Feature/os 261 add support in monitor to create output for panel backport

emhttp/auth-request.php

@@ -14,8 +14,52 @@
   session_write_close();
 }
 
-// Include JS caching functions
-require_once '/usr/local/emhttp/webGui/include/JSCache.php';
+function isPathInDocroot(string $realPath, string $docroot): bool {
+  return $realPath === $docroot || str_starts_with($realPath, $docroot . '/');
+}
+
+function getCanonicalRequestUri(string $docroot): string {
+  $requestUri = getRequestUriPath();
+
+  $realRequestPath = realpath($docroot . '/' . ltrim($requestUri, '/'));
+  if (!is_string($realRequestPath) || !isPathInDocroot($realRequestPath, $docroot)) {
+    return '';
+  }
+
+  $canonicalRequestUri = substr($realRequestPath, strlen($docroot));
+  return $canonicalRequestUri === '' ? '/' : $canonicalRequestUri;
+}
+
+function isWebComponentsRequest(string $requestUri): bool {
+  $webComponentsDirectory = '/plugins/dynamix.my.servers/unraid-components';
+  return $requestUri === $webComponentsDirectory || str_starts_with($requestUri, $webComponentsDirectory . '/');
+}
+
+function getRequestUriPath(): string {
+  $requestUri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
+  return is_string($requestUri) ? $requestUri : '/';
+}
+
+function getAllowedExternalPublicAssetTargets(): array {
+  return [
+    '/webGui/images/case-model.png' => '/boot/config/plugins/dynamix/case-model.png',
+  ];
+}
+
+function isAllowedPublicAssetRequest(string $requestUri, string $docroot, array $arrWhitelist): bool {
+  if (!in_array($requestUri, $arrWhitelist, true)) {
+    return false;
+  }
+
+  $realRequestPath = realpath($docroot . '/' . ltrim($requestUri, '/'));
+  if (is_string($realRequestPath) && isPathInDocroot($realRequestPath, $docroot)) {
+    return true;
+  }
+
+  $allowedExternalTargets = getAllowedExternalPublicAssetTargets();
+  return isset($allowedExternalTargets[$requestUri]) &&
+    $realRequestPath === $allowedExternalTargets[$requestUri];
+}
 
 // Base whitelist of files
 $arrWhitelist = [
@@ -54,12 +98,22 @@
   '/manifest.json'
 ];
 
-// Whitelist ALL files from the unraid-components directory
-$webComponentsDirectory = '/plugins/dynamix.my.servers/unraid-components/';
-$requestUri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '/';
+// Use canonical filesystem path checks against the trusted docroot.
+$docroot = '/usr/local/emhttp';
+$requestUri = getRequestUriPath();
+$canonicalRequestUri = getCanonicalRequestUri($docroot);
+
+// Allow explicit public assets with strict target checks.
+if (isAllowedPublicAssetRequest($requestUri, $docroot, $arrWhitelist)) {
+  http_response_code(200);
+  exit;
+}
 
-// Check if the request is for any file in the unraid-components directory
-if (str_starts_with($requestUri, $webComponentsDirectory) || in_array($requestUri, $arrWhitelist)) {
+// Allow canonical requests under unraid-components.
+if (
+  $canonicalRequestUri !== '' &&
+  isWebComponentsRequest($canonicalRequestUri)
+) {
   // authorized
   http_response_code(200);
 } else {

emhttp/plugins/dynamix.docker.manager/javascript/docker.js

@@ -51,6 +51,8 @@ function addDockerContainerContext(container, image, template, started, paused,
   }
   context.destroy('#'+id);
   context.attach('#'+id, opts);
+  $('#dropdown-'+id).css('z-index', 10001)
+    .append('<li class="docker-dropdown-spacer" aria-hidden="true" style="position:absolute;top:100%;left:0;width:1px;height:60px;pointer-events:none;list-style:none"></li>');
 }
 function addDockerImageContext(image, imageTag) {
   var opts = [];

