Fix not to quotemeta hardcoded flag #2159

https://github.com/webmin/webmin/issues/2567

CHANGELOG.md

@@ -1,15 +1,54 @@
 ## Changelog
 
+#### 2.520 (October 4, 2025)
+* Fix to make sure the mail URL uses a well-known host name [security]
+* Fix support for other Raspberry Pi sensors [#2545](https://github.com/webmin/webmin/issues/2545)
+* Fix the printing of the bottom button row in the form column table
+* Fix to recommend Perl `Sys::Syslog` module [#2557](https://github.com/webmin/webmin/issues/2557)
+* Fix to avoid using short hostname in HTTPS redirects when an FQDN is available
+* Fix to use _/proc_ sampler instead of `vmstat` for the same output with much lower overhead
+* Fix to query specific fields in FreeBSD memory stats collection, cutting CPU use by 80%
+* Fix to kill Webmin subprocesses during RC stop on FreeBSD and other systems
+* Fix to correctly fetch command version in `PPTP VPN Client` module [#2567](https://github.com/webmin/webmin/issues/2567)
+* Add a complete overhaul of `var_dump` subroutine, which is now fully portable
+* Update the Authentic theme to the latest version with various fixes:
+  - Fix the text color when reading email in the Read User Mail module [webmin#2555](https://github.com/webmin/webmin/issues/2555)
+  - Fix to ensure the selected color palette is correctly stored when changed manually [webmin#2552](https://github.com/webmin/webmin/issues/2552)
+  - Fix a bug when the Webmin version label was missing when copying to clipboard system information from the dashboard
+  - Fix DNS query spike from network stats collection on FreeBSD [webmin#2556](https://github.com/webmin/webmin/issues/2556)
+  - Fix to display the appropriate icon for proxy mode on new Bunny DNS
+  - Fix spinner color in toast messages for dark palette
+  - Fix other bugs and add various small improvements
+
+#### 2.510 (September 16, 2025)
+* Fix to ensure DNSSEC re-signing period is less than 30 days in the BIND DNS module
+* Fix to treat 201 as a valid response code in the internal download function
+* Update the Authentic theme to the latest version with various improvements and fixes:
+  - Add optimizations to dashboard graphs with dynamic trimming to prevent page lagging
+  - Add improvements to how the system cache for the dashboard is updated
+  - Add support to correctly reload the page in proxy mode
+  - Add an option to choose if default page should always load when switching navigation
+  - Fix to ensure the color palette is preserved for the user [webmin#2537](https://github.com/webmin/webmin/issues/2537)
+  - Fix algorithm for calculating rows per page in data table pagination
+  - Fix the alert info box text color for dark mode
+  - Fix critical lags and appearance of Custom Commands module 
+
+#### 2.501 (September 10, 2025)
+* Add support for Raspberry Pi sensors #2539 #2517
+* Add Squid 7 support
+* Update the Authentic theme to the latest version with the following fixes:
+  - Fix broken editor in "Bootup and Shutdown" module
+
 #### 2.500 (September 4, 2025)
 * Add support for the Webmin webserver to work in both HTTP and HTTPS modes at the same time
 * Add distinct warning to the login page if the connection is not secure
-* Add support for timeouts in temporary rules in FirewallD module
+* Add support for timeouts in temporary rules in "FirewallD" module
 * Add support for the new Dovecot version 2.4
 * Add support for MariaDB version 12 #2522
 * Add support for IMAP through a local command for Usermin
 * Add latest SSLeay support for redirects to SSL work
 * Add improvements to "Bootup and Shutdown" module for _systemd_ systems
-* Add field for secondary server key in BIND module
+* Add field for secondary server key in "BIND DNS Server" module
 * Add reversible encryption helpers API
 * Add API to display relative dates
 * Add API to mask sensitive text, like displayed passwords, unless hovered over
@@ -21,7 +60,7 @@
 * Change "Last Logins" on the dashboard to show usernames, relative dates, and all users from the past 3 days
 * Change to always enable HSTS by default
 * Fix MySQL/MariaDB to remove obsolete `set-variable` options that break modern config files #2497
-* Fix download link in table rows in MySQL/MariaDB module
+* Fix download link in table rows in "MySQL/MariaDB Database Server" module
 * Fix module not to fail on old MySQL 5.5
 * Update the Authentic theme to the latest version with various improvements and fixes:
   - Add support to automatically set the color palette based on OS or browser preferences

README-zh.md

@@ -44,7 +44,7 @@ Webmin 可以两种方法安装：
 ### 贡献者
 
 * [Joe Cooper](https://github.com/swelljoe)
-* [Ilia Rostovtsev](https://github.com/iliajie)
+* [Ilia Rostovtsev](https://github.com/iliaross)
 * [Kay Marquardt](https://github.com/gnadelwartz)
 * [Nawawi Jamili](https://github.com/nawawi) + [其他无偿奉献的开发者](https://github.com/webmin/webmin/graphs/contributors)
 

README.md

@@ -48,13 +48,13 @@ For detailed installation instructions check our guide on [webmin.com/download](
 * [Jamie Cameron](https://www.webmin.com/about.html) [![](https://github.com/webmin-devel/webmin/blob/master/media/linkedin-15x15.png?raw=true)](https://www.linkedin.com/in/jamiecameron2)
 
 ### Developers
-* [Ilia Rostovtsev](https://github.com/iliajie)
+* [Ilia Rostovtsev](https://github.com/iliaross)
 * [Joe Cooper](https://github.com/swelljoe)
 
 ### Contributors
 * [Kay Marquardt](https://github.com/gnadelwartz)
 * [Nawawi Jamili](https://github.com/nawawi)
-* [unknown10777](https://github.com/unknown10777) + [90 more..](https://github.com/webmin/webmin/graphs/contributors)
+* [unknown10777](https://github.com/unknown10777) + [90 more...](https://github.com/webmin/webmin/graphs/contributors)
 
 ## License
 

backup-config/edit.cgi

@@ -15,6 +15,8 @@ if ($in{'new'}) {
 	$backup = { 'emode' => 0,
 		    'email' => $gconfig{'webmin_email_to'},
 		    'sched' => 1,
+		    'configfile' => 1,
+		    'nofiles' => 0,
 		    'mins' => 0,
 		    'hours' => 0,
 		    'days' => '*',

bin/disable-twofactor

@@ -116,4 +116,4 @@ Name of the user to disable two-factor authentication for.
 
  Copyright 2018 Jamie Cameron <jcameron@webmin.com>
                 Joe Cooper <joe@virtualmin.com>
-                Ilia Rostovtsev <ilia@virtualmin.com>
+                Ilia Ross <ilia@virtualmin.com>

bin/passwd

@@ -260,5 +260,5 @@ Set new user password. Using this option may be unsecure.
 
  Copyright 2018 Jamie Cameron <jcameron@webmin.com>
                 Joe Cooper <joe@virtualmin.com>
-                Ilia Rostovtsev <ilia@virtualmin.com>
+                Ilia Ross <ilia@virtualmin.com>
 

bin/server

@@ -174,5 +174,5 @@ sub root
 
  Copyright 2018 Jamie Cameron <jcameron@webmin.com>
                 Joe Cooper <joe@virtualmin.com>
-                Ilia Rostovtsev <ilia@virtualmin.com>
+                Ilia Ross <ilia@virtualmin.com>
 

bin/webmin

@@ -9,6 +9,13 @@ use Getopt::Long qw(:config permute pass_through);
 use Term::ANSIColor qw(:constants);
 use Pod::Usage;
 
+# Check if root
+if ($> != 0) {
+    die BRIGHT_RED, "Error: ", RESET, BRIGHT_YELLOW,"webmin", RESET, 
+        " command must be run as root\n";
+    exit 1;
+    }
+
 my $a0 = $ARGV[0];
 
 sub main {
@@ -457,5 +464,5 @@ Returns Webmin and other modules and themes versions installed (only those for w
 
