_account] looks strange\n";
continue;
}
exec('find '.escapeshellarg("/home/$tmp[system_account]/tmp").' -path '.escapeshellarg("/home/$tmp[system_account]/tmp/*").' -cmin +1440 -delete');
}
exec("find /var/www/tmp -path '/var/www/tmp/*' -cmin +1440 -delete");
@ -26,10 +35,15 @@ exec("find /var/www/tmp -path '/var/www/tmp/*' -cmin +1440 -delete");
//delete unused accounts older than 30 days
$last_month=time()-60*60*24*30;
$del=$db->prepare('UPDATE users SET todelete=1 WHERE id=?;');
$stmt=$db->prepare('SELECT system_account, id FROM users WHERE dateadded<?;');
$stmt=$db->prepare('SELECT system_account, id FROM users WHERE dateadded<? AND id NOT IN (SELECT user_id FROM new_account) AND todelete!=1;');
$stmt->execute([$last_month]);
$all=$stmt->fetchAll(PDO::FETCH_ASSOC);
foreach($all as $tmp){
$system_account = sanitize_system_account($tmp['system_account']);
if($system_account === false){
echo "ERROR: Account $tmp[system_account] looks strange\n";
continue;
}
//check modification times
if(filemtime("/home/$tmp[system_account]/data/")>$last_month){
continue;