emhttp/plugins/dynamix.plugin.manager/scripts/language

@@ -86,6 +86,26 @@ function run($command) {
   return pclose($run);
 }
 
+function remove_tree(string $dir): bool {
+  if (!is_dir($dir)) return false;
+  $items = scandir($dir);
+  if ($items === false) return false;
+  foreach ($items as $item) {
+    if ($item === '.' || $item === '..') continue;
+    $entry = "$dir/$item";
+    if (is_dir($entry) && !is_link($entry)) {
+      if (!remove_tree($entry)) return false;
+    } elseif (!@unlink($entry)) {
+      return false;
+    }
+  }
+  return @rmdir($dir);
+}
+
+function valid_language_pack_name($name): bool {
+  return is_string($name) && $name !== '' && preg_match('/^[A-Za-z0-9._$-]+$/', $name);
+}
+
 // Run hooked scripts before correct execution of "method"
 // method = install, update, remove, check
 // hook programs receives three parameters: type=language and method and language-name
@@ -159,7 +179,11 @@ function language($method, $xml_file, &$error) {
   switch ($method) {
   case 'install':
     $url = $xml->LanguageURL;
-    $name = $xml->LanguagePack;
+    $name = (string)$xml->LanguagePack;
+    if (!valid_language_pack_name($name)) {
+      $error = "invalid language pack";
+      return false;
+    }
     $save = "$boot/dynamix/lang-$name.zip";
     if (!file_exists($save)) {
       if ($url) {
@@ -173,22 +197,54 @@ function language($method, $xml_file, &$error) {
       }
     }
     $path = "$docroot/languages/$name";
-    exec("mkdir -p $path");
+    if (!is_dir($path) && !@mkdir($path, 0777, true)) {
+      $error = "failed to create language directory";
+      return false;
+    }
     @unlink("$docroot/webGui/javascript/translate.$name.js");
-    foreach (glob("$path/*.dot",GLOB_NOSORT) as $dot_file) unlink($dot_file);
-    exec("unzip -qqLjo -d $path $save", $dummy, $err);
+    foreach (['*.dot', '*.txt', '*.json'] as $pattern) {
+      foreach (glob("$path/$pattern", GLOB_NOSORT) as $lang_file) @unlink($lang_file);
+    }
+    $err = 0;
+    $zip = new ZipArchive();
+    if ($zip->open($save) === true) {
+      for ($i = 0; $i < $zip->numFiles; $i++) {
+        $entry = $zip->getNameIndex($i);
+        if ($entry === false) continue;
+        if (substr($entry, -1) === '/') continue;
+        $content = $zip->getFromIndex($i);
+        if ($content === false) {
+          $err = 2;
+          break;
+        }
+        $entryName = strtolower(basename($entry));
+        if ($entryName === '') continue;
+        if (!preg_match('/\.(dot|txt|json)$/', $entryName)) continue;
+        if (file_put_contents("$path/$entryName", $content) === false) {
+          $err = 2;
+          break;
+        }
+      }
+      $zip->close();
+    } else {
+      $err = 2;
+    }
     if ($err > 1) {
       @unlink($save);
-      exec("rm -rf $path");
+      remove_tree($path);
       $error = "unzip failed. Error code $err";
       return false;
     }
     return true;
   case 'remove':
-    $name = $xml->LanguagePack;
+    $name = (string)$xml->LanguagePack;
     if ($name) {
+      if (!valid_language_pack_name($name)) {
+        $error = "invalid language pack";
+        return false;
+      }
       $path = "$docroot/languages/$name";
-      exec("rm -rf $path");
+      if (is_dir($path)) remove_tree($path);
       @unlink("$docroot/webGui/javascript/translate.$name.js");
       @unlink("$boot/lang-$name.xml");
       @unlink("$plugins/lang-$name.xml");

emhttp/plugins/dynamix.vm.manager/VMMachines.page

@@ -503,7 +503,12 @@ function tableHeaderResize() {
 $(function() {
 <?if ($msg):?>
   <?$color = strpos($msg, "rror:")!==false ? 'red-text':'green-text'?>
-  $('#countdown').html("<span class='<?=$color?>'><?=_($msg)?></span>");
+  $('#countdown').empty().append(
+    $('<span/>', {
+      class: '<?=$color?>',
+      text: <?=json_encode(_($msg), JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT)?>
+    })
+  );
 <?endif;?>
   $('#btnAddVM').click(function AddVMEvent(){$('.tab>input#tab2').click();});
   $.removeCookie('lockbutton');

emhttp/plugins/dynamix/include/FileUpload.php

@@ -21,6 +21,28 @@
 $safeexts  = ['.png'];
 $result    = false;
 
+function in_safe_path(string $path, string $base): bool {
+  $path = rtrim($path, '/').'/';
+  $base = rtrim($base, '/').'/';
+  return strpos($path, $base) === 0;
+}
+
+function remove_tree(string $dir): bool {
+  if (!is_dir($dir)) return false;
+  $items = scandir($dir);
+  if ($items === false) return false;
+  foreach ($items as $item) {
+    if ($item === '.' || $item === '..') continue;
+    $entry = "$dir/$item";
+    if (is_dir($entry) && !is_link($entry)) {
+      if (!remove_tree($entry)) return false;
+    } elseif (!@unlink($entry)) {
+      return false;
+    }
+  }
+  return @rmdir($dir);
+}
+
 require_once "$docroot/webGui/include/Helpers.php";
 