  Copyright 2018 Jamie Cameron <jcameron@webmin.com>
                 Joe Cooper <joe@virtualmin.com>
-                Ilia Rostovtsev <ilia@virtualmin.com>
+                Ilia Ross <ilia@virtualmin.com>
 

bind8/bind8-lib.pl

@@ -1135,6 +1135,10 @@ elsif ($type eq "CNAME") {
 	print &ui_table_row($text{'value_CNAME1'},
 	    &ui_textbox("value0", $v[0], 30)." ($text{'edit_cnamemsg'})", 3);
 	}
+elsif ($type eq "ALIAS") {
+	print &ui_table_row($text{'value_ALIAS1'},
+	    &ui_textbox("value0", $v[0], 30)." ($text{'edit_cnamemsg'})", 3);
+	}
 elsif ($type eq "MX") {
 	print &ui_table_row($text{'value_MX2'},
 	    &ui_textbox("value1", $v[1], 30));
@@ -3117,7 +3121,11 @@ $slave_error = $_[0];
 
 sub get_forward_record_types
 {
-return ("A", "NS", "CNAME", "MX", "HINFO", "TXT", "SPF", "DMARC", "WKS", "RP", "PTR", "LOC", "SRV", "KEY", "TLSA", "SSHFP", "CAA", "NAPTR", "NSEC3PARAM", $config{'support_aaaa'} ? ( "AAAA" ) : ( ), @extra_forward);
+return ("A", "NS", "CNAME",
+	$config{'allow_alias'} ? ( "ALIAS" ) : ( ),
+	"MX", "HINFO", "TXT", "SPF", "DMARC", "WKS", "RP", "PTR", "LOC",
+	"SRV", "KEY", "TLSA", "SSHFP", "CAA", "NAPTR", "NSEC3PARAM",
+	$config{'support_aaaa'} ? ( "AAAA" ) : ( ), @extra_forward);
 }
 
 sub get_reverse_record_types

bind8/config-AlmaLinux-6.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-CentOS-Linux-6.0-7.9

@@ -52,3 +52,4 @@ spf_record=0
 dnssec_info=1
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-CentOS-Linux-8.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-CentOS-Stream-Linux-8.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-CloudLinux-8.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-Oracle-Linux-8.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-Redhat-Enterprise-Linux-6.0-7.9

@@ -50,3 +50,4 @@ tmpl_dnssec_dt=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-Redhat-Enterprise-Linux-8.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-Rocky-Linux-6.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-Scientific-Linux-6.0-ALL

@@ -47,3 +47,4 @@ restart_cmd=service named restart
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-Ubuntu-Linux-18.04-22.99

@@ -48,3 +48,4 @@ start_cmd=systemctl start bind9.service
 stop_cmd=systemctl stop bind9.service
 restart_cmd=systemctl reload bind9.service
 dnssec_period=21
+allow_alias=0

bind8/config-Ubuntu-Linux-24.04-ALL

@@ -48,3 +48,4 @@ start_cmd=systemctl start named.service
 stop_cmd=systemctl stop named.service
 restart_cmd=systemctl reload named.service
 dnssec_period=21
+allow_alias=0

bind8/config-aix

@@ -38,3 +38,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-cobalt-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-coherent-linux

@@ -44,3 +44,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-corel-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-debian-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-debian-linux-10.0-11.99

@@ -48,3 +48,4 @@ start_cmd=systemctl start bind9.service
 stop_cmd=systemctl stop bind9.service
 restart_cmd=systemctl reload bind9.service
 dnssec_period=21
+allow_alias=0

bind8/config-debian-linux-12.0-ALL

@@ -48,3 +48,4 @@ start_cmd=systemctl start named.service
 stop_cmd=systemctl stop named.service
 restart_cmd=systemctl reload named.service
 dnssec_period=21
+allow_alias=0

bind8/config-debian-linux-2.2

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-debian-linux-3.0

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-debian-linux-3.1-9.0

@@ -44,3 +44,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-freebsd-12.0-ALL

@@ -41,3 +41,4 @@ force_random=0
 spf_record=0
 pid_file=/var/run/named/pid
 dnssec_info=1
+allow_alias=0

bind8/config-freebsd-2.1-2.2

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-freebsd-3.0

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-freebsd-3.1-3.5

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-freebsd-4.0-11.0

@@ -41,3 +41,4 @@ force_random=0
 spf_record=0
 pid_file=/var/run/named/pid
 dnssec_info=1
+allow_alias=0

bind8/config-generic-linux

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-gentoo-linux

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-hpux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-irix

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-macos

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-macos-1.3-ALL

@@ -41,3 +41,4 @@ pid_file=/var/run/named/named.pid /private/var/run/named/named.pid
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-mandrake-linux

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-mandrake-linux-10.2-ALL

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-msc-linux

@@ -42,3 +42,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-netbsd

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-open-linux

@@ -42,3 +42,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-openSUSE-Linux-15.0-ALL

@@ -48,3 +48,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-openbsd-2.5-3.1

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-openbsd-3.2-ALL

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-openmamba-linux

@@ -42,3 +42,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-openserver

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-osf1

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-pardus-linux

@@ -45,3 +45,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-redhat-linux-7.0-ALL

@@ -52,3 +52,4 @@ stop_cmd=systemctl stop named
 restart_cmd=systemctl reload named
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-redhat-linux-ALL-6.0

@@ -52,3 +52,4 @@ spf_record=0
 dnssec_info=1
 chroot=
 auto_chroot=
+allow_alias=0

bind8/config-slackware-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-slackware-linux-8.0-ALL

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-sol-linux

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-solaris

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-solaris-10-ALL

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-solaris-7-9

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-suse-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-suse-linux-8.2

@@ -45,3 +45,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-suse-linux-9.0-9.2

@@ -46,3 +46,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-suse-linux-9.3-ALL

@@ -48,3 +48,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-syno-linux

@@ -35,3 +35,4 @@ other_slaves=1
 updserial_man=1
 master_ttl=1
 dnssec_info=1
+allow_alias=0

bind8/config-trustix-linux

@@ -47,3 +47,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-trustix-linux-2.1

@@ -47,3 +47,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-trustix-linux-2.2-ALL

@@ -47,3 +47,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-turbo-linux

@@ -40,3 +40,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-united-linux

@@ -43,3 +43,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-unixware

@@ -41,3 +41,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config-windows

@@ -58,3 +58,4 @@ other_slaves=1
 force_random=0
 spf_record=0
 dnssec_info=1
+allow_alias=0

bind8/config.info

@@ -19,6 +19,7 @@ support_aaaa=Support DNS for IPv6 addresses,1,1-Yes,0-No
 allow_comments=Allow comments for records,1,1-Yes,0-No
 allow_wild=Allow wildcards?,1,1-Yes,0-No
 allow_underscore=Allow underscores in record names?,1,1-Yes,0-No
+allow_alias=Allow ALIAS records?,1,1-Yes,0-No
 short_names=Convert record names to canonical form?,1,0-Yes,1-No
 extra_forward=Extra record types for forward zones,0
 extra_reverse=Extra record types for reverse zones,0

bind8/lang/en

@@ -398,6 +398,7 @@ type_A=Address
 type_AAAA=IPv6 Address
 type_NS=Name Server
 type_CNAME=Name Alias
+type_ALIAS=Address Alias
 type_MX=Mail Server
 type_HINFO=Host Information
 type_NSEC3PARAM=DNSSEC Parameters
@@ -420,6 +421,7 @@ edit_A=Address
 edit_AAAA=IPv6 Address
 edit_NS=Name Server
 edit_CNAME=Name Alias
+edit_ALIAS=Address Alias
 edit_MX=Mail Server
 edit_HINFO=Host Information
 edit_TXT=Text
@@ -442,6 +444,7 @@ recs_A=Address
 recs_AAAA=IPv6 Address
 recs_NS=Name Server
 recs_CNAME=Name Alias
+recs_ALIAS=Address Alias
 recs_MX=Mail Server
 recs_HINFO=Host Information
 recs_TXT=Text
@@ -465,6 +468,7 @@ value_A1=Address
 value_AAAA1=IPv6 Address
 value_NS1=Name Server
 value_CNAME1=Real Name
+value_ALIAS1=Copy Address From
 value_MX1=Priority
 value_MX2=Mail Server
 value_HINFO1=Hardware
@@ -1203,6 +1207,7 @@ dnssec_secs=seconds
 dnssec_desc=Zones signed with DNSSEC typically have two keys - a zone key which must be re-generated and signed regularly, and a key signing key which remains constant. This page allows you to configure Webmin to perform this re-signing automatically.
 dnssec_err=Failed to save DNSSEC key re-signing
 dnssec_eperiod=Missing or invalid number of days between re-signs
+dnssec_eperiod30=Number of days between re-signs must be less than 30
 
 dnssectools_title=DNSSEC-Tools Automation
 dt_conf_title=DNSSEC-Tools Automation

bind8/save_dnssec.cgi

@@ -16,6 +16,7 @@ require './bind8-lib.pl';
 $access{'defaults'} || &error($text{'dnssec_ecannot'});
 
 $in{'period'} =~ /^[1-9]\d*$/ || &error($text{'dnssec_eperiod'});
+$in{'period'} < 30 || &error($text{'dnssec_eperiod30'});
 
 # Create or delete the cron job
 my $job = &get_dnssec_cron_job();

bind8/save_dnssectools.cgi

@@ -48,8 +48,10 @@ $in{'dt_zsklife'} =~ /(\b[0-9]+\b)/  ||
 	&error($text{'dt_conf_ezsklife'});
 $nv{'zsklife'} = $1;
 
-&save_dnssectools_directive($conf, \%nv);
+$in{'period'} =~ /^[1-9]\d*$/ || &error($text{'dnssec_eperiod'});
+$in{'period'} < 30 || &error($text{'dnssec_eperiod30'});
 
+&save_dnssectools_directive($conf, \%nv);
 
 &lock_file($module_config_file);
 $config{'dnssec_period'} = $in{'period'};

bind8/save_record.cgi

@@ -216,6 +216,13 @@ else {
 			$vals .= ".";
 			}
 		}
+	elsif ($in{'type'} eq "ALIAS") {
+		&valname($vals) ||
+			&error(&text('edit_ecname', $vals));
+		if ($vals =~ /\.\Q$in{'origin'}\E$/) {
+			$vals .= ".";
+			}
+		}
 	elsif ($in{'type'} eq "MX") {
 		&valname($in{'value1'}) ||
 			&error(&text('edit_emx', $in{'value1'}));

custom/custom-lib.pl

@@ -647,5 +647,4 @@ else {
 	}
 }
 
-
 1;

custom/help/cmd.html

@@ -1 +1,59 @@
-Jedes Kommando hat eine Beschreibung, die auf der Schaltfläche auf der Hauptseite angezeigt wird, sowie ein auszuführendes Kommando. Kommandos werden von <tt>sh</tt> ausgeführt und können daher Shell-Metazeichen wie <tt>|</tt>, <tt>&gt;</tt> und <tt>&amp;</tt> enthalten. Ebenso können Parameter wie <tt>$foo</tt> verwendet werden, die vor der Ausführung vom/von der Benutzer abgefragt werden.<p>Diese Parameter können in die untenstehende Tabelle eingetragen werden. Für jeden Parameter müssen folgende Angaben gemacht werden:<dl><dt><b>Name</b><dd>Ein eindeutiger Code für den Parameter. Wenn der Name <tt>foo</tt> lautet, wird <tt>$foo</tt> durch diese Eingabe ersetzt, wenn das Kommando ausgeführt wird.<p><dt><b>Beschreibung</b><dd>Diese Beschreibung wird neben den Parametern auf der Hauptseite angezeigt.<p><dt><b>Typ</b><dd>Diese Option bestimmt, wie der Parameter eingegeben wird. Mögliche Optionen sind:<ul><li><b>Text</b><br>Freie Texteingabe<li><b>Benutzer</b><br>Ein:e Benutzer Ihres Systems<li><b>UID</b><br>Die Benutzer-ID eines/einer Benutzer Ihres Systems<li><b>Gruppe</b><br>Ein Gruppenname Ihres Systems<li><b>GID</b><br>Die Gruppen-ID einer Gruppe Ihres Systems<li><b>Datei</b><br>Der vollständige Pfad zu einer Datei<li><b>Verzeichnis</b><br>Der vollständige Pfad zu einem Verzeichnis<li><b>Option</b><br>Eine Ja/Nein-Eingabe, die den Parameter auf den Wert setzt, der im Feld daneben eingetragen ist – aber nur, wenn <tt>JA</tt> ausgewählt wurde.<li><b>Passwort</b><br>Eine vollständig freie Texteingabe, wobei die Eingabe als „<tt>*</tt>“ maskiert wird.<li><b>Menü</b><br>Ein Dropdown-Menü mit Optionen, die aus der Datei entnommen werden, die im Feld daneben angegeben ist.</ul><p><dt><b>Parameter zitieren?</b><dd>Wenn <tt>Ja</tt> ausgewählt ist, werden die Parameter vor der Ausführung in Anführungszeichen (<tt>"</tt>) gesetzt. Dies ermöglicht die Verwendung von Parametern mit Leerzeichen.<p></dl><hr>
+Each command has a description (displayed on the button on the main page),
+and an actual command to execute. This command string can contain shell
+operators like |, &gt; and ; for executing multiple commands and pipelines.
+The string can also contain parameters like <tt>$foo</tt>, which are replaced
+by user inputs when the command is run. <p>
+
+These parameters can be entered into the table at the bottom of the page.
+For each parameter you must enter :
+<dl>
+<dt><b>Name</b>
+<dd>A unique code for this parameter. If the name is <tt>foo</tt>, then
+    <tt>$foo</tt> will be replaced by the parameter value when the command
+    is executed.<p>
+<dt><b>Description</b>
+<dd>The description next to this parameter on the main page.<p>
+<dt><b>Type</b>
+<dd>This option controls how the parameter is input. Available options are :
+	<ul>
+	<li><b>Text</b><br>
+	    A totally free-text input.
+	<li><b>User</b><br>
+	    A username from your system.
+	<li><b>UID</b><br>
+	    The UID of a user from your system.
+	<li><b>Group</b><br>
+	    A group name from your system.
+	<li><b>GID</b><br>
+	    The GID of a group from your system.
+	<li><b>File</b><br>
+	    The full path to a file.
+	<li><b>Directory</b><br>
+	    The full path to a directory.
+	<li><b>Option</b><br>
+	    A Yes/No input that will set the parameter to whatever is in
+	    the field next to the type input only if Yes is chosen.
+	<li><b>Password</b><br>
+	    A totally free-text input, but with the password replaced by *'s.
+	<li><b>Menu</b><br>
+	    A drop-down menu of options, taken from the filename entered into
+	    the text field to it. Or, instead of a filename you can enter a
+	    command with an | at the end, whose output will be used to determine
+	    the available options.
+	<li><b>Upload</b><br>
+	    An input box for selecting a file on the client side, which will be
+	    uploaded to the server when the command is run. This will be be
+	    placed in a temporary file, and the path to that file will be the
+	    value of this parameter when the command is run.
+	<li><b>Textbox</b><br>
+	    A multi-line free text field. When the command is run, any newline
+	    characters in the entered text will be converted into spaces.
+	</ul><p>
+    In most cases, the default value for the parameter will be whatever you
+    enter in the text box next to the parameter type menu.
+<dt><b>Quote parameter?</b>
+<dd>If Yes, the parameter will be quoted with " before substitution, allowing
+    the user to enter values containing whitespaces.<p>
+</dl>
+
+<hr>

filemin/setfacl.cgi

@@ -50,7 +50,7 @@ if ($action ne '-b' && $action ne '-k') {
         $types .= " ".join(' ', @extra) ;
         }
     }
-my $args = quotemeta($action)." ".$types." ".quotemeta($recursive);
+my $args = quotemeta($action)." ".$types." ".$recursive;
 $args =~ s/\s+/ /g;
 $args = &trim($args);
 foreach my $file (@files) {

forgot.cgi

@@ -14,6 +14,12 @@ $trust_unknown_referers = 1;
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 my $timeout = $gconfig{'passreset_timeout'} || 15;
 $remote_user && &error($text{'forgot_elogin'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
+$ENV{'SSL_CN_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_CN'})))
+			if ($ENV{'HTTPS'} eq 'ON');
 