 switch ($_POST['cmd'] ?? 'load') {
@@ -47,20 +69,37 @@
 case 'save':
   // move uploaded file ($verifiedPNG) to final destination
   $verifiedPNG = "$temp/".basename($file);
-  $path = $_POST['path'];
+  $path = $_POST['path'] ?? '';
+  $outputRaw = $_POST['output'] ?? '';
+  $output = basename($outputRaw);
+  $outputExt = strtolower(substr($output, -4));
+  $isValidFilename = $output !== '' && $output === $outputRaw && preg_match('/^[A-Za-z0-9._$-]+$/', $output);
   foreach ($safepaths as $safepath) {
-    if (strpos(dirname("$path/{$_POST['output']}"),$safepath)===0 && in_array(substr(basename($_POST['output']),-4),$safeexts)) {
-      exec("mkdir -p ".escapeshellarg(realpath($path)));
-      $result = @rename($verifiedPNG, "$path/{$_POST['output']}");
+    $safeBase = realpath($safepath);
+    $targetDir = realpath($path);
+    if (!$targetDir && $safeBase) {
+      $parentDir = realpath(dirname($path));
+      if ($parentDir && in_safe_path($parentDir, $safeBase) && @mkdir($path, 0777, true)) {
+        $targetDir = realpath($path);
+      }
+    }
+    if ($targetDir && $safeBase && in_safe_path($targetDir, $safeBase) && $isValidFilename && in_array($outputExt, $safeexts, true)) {
+      if (is_dir($targetDir)) {
+        $result = @rename($verifiedPNG, "$targetDir/$output");
+      }
       break;
     }
   }
   break;
 case 'delete':
-  $path = $_POST['path'];
+  $path = $_POST['path'] ?? '';
+  $file = basename($file);
+  $targetFile = realpath("$path/$file");
+  $targetExt = $targetFile ? strtolower(substr($targetFile, -4)) : '';
   foreach ($safepaths as $safepath) {
-    if (strpos(realpath("$path/$file"), $safepath) === 0 && in_array(substr(realpath("$path/$file"), -4), $safeexts)) {
-      exec("rm -f ".escapeshellarg(realpath("$path/$file")));
+    $safeBase = realpath($safepath);
+    if ($targetFile && $safeBase && in_safe_path($targetFile, $safeBase) && in_array($targetExt, $safeexts, true)) {
+      @unlink($targetFile);
       $result = true;
       break;
     }
@@ -70,14 +109,37 @@
   $file = basename($file);
   $path = "$docroot/languages/$file";
   $save = "/tmp/lang-$file.zip";
-  exec("mkdir -p $path");
+  if (!is_dir($path) && !@mkdir($path, 0777, true)) break;
   if ($result = file_put_contents($save,base64_decode(preg_replace('/^data:.*;base64,/','',$_POST['filedata'])))) {
     @unlink("$docroot/webGui/javascript/translate.$file.js");
     foreach (glob("$path/*.dot",GLOB_NOSORT) as $dot_file) unlink($dot_file);
-    exec("unzip -qqjLo -d $path $save", $dummy, $err);
+    $err = 0;
+    $zip = new ZipArchive();
+    if ($zip->open($save) === true) {
+      for ($i = 0; $i < $zip->numFiles; $i++) {
+        $entry = $zip->getNameIndex($i);
+        if ($entry === false) continue;
+        if (substr($entry, -1) === '/') continue;
+        $content = $zip->getFromIndex($i);
+        if ($content === false) {
+          $err = 2;
+          break;
+        }
+        $name = strtolower(basename($entry));
+        if ($name === '') continue;
+        if (!preg_match('/\.(dot|txt|json)$/', $name)) continue;
+        if (file_put_contents("$path/$name", $content) === false) {
+          $err = 2;
+          break;
+        }
+      }
+      $zip->close();
+    } else {
+      $err = 2;
+    }
     @unlink($save);
     if ($err > 1) {
-      exec("rm -rf $path");
+      remove_tree($path);
       $result = false;
       break;
     }
@@ -101,7 +163,7 @@
   $file = basename($file);
   $path = "$docroot/languages/$file";
   if ($result = is_dir($path)) {
-    exec("rm -rf $path");
+    $result = remove_tree($path);
     @unlink("$docroot/webGui/javascript/translate.$file.js");
     @unlink("$boot/lang-$file.xml");
     @unlink("$plugins/lang-$file.xml");

emhttp/plugins/dynamix/include/ToggleState.php

@@ -19,7 +19,7 @@
 $action = $_POST['action']??'';
 
 function emcmd($cmd) {
-  exec("emcmd '$cmd'");
+  exec("emcmd ".escapeshellarg($cmd));
 }
 switch ($device) {
 case 'New':