 # Check that the random ID is valid
 $in{'id'} =~ /^[a-f0-9]+$/i || &error($text{'forgot_eid'});
@@ -23,6 +29,12 @@ my $linkfile = $main::forgot_password_link_dir."/".$in{'id'};
 time() - $link{'time'} > 60*$timeout &&
 	&error(&text('forgot_etime', $timeout));
 
+# Check that the hostname in the original email matches the current hostname
+my ($basehost) = &parse_http_url(&get_webmin_email_url());
+if ($basehost ne $link{'host'}) {
+	&error($text{'forgot_ehost'});
+	}
+
 # Get the Webmin user
 &foreign_require("acl");
 my ($wuser) = grep { $_->{'name'} eq $link{'user'} } &acl::list_users();

forgot_form.cgi

@@ -13,9 +13,16 @@ $trust_unknown_referers = 1;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
+$ENV{'SSL_CN_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+ 		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_CN'})))
+		     	if ($ENV{'HTTPS'} eq 'ON');
 
 &ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1);
-
+print &ui_alert_box("<b> ⚠ ".$text{'forgot_nossl_warn'}, 'warn')
+        if ($gconfig{'forgot_pass'} == 2 && $ENV{'HTTPS'} ne 'ON');
 print "<center>\n";
 print $text{'forgot_desc'},"<p>\n";
 print &ui_form_start("forgot_send.cgi", "post");

forgot_send.cgi

@@ -12,6 +12,12 @@ $no_acl_check++;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
+$ENV{'SSL_CN_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+ 		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_CN'})))
+		     	if ($ENV{'HTTPS'} eq 'ON');
 
 # Lookup the Webmin user
 &foreign_require("acl");
@@ -103,8 +109,11 @@ sleep($maxtries);
 $wuser->{'pass'} eq '*LK*' && &error($text{'forgot_elock'});
 
 # Generate a random ID and tracking file for this password reset
+my $baseurl = &get_webmin_email_url();
+my ($basehost) = &parse_http_url($baseurl);
 my %link = ( 'id' => &acl::generate_random_id(),
 	     'remote' => $ENV{'REMOTE_ADDR'},
+	     'host' => $basehost,
 	     'time' => $now,
 	     'user' => $wuser->{'name'},
 	     'uuser' => $uuser ? $uuser->{'user'} : undef,
@@ -114,7 +123,6 @@ my $linkfile = $main::forgot_password_link_dir."/".$link{'id'};
 &lock_file($linkfile);
 &write_file($linkfile, \%link);
 &unlock_file($linkfile);
-my $baseurl = &get_webmin_email_url();
 my $url = $baseurl.'/forgot.cgi?id='.&urlize($link{'id'});
 my $username = $muser ? $muser->{'user'} :
 	       $uuser ? $uuser->{'user'} : $wuser->{'name'};

gray-theme/unauthenticated/gray-theme.css

@@ -891,3 +891,15 @@ body > .mode > b[data-mode="server-manager"] > a > .ff-cloudmin {
   field-sizing: content !important;
   min-width: 40px !important;
 }
+.text-danger {
+  color: #bc0303;
+}
+.text-success {
+  color: #3c763d;
+}
+.text-warning {
+  color: #b58900;
+}
+.text-info {
+  color: #108eda;
+}

lang/en

@@ -159,6 +159,7 @@ forgot_erandom=Failed to generate random ID!
 forgot_eid=Missing or invalid-looking reset ID!
 forgot_eid2=Reset ID is not valid!
 forgot_etime=Password reset email is more than $1 minutes old.
+forgot_ehost=Hostname mismatch in reset email
 forgot_newpass=New password for user $1
 forgot_newpass2=New password again
 forgot_passok=Change Password
@@ -182,6 +183,10 @@ forgot_eunixlock=User user's password is locked!
 forgot_elogin=Forgotten password pages cannot be used when you are already logged in to Webmin!
 forgot_erate=Too many password reset attempts for $1! Please try again later.
 forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery.
+forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed
+forgot_nossl=Yes, and allow over insecure connection
+forgot_esslhost=Forgotten password recovery cannot be used with invalid SSL hostname $1
+forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks.
 
 pam_header=Login to Webmin
 pam_mesg=You must respond to the question below to login to Webmin server on $1.

logviewer/lang/en

@@ -21,6 +21,7 @@ journal_since0=Latest available
 journal_since1=Real-time follow
 journal_since2=Current boot
 journal_since2-1=Last boot
+journal_since30=30 days ago
 journal_since3=7 days ago
 journal_since4=24 hours ago
 journal_since5=8 hours ago

logviewer/logviewer-lib.pl

@@ -36,6 +36,7 @@ return [
         { "--follow" => $text{'journal_since1'} },
         { "--boot" => $text{'journal_since2'} },
         { "--boot -1" => $text{'journal_since2-1'} },
+        { "--since '30 days ago'" => $text{'journal_since30'} },
         { "--since '7 days ago'" => $text{'journal_since3'} },
         { "--since '24 hours ago'" => $text{'journal_since4'} },
         { "--since '8 hours ago'" => $text{'journal_since5'} },

makedebian.pl

@@ -109,7 +109,7 @@ if ($product eq "webmin") {
 $size = int(`du -sk $tmp_dir`);
 @deps = ( "perl", "libnet-ssleay-perl", "openssl", "libauthen-pam-perl", "libpam-runtime", "libio-pty-perl", "unzip", "shared-mime-info", "tar", "libdigest-sha-perl", "libdigest-md5-perl", "gzip" );
 $deps = join(", ", @deps);
-@recommends = ( "libdatetime-perl", "libdatetime-timezone-perl", "libdatetime-locale-perl", "libtime-piece-perl", "libencode-detect-perl", "libtime-hires-perl", "libsocket6-perl", "html2text", "qrencode", "libdbi-perl", "libdbd-mysql-perl", "libjson-xs-perl" );
+@recommends = ( "libdatetime-perl", "libdatetime-timezone-perl", "libdatetime-locale-perl", "libtime-piece-perl", "libencode-detect-perl", "libtime-hires-perl", "libsocket6-perl", "html2text", "qrencode", "libdbi-perl", "libdbd-mysql-perl", "libjson-xs-perl", "libsys-syslog-perl" );
 $recommends = join(", ", @recommends);
 open(CONTROL, ">$control_file");
 print CONTROL <<EOF;

makemodulerpm.pl

@@ -34,7 +34,7 @@ my $allow_overwrite = 0;
 
 my ($force_theme, $no_prefix, $set_prefix,
     $obsolete_wbm, $vendor, $url, $force_usermin, $final_mod, $sign, $keyname,
-    $epoch, $dir, $ver, @exclude,
+    $epoch, $dir, $ver, @exclude, $copy_tar,
 
     $rpmdepends, $norpmdepends, $rpmrecommends, $norpmrecommends,
     $no_requires, $no_recommends, $no_suggests, $no_conflicts, $no_provides,
@@ -136,6 +136,9 @@ while(@ARGV) {
 	elsif ($a eq "--mod-list") {
 		$mod_list = shift(@ARGV);
 		}
+	elsif ($a eq "--copy-tar") {
+		$copy_tar = 1;
+		}
 	elsif ($a =~ /^\-\-/) {
 		print STDERR "Unknown option $a\n";
 		exit(1);
@@ -556,6 +559,15 @@ fi
 EOF
 close($SPEC);
 
+# Put the tar in /tmp too if tar package is requested
+my $tar_release_file;
+if ($copy_tar) {
+	my $tar_release = $release;
+	$tar_release =~ s/^[0-9]+//;
+	$tar_release_file = "$prefix$mod-$ver$tar_release.tar.gz";
+	system("cp $rpm_source_dir/$mod.tar.gz /tmp/$tar_release_file");
+	}
+
 # Build the actual RPM
 my $cmd = -x "/usr/bin/rpmbuild" ? "/usr/bin/rpmbuild" : "/bin/rpm";
 system("$cmd -ba $spec_dir/$prefix$mod.spec") && exit;
@@ -570,10 +582,20 @@ if ($sign) {
 if ($target_dir =~ /:/) {
 	# scp to dest
 	system("scp $rpm_dir/$prefix$mod-$ver-$release.noarch.rpm $target_dir/$prefix$mod-$ver-$release.noarch.rpm");
+	# scp the tar too if requested
+	if ($copy_tar) {
+		system("scp /tmp/$tar_release_file $target_dir/$tar_release_file");
+		unlink("/tmp/$tar_release_file");
+		}
 	}
 elsif ($rpm_dir ne $target_dir) {
 	# Just copy
 	system("/bin/cp $rpm_dir/$prefix$mod-$ver-$release.noarch.rpm $target_dir/$prefix$mod-$ver-$release.noarch.rpm");
+	# Copy the tar too if requested
+	if ($copy_tar) {
+		system("/bin/cp /tmp/$tar_release_file $target_dir/$tar_release_file");
+		unlink("/tmp/$tar_release_file");
+		}
 	}
 
 # read_file(file, &assoc, [&order], [lowercase])

makerpm.pl

@@ -88,7 +88,7 @@ Release: $rel
 Provides: %{name}-%{version} perl(WebminCore)
 Requires(pre): /usr/bin/perl
 Requires: /bin/sh /usr/bin/perl perl(lib) perl(open) perl(Net::SSLeay) perl(Time::Local) perl(Data::Dumper) perl(File::Path) perl(File::Basename) perl(Digest::SHA) perl(Digest::MD5) openssl unzip tar gzip
-Recommends: perl(DateTime) perl(DateTime::TimeZone) perl(DateTime::Locale) perl(Time::Piece) perl(Encode::Detect) perl(Time::HiRes) perl(Socket6) html2text shared-mime-info perl-File-Basename perl-File-Path perl-JSON-XS qrencode perl(DBI) perl(DBD::mysql)
+Recommends: perl(DateTime) perl(DateTime::TimeZone) perl(DateTime::Locale) perl(Time::Piece) perl(Encode::Detect) perl(Time::HiRes) perl(Socket6) perl(Sys::Syslog) html2text shared-mime-info perl-File-Basename perl-File-Path perl-JSON-XS qrencode perl(DBI) perl(DBD::mysql)
 AutoReq: 0
 License: BSD-3-Clause
 Group: System/Tools

miniserv.pl

@@ -941,7 +941,9 @@ while(1) {
 					    (ord($byte) & 0x80))) {
 						($ssl_con,
 						 $ssl_certfile,
-						 $ssl_keyfile) =
+						 $ssl_keyfile,
+						 $ssl_cn,
+						 $ssl_alts) =
 							&ssl_connection_for_ip(
 							    SOCK, $ipv6fhs{$s});
 						print DEBUG "ssl_con returned ".
@@ -1379,26 +1381,48 @@ $method = $page = $request_uri = undef;
 print DEBUG "handle_request reqline=$reqline\n";
 alarm(0);
 if (!$use_ssl && $config{'ssl'} && $config{'ssl_enforce'}) {
-	# This is an http request when https must be enforced
-	local $urlhost = $config{'musthost'} || $host;
-	$urlhost = "[".$urlhost."]" if (&check_ip6address($urlhost));
-	local $wantport = $port;
-	if ($wantport == 80 &&
-	    &indexof(443, @listening_on_ports) >= 0) {
-		# Connection was to port 80, but since we are also
-		# accepting on port 443, redirect to that
-		$wantport = 443;
+	# This is an HTTP request when HTTPS should be enforced
+	my $musthost = $config{'musthost'};
+	my $hostheader;
+	if (!$musthost) {
+		# Read host HTTP header because we want one earlier
+		alarm(10);
+		local $SIG{'ALRM'} = sub { die "timeout" };
+		while (defined(my $line = &read_line())) {
+			$line =~ s/\r|\n//g;
+			last if $line eq '';
+			if ($line =~ /^host:\s*(.*)$/i) {
+				$hostheader = "https://$1";
+				last;
+				}
+			}
+		alarm(0);
 		}
-	local $url = $wantport == 443
-		? "https://$urlhost/"
-		: "https://$urlhost:$wantport/";
+	# Host header must already contain full URL
+	my $url = $hostheader;
+	if (!$url) {
+		# No host header
+		local $urlhost = $musthost || $host;
+		$urlhost = "[".$urlhost."]" if (&check_ip6address($urlhost));
+		local $wantport = $port;
+		if ($wantport == 80 &&
+		&indexof(443, @listening_on_ports) >= 0) {
+			# Connection was to port 80, but since we are also
+			# accepting on port 443, redirect to that
+			$wantport = 443;
+			}
+		$url = $wantport == 443
+			? "https://$urlhost/"
+			: "https://$urlhost:$wantport/";
+		}
+	# Enforce HTTPS
 	&write_data("HTTP/1.0 302 Moved Temporarily\r\n");
 	&write_data("Date: $datestr\r\n");
 	&write_data("Server: @{[&server_info()]}\r\n");
 	&write_data("Location: $url\r\n");
 	&write_keep_alive(0);
 	&write_data("\r\n");
-	&log_error("Redirecting HTTP request to HTTPS for $acptip");
+	&log_error("Redirecting HTTP request to $url");
 	&log_request($loghost, $authuser, $reqline, 302, 0);
 	return 0;
 	}
@@ -2500,6 +2524,11 @@ if (&get_type($full) eq "internal/cgi" && $validated != 4) {
 	$ENV{"MINISERV_CONFIG"} = $config_file;
 	$ENV{"HTTPS"} = $use_ssl ? "ON" : "";
 	$ENV{"SSL_HSTS"} = $config{"ssl_hsts"};
+	if ($use_ssl) {
+		$ENV{"SSL_CN"} = $ssl_cn;
+		$ENV{"SSL_CN_CERT"} =
+			&ssl_hostname_match($header{'host'}, $ssl_alts);
+		}
 	$ENV{"MINISERV_PID"} = $miniserv_main_pid;
 	if ($use_ssl) {
 		$ENV{"MINISERV_CERTFILE"} = $ssl_certfile;
@@ -4776,11 +4805,18 @@ if ($config{'ssl_honorcipherorder'}) {
 eval 'Net::SSLeay::CTX_set_options($ssl_ctx,
         &Net::SSLeay::OP_NO_RENEGOTIATION)';
 
+# Get the hostnames each cert is valid for
+my $info = &cert_names($certfile);
+my @hosts;
+push(@hosts, $info->{'cn'}) if ($info->{'cn'});
+push(@hosts, @{$info->{'alt'}}) if ($info->{'alt'});
+
 return { 'keyfile' => $keyfile,
 	 'keytime' => $kst[9],
 	 'certfile' => $certfile,
 	 'certtime' => $cst[9],
 	 'extracas' => $extracas,
+	 'hosts' => \@hosts,
 	 'ctx' => $ssl_ctx };
 }
 
@@ -4816,8 +4852,9 @@ alarm(0);
 return undef if (!$ok);
 
 # Check for a per-hostname SSL context and use that instead
+my $h;
 if (defined(&Net::SSLeay::get_servername)) {
-	my $h = Net::SSLeay::get_servername($ssl_con);
+	$h = Net::SSLeay::get_servername($ssl_con);
 	if ($h) {
 		my $c = $ssl_contexts{$h} ||
 			$h =~ /^[^\.]+\.(.*)$/ && $ssl_contexts{"*.$1"};
@@ -4826,7 +4863,8 @@ if (defined(&Net::SSLeay::get_servername)) {
 			}
 		}
 	}
-return ($ssl_con, $ssl_ctx->{'certfile'}, $ssl_ctx->{'keyfile'});
+return ($ssl_con, $ssl_ctx->{'certfile'}, $ssl_ctx->{'keyfile'}, $h,
+	$ssl_ctx->{'hosts'});
 }
 
 # parse_websockets_config()
@@ -4873,8 +4911,7 @@ print DEBUG "in reload_config_file\n";
 &build_config_mappings();
 &read_webmin_crons();
 &precache_files();
-&setup_ssl_contexts()
-	if ($use_ssl);
+&setup_ssl_contexts() if ($use_ssl);
 &parse_websockets_config();
 if ($config{'session'}) {
 	dbmclose(%sessiondb);
@@ -5507,6 +5544,9 @@ foreach my $pe (split(/\t+/, $config{'expires_paths'})) {
 
 # Reset cache of sudo checks
 undef(%sudocache);
+
+# Reset cache of cert files
+undef(%cert_names_cache);
 }
 
 # is_group_member(&uinfo, groupname)
@@ -6995,3 +7035,75 @@ if (!$sig) {
 	}
 return $sig;
 }
+
+=head2 cert_names($file)
+
+Extract Common Name and Subject Alternative Names from an X.509 certificate
+file. Supports both PEM and DER certificates. Returns undef if file cannot be
+read or parsed. Cache results for speed.
+
+=cut
+sub cert_names
+{
+my ($file) = @_;
+return $cert_names_cache{$file} if ($cert_names_cache{$file});
+return undef if (!$file || !-r $file);
+my %rv;
+my $cert;
+
+# Try PEM first
+my $bio = Net::SSLeay::BIO_new_file($file, 'r');
+if ($bio) {
+	$cert = Net::SSLeay::PEM_read_bio_X509($bio);
+	Net::SSLeay::BIO_free($bio);
+	}
+
+# Try DER if PEM failed
+if (!$cert) {
+	my $bio = Net::SSLeay::BIO_new_file($file, 'rb');
+	if ($bio) {
+		$cert = Net::SSLeay::d2i_X509_bio($bio);
+		Net::SSLeay::BIO_free($bio);
+		}
+	}
+
+# Certificate not found
+return undef if !$cert;
+
+# Subject
+my $subject = Net::SSLeay::X509_get_subject_name($cert);
+if ($subject) {
+	# commonName
+	my $cn = Net::SSLeay::X509_NAME_get_text_by_NID($subject, 13);
+	$rv{cn} = $cn if defined $cn && $cn ne '' && $cn ne '-1';
+	}
+
+# subjectAltName
+my @alts = Net::SSLeay::X509_get_subjectAltNames($cert);
+if (@alts) {
+	my @dns;
+	while (my ($type, $val) = splice(@alts, 0, 2)) {
+		push @dns, $val if $type == 2;
+		}
+	$rv{alt} = \@dns if @dns;
+	}
+
+Net::SSLeay::X509_free($cert);
+$cert_names_cache{$file} = \%rv;
+return \%rv;
+}
+
+# ssl_hostname_match(hostname, &hosts-list)
+# Does a hostname match a list of hostnames for an SSL cert?
+sub ssl_hostname_match
+{
+my ($h, $hosts) = @_;
+$h =~ s/:\d+$//;
+foreach my $p (@$hosts) {
+	return 1 if (lc($p) eq lc($h));
+	return 1 if ($p =~ /^\*\.(\S+)$/ &&
+		     (lc($h) eq lc($1) || $h =~ /^([^\.]+)\.\Q$1\E$/i));
+	return 2 if ($p eq "*");
+	}
+return 0;
+}

pptp-client/index.cgi

@@ -22,7 +22,7 @@ if (!&has_command($config{'pptp'})) {
 	}
 elsif (!$vers) {
 	# The PPP daemon is not installed
-	print "<p>",&text('index_epppd', "<tt>pppd</tt>"),"<p>\n";
+	print "<p>",&text('index_eppp', "<tt>pppd</tt>"),"<p>\n";
 	}
 else {
 	# Show icons

pptp-client/pptp-client-lib.pl

@@ -258,7 +258,7 @@ return 0;
 # get_pppd_version(&out)
 sub get_pppd_version
 {
-local $out = `pppd --help 2>&1`;
+local $out = `pppd --version 2>&1`;
 ${$_[0]} = $out;
 return $out =~ /version\s+(\S+)/i ? $1 : undef;
 }

proc/freebsd-lib.pl

@@ -101,7 +101,16 @@ ioctl($ttyfh, 536900705, 0);
 sub get_memory_info
 {
 my $sysctl = {};
-my $sysctl_output = &backquote_command("/sbin/sysctl -a 2>/dev/null");
+# Get only the specific values we need not all with -a
+my @needed = qw(
+	hw.physmem
+	hw.pagesize
+	vm.stats.vm.v_inactive_count
+	vm.stats.vm.v_cache_count
+	vm.stats.vm.v_free_count
+	);
+my $sysctl_output = &backquote_command("/sbin/sysctl " .
+	join(" ", @needed) . " 2>/dev/null");
 return ( ) if ($?);
 foreach my $line (split(/\n/, $sysctl_output)) {
 	if ($line =~ m/^([^:]+):\s+(.+)\s*$/s) {

proc/linux-lib.pl

@@ -501,6 +501,13 @@ my @fans;
 my @fans_all;
 my @cpu_thermisters;
 my $cpu_broadcoms;
+my @sensors;
+my $ceil = sub {
+	my $x = shift;
+	$x //= 0;
+	my $i = int($x);
+	return $i + ($x > $i);
+	};
 if (&has_command("sensors")) {
     my ($cpu, $cpu_aux, $cpu_unnamed, $cpu_package, $cpu_broadcom, $cpu_amd);
     my $fh = "SENSORS";
@@ -510,9 +517,10 @@ if (&has_command("sensors")) {
     &open_execute_command($fh, "sensors </dev/null 2>/dev/null", 1);
 
     while (<$fh>) {
-
+	# Buffer output for later use
+	push(@sensors, $_);
         # CPU full output must have either voltage or fan data
-        my ($cpu_volt) = $_ =~ /(?|in[\d+]\s*:\s+([\+\-0-9\.]+)\s+V|cpu\s+core\s+voltage\s*:\s+([0-9\.]+)\s+V)/i;
+        my ($cpu_volt) = $_ =~ /(?|in\d+\s*:\s+([\+\-0-9\.]+)\s+V|cpu\s+core\s+voltage\s*:\s+([0-9\.]+)\s+V)/i;
 	# CPU fans should be always labeled as 'cpu fan' or 'cpu_fan' or 'cpufan'
 	# and/or 'cpu fan 1', 'cpu_fan1', 'cpufan1', 'cpu_fan 2', 'cpu_fan2',
 	# 'cpufan2' etc.
@@ -535,7 +543,7 @@ if (&has_command("sensors")) {
 
         # AMD CPU Thermisters #1714
         if ($cpu && /thermistor\s+[\d]+:\s+[+-]([\d]+)/i) {
-            my $temp = int($1);
+            my $temp = $ceil->($1);
             push(@cpu_thermisters,
                  {  'core' => scalar(@cpu_thermisters) + 1,
                     'temp' => $temp
@@ -552,13 +560,13 @@ if (&has_command("sensors")) {
             # Common CPU multi
             if (/Core\s+(\d+):\s+([\+\-][0-9\.]+)/) {
 
-                # Prioritise package core temperature
+                # Prioritize package core temperature
                 # data over motherboard but keep fans
                 @cpu = (), $cpu_aux++
                     if ($cpu_aux & 1 && grep { $_->{'core'} eq $1 } @cpu);
                 push(@cpu,
                      {  'core' => $1,
-                        'temp' => int($2)
+                        'temp' => $ceil->($2)
                      });
                 }
 
@@ -566,7 +574,7 @@ if (&has_command("sensors")) {
             elsif (/CPU:\s+([\+\-][0-9\.]+)/) {
                 push(@cpu,
                      {  'core' => 0,
-                        'temp' => int($1)
+                        'temp' => $ceil->($1)
                      });
                 }
             }
@@ -588,7 +596,7 @@ if (&has_command("sensors")) {
                 if (/temp(\d+):\s+([\+][0-9\.]+).*?[Cc]\s+.*?[=+].*?\)/) {
                     push(@cpu,
                          {  'core' => (int($1) - 1),
-                            'temp' => int($2)
+                            'temp' => $ceil->($2)
                          });
                     }
 
@@ -597,7 +605,7 @@ if (&has_command("sensors")) {
                        /(cpu\s+temperature)\s*:\s+([\+][0-9\.]+).*?[Cc]/i) {
                     push(@cpu,
                          {  'core' => 0,
-                            'temp' => int($2)
+                            'temp' => $ceil->($2)
                          });
                     }
                 }
@@ -606,8 +614,8 @@ if (&has_command("sensors")) {
             elsif ($cpu_broadcom) {
                 if (/temp(\d+):\s+([\+\-][0-9\.]+)/) {
                     push(@cpu,
-                         {  'core' => $1,
-                            'temp' => int($2)
+                         {  'core' => int($1),
+                            'temp' => $ceil->($2)
                          });
                     $cpu_broadcoms++;
                     }
@@ -615,7 +623,7 @@ if (&has_command("sensors")) {
                     $cpu_unnamed++;
                     push(@cpu,
                          {  'core' => $cpu_unnamed,
-                            'temp' => int($2)
+                            'temp' => $ceil->($2)
                          });
                     $cpu_broadcoms++;
                     }
@@ -628,15 +636,15 @@ if (&has_command("sensors")) {
                 if (/Tdie:\s+([\+\-][0-9\.]+)/) {
                     push(@cpu,
                          {  'core' => 0,
-                            'temp' => int($1),
+                            'temp' => $ceil->($1),
                          });
                     }
 
                 # Like in #1481 #1484
                 elsif (/temp(\d+):\s+([\+\-][0-9\.]+).*?[Cc]\s+.*?[=+].*?\)/) {
                     push(@cpu,
-                         {  'core' => (int($1) - 1),
-                            'temp' => int($2),
+                         {  'core' => ($ceil->($1) - 1),
+                            'temp' => $ceil->($2),
                          });
                     }
 		
@@ -644,7 +652,7 @@ if (&has_command("sensors")) {
                 elsif (/Tctl:\s*([\+\-][0-9\.]+)/) {
                     push(@cpu,
                          {  'core' => 0,
-                            'temp' => int($1),
+                            'temp' => $ceil->($1),
                          });
                     }
                 }
@@ -690,35 +698,121 @@ if (!@fans && @cpu && @fans_all &&
 			}
 		}
 	}
+
+# Fall back logic for CPU temperature and fans spread over multiple
+# devices like Raspberry Pi #2517 and #2539 #2545
+if (@cpu || !@fans) {
+	# - Look for least two ISA voltage rails anywhere
+	# - See a CPU temp under cpu_thermal
+	# - Optionally grab a fan RPM under *fan-isa-*
+	my $can_fallback =
+		(!@cpu && (grep { /^\s*cpu_thermal/i } @sensors)) ||
+		(@cpu && !@fans && (grep { /fan-isa-\d+/i } @sensors));
+	return (\@cpu, \@fans) if (!$can_fallback);
+	my ($chip, $bus); 	# isa|pci|platform|virtual
+	my $isa_volt;
+	my ($cpu_temp, $fan_rpm);
+	for (@sensors) {
+		# Chip header
+		if (/^([A-Za-z0-9_+\-]+)-(isa|pci|platform|virtual)-[\w:]+\s*$/) {
+			$chip = lc $1;
+			$bus  = lc $2;
+			next;
+			}
+
+		# Count real voltage rails
+		if (defined $bus && $bus eq 'isa' &&
+		    /\bin\d+\s*:\s*([+\-]?[0-9]+(?:\.[0-9]+)?)\s*V\b/i) {
+			$isa_volt++;
+			next;
+			}
+
+		# CPU temperature
+		if (defined $chip && $chip =~ /^cpu_thermal/i &&
+		    /\b(?:CPU(?:\s*Temp)?|temp\d+)\s*:\s*([+\-]?[0-9]+(?:\.[0-9]+)?)\s*°?C\b/i) {
+			$cpu_temp //= $1;
+			next;
+			}
+
+		# Fan RPM
+		if (defined $chip && $chip =~ /fan$/i &&
+		    /\b(?:cpu[_ ]?fan(?:\s*\d+)?|fan\d+)\s*:\s*(\d+)\s*rpm\b/i) {
+			my $rpm = $1 + 0;
+			$fan_rpm = $rpm if (!$fan_rpm || $rpm > $fan_rpm);
+			next;
+			}
+		}
+
+	# Update only what's missing
+	push(@cpu, { 'core' => 1, 'temp' => $ceil->($cpu_temp) })
+		if (!@cpu && defined $cpu_temp && $isa_volt >= 2);
+	push(@fans, { 'fan' => 1, 'rpm' => $fan_rpm })
+		if (!@fans && defined $fan_rpm);
+	}
+
 return (\@cpu, \@fans);
 }
 
 # get_cpu_io_usage()
-# Returns a list containing CPU user, kernel, idle, io and VM time, and IO
-# blocks in and out
+# Returns a list of "us", "sy", "id", "wa", "st", "bi", "bo" that match `vmstat`
+# output by using /proc with much lower overhead
 sub get_cpu_io_usage
 {
-my ($nodelay) = @_;
-my $interval;
-$interval = " 1 2"
-	if (!$nodelay);
-my ($out, @lines, @w);
-if (&has_command("vmstat")) {
-        $out = &backquote_command("vmstat$interval 2>/dev/null");
-        @lines = split(/\r?\n/, $out);
-        @w = split(/\s+/, $lines[$#lines]);
-        shift(@w) if ($w[0] eq '');
-        if ($w[8] =~ /^\d+$/ && $w[9] =~ /^\d+$/) {
-            return ( @w[12..16], $w[8], $w[9] );
-        }
-    } elsif (&has_command("dstat")) {
-        $out = &backquote_command("dstat 1 1 2>/dev/null");
-        @lines = split(/\r?\n/, $out);
-        @w = split(/[\s|]+/, $lines[$#lines]);
-        shift(@w) if ($w[0] eq '');
-        return( @w[0..4], @w[6..7]);
-    }
-    return undef;
+# Read CPU counters from /proc/stat, the first "cpu" line
+my $read_cpu = sub {
+	open(my $fh, '<', '/proc/stat') or return;
+	my $line = <$fh>;
+	close($fh);
+	return unless defined $line && $line =~ /^cpu\s+/;
+	my @v = split /\s+/, $line; shift @v;
+	push @v, (0) x (8-@v) if @v < 8;
+	return @v[0..7];
+};
+
+# Read pgpgin/pgpgout from /proc/vmstat (in KB). Note, that all modern kernels,
+# /proc/vmstat pgpgin/pgpgout are KiB (scale=1); not as *pages*, so no need to
+# convert deltas
+my $read_io = sub {
+	open(my $fh, '<', '/proc/vmstat') or return (undef, undef);
+	my ($in, $out);
+	while (my $l = <$fh>) {
+		$in  = $1 if !defined $in  && $l =~ /^pgpgin\s+(\d+)/;
+		$out = $1 if !defined $out && $l =~ /^pgpgout\s+(\d+)/;
+		last if defined $in && defined $out;
+		}
+	close($fh);
+	return ($in, $out);   	   # KB on kernels 2.6.18+; no conversion needed
+};
+
+# Sample A
+my @cb = $read_cpu->() or return;
+my ($pgin_b, $pgout_b) = $read_io->();
+
+# Sleep half a second
+select(undef, undef, undef, 0.5);
+
+# Sample B
+my @ca = $read_cpu->() or return;
+my ($pgin_a, $pgout_a) = $read_io->();
+
+# CPU percentages as in vmstat
+my @d = map { $ca[$_] - $cb[$_] } 0..7;
+for (@d) { $_ = 0 if $_ < 0 }
+my $tot = 0; $tot += $_ for @d[0..7];
+return if !$tot;
+
+# Calculate percentages
+my $us = int( (($d[0] + $d[1]) / $tot) * 100 );          # user+nice
+my $sy = int( (($d[2] + $d[5] + $d[6]) / $tot) * 100 );  # system+irq+softirq
+my $id = int( ( $d[3] / $tot ) * 100 );                  # idle
+my $wa = int( ( $d[4] / $tot ) * 100 );                  # iowait
+my $st = int( ( $d[7] / $tot ) * 100 );                  # steal
+
+# Calculate bi/bo in KiB/s over half a second
+my ($bi, $bo) = (0, 0);
+$bi = int( (($pgin_a  // 0) - ($pgin_b  // 0)) / 0.5 );
+$bo = int( (($pgout_a // 0) - ($pgout_b // 0)) / 0.5 );
+return ($us, $sy, $id, $wa, $st, $bi, $bo);
 }
 
 # has_disk_stats()

proc/macos-lib.pl

@@ -108,7 +108,7 @@ if ($out =~ /Primary\s+memory\s+available:\s+([0-9\.]+)\s+g/i) {
 	$rv[0] = $1 * 1024 * 1024;
 	}
 else {
-	my $out = &backquote_command("sysctl -a hw.physmem 2>/dev/null");
+	my $out = &backquote_command("sysctl hw.physmem 2>/dev/null");
 	if ($out =~ /:\s*(\d+)/) {
 		$rv[0] = $1 / 1024;
 		}
@@ -129,7 +129,7 @@ if ($usage > $rv[0]) {
 $rv[1] = $rv[0] - $usage;
 
 # Get swap usage
-$out = &backquote_command("sysctl -a vm.swapusage 2>/dev/null");
+$out = &backquote_command("sysctl vm.swapusage 2>/dev/null");
 if ($out =~ /total\s*=\s*([0-9\.]+)([KMGT]).*free\s*=\s*([0-9\.]+)([KMGT])/) {
 	$rv[2] = $1*($2 eq "K" ? 1 :
 		     $2 eq "M" ? 1024 :
@@ -155,7 +155,7 @@ my $out = &backquote_command("uptime 2>&1");
 my @rv = $out =~ /average(s)?:\s+([0-9\.]+),?\s+([0-9\.]+),?\s+([0-9\.]+)/i ?
 	 ( $2, $3, $4 ) : ( undef, undef, undef );
 
-$out = &backquote_command("sysctl -a machdep.cpu.brand_string");
+$out = &backquote_command("sysctl machdep.cpu.brand_string");
 if ($out =~ /:\s*(\S.*)/) {
 	$rv[4] = $1;
 	if ($rv[4] =~ s/\s*\@\s*([0-9\.]+)(GHz|MHz)//i) {
@@ -169,7 +169,7 @@ if (!$?) {
 	$rv[5] = $out;
 	}
 else {
-	$out = &backquote_command("sysctl -a machdep.cpu.vendor");
+	$out = &backquote_command("sysctl machdep.cpu.vendor");
 	if ($out =~ /:\s*(\S.*)/) {
 		$rv[5] = $1;
 		}
@@ -180,7 +180,7 @@ if ($out =~ /:\s*(\d+)/) {
 	$rv[6] = $1 * 1024;
 	}
 
-$out = &backquote_command("sysctl -a machdep.cpu.core_count");
+$out = &backquote_command("sysctl machdep.cpu.core_count");
 if ($out =~ /:\s*(\d+)/) {
 	$rv[7] = $1;
 	}

setup.pl

@@ -616,6 +616,19 @@ else {
 	print STOP "else\n";
 	print STOP "  echo Stopping Webmin server in $wadir\n";
 	print STOP "fi\n";
+	print STOP "targets=\"stats.pl shellserver.pl\"\n";
+	print STOP "collect_pids() {\n";
+	print STOP "  for s in \$targets; do\n";
+	print STOP "    ps axww | grep \"$wadir/\" | grep \"/\$s\" | grep -v grep\n";
+	print STOP "  done | awk '{print \$1}' | sort -u\n";
+	print STOP "}\n";
+	print STOP "pids=\$(collect_pids)\n";
+	print STOP "[ -n \"\$pids\" ] && kill \$pids 2>/dev/null || true\n";
+	print STOP "if [ \"\$1\" = \"--kill\" ]; then\n";
+	print STOP "  sleep 1\n";
+	print STOP "  pids=\$(collect_pids)\n";
+	print STOP "  [ -n \"\$pids\" ] && kill -KILL \$pids 2>/dev/null || true\n";
+	print STOP "fi\n";
 	print STOP "pidfile=\`grep \"^pidfile=\" $config_directory/miniserv.conf | sed -e 's/pidfile=//g'\`\n";
 	print STOP "pid=\`cat \$pidfile 2>/dev/null\`\n";
 	print STOP "if [ \"\$pid\" != \"\" ]; then\n";
@@ -971,7 +984,7 @@ if (!$ENV{'nostart'}) {
 		print "  - DateTime, DateTime::Locale, DateTime::TimeZone, Data::Dumper,\n";
 		print "  - Digest::MD5, Digest::SHA, Encode::Detect, File::Basename,\n";
 		print "  - File::Path, Net::SSLeay, Time::HiRes, Time::Local, Time::Piece,\n";
-		print "  - JSON::XS, lib, open\n";
+		print "  - Socket6, Sys::Syslog, JSON::XS, lib, open\n";
 		print " Packages:\n";
 		print "  - openssl - Cryptography library with TLS implementation\n";
 		print "  - shared-mime-info - Shared MIME information database\n";

setup.sh

@@ -695,6 +695,19 @@ echo "  echo Force stopping Webmin server in $wadir" >>$config_dir/.stop-init
 echo "else" >>$config_dir/.stop-init
 echo "  echo Stopping Webmin server in $wadir" >>$config_dir/.stop-init
 echo "fi" >>$config_dir/.stop-init
+echo "targets=\"stats.pl shellserver.pl\"" >>$config_dir/.stop-init
+echo "collect_pids() {" >>$config_dir/.stop-init
+echo "  for s in \$targets; do" >>$config_dir/.stop-init
+echo "    ps axww | grep \"$wadir/\" | grep \"/\$s\" | grep -v grep" >>$config_dir/.stop-init
+echo "  done | awk '{print \$1}' | sort -u" >>$config_dir/.stop-init
+echo "}" >>$config_dir/.stop-init
+echo "pids=\$(collect_pids)" >>$config_dir/.stop-init
+echo "[ -n \"\$pids\" ] && kill \$pids 2>/dev/null || true" >>$config_dir/.stop-init
+echo "if [ \"\$1\" = \"--kill\" ]; then" >>$config_dir/.stop-init
+echo "  sleep 1" >>$config_dir/.stop-init
+echo "  pids=\$(collect_pids)" >>$config_dir/.stop-init
+echo "  [ -n \"\$pids\" ] && kill -KILL \$pids 2>/dev/null || true" >>$config_dir/.stop-init
+echo "fi" >>$config_dir/.stop-init
 echo "pidfile=\`grep \"^pidfile=\" $config_dir/miniserv.conf | sed -e 's/pidfile=//g'\`" >>$config_dir/.stop-init
 echo "pid=\`cat \$pidfile 2>/dev/null\`" >>$config_dir/.stop-init
 echo "if [ \"\$pid\" != \"\" ]; then" >>$config_dir/.stop-init
@@ -1063,7 +1076,7 @@ if [ "$nostart" = "" ]; then
 		echo "  - DateTime, DateTime::Locale, DateTime::TimeZone, Data::Dumper,"
 		echo "  - Digest::MD5, Digest::SHA, Encode::Detect, File::Basename,"
 		echo "  - File::Path, Net::SSLeay, Time::HiRes, Time::Local, Time::Piece,"
-		echo "  - JSON::XS, lib, open"
+		echo "  - Socket6, Sys::Syslog, JSON::XS, lib, open"
 		echo " Packages:"
 		echo "  - openssl - Cryptography library with TLS implementation"
 		echo "  - shared-mime-info - Shared MIME information database"