We have received a few bug reports from our users saying that some Webmin modules' `index.cgi` files are getting destroyed and overwritten with a symlink to CSF. I have checked your code and added a few fixes to add extra protection before making such changes and also to fix message formatting.
Could you please be so kind as to fix that for the next 14.16 release?
```perl
# Only act when running under Webmin and reached through a page link
if (defined $ENV{WEBMIN_VAR} and defined $ENV{WEBMIN_CONFIG} and defined $ENV{HTTP_REFERER}) {
	# Leave index.cgi alone if it is already a symlink
	unless (-l "index.cgi") {
		unlink "index.cgi";
		my $status = symlink ("/usr/local/csf/lib/webmin/csf/index.cgi","index.cgi");
		# Report success only if the symlink really exists
		if ($status and -l "index.cgi") {
			symlink ("/usr/local/csf/lib/webmin/csf/images","csfimages");
			print "<p>ConfigServer Security & Firewall symlinked to use actual module files from <tt>/usr/local/csf/lib/webmin/csf</tt> directory. Please click <a href='index.cgi'>here</a> to go to the module.</p>\n";
			exit;
		} else {
			print "<p>Failed to symlink to /usr/local/csf/lib/webmin/csf/</p>\n";
		}
	}
}
```
Last edited by Ilia on 13 Feb 2022, 17:20, edited 1 time in total.
I see the problem. You should check for the referer and, most importantly, we need to make sure that the working directory is actually the CSF Webmin module directory. Here is the final and well-tested patch!
```perl
if (defined $ENV{WEBMIN_VAR} and defined $ENV{WEBMIN_CONFIG} and defined $ENV{HTTP_REFERER}) {
	eval "use WebminCore";
	if (!$@) {
		# This is very important to make sure that the working directory is
		# actually ConfigServer Security & Firewall Webmin module directory
		my %csf_module_info;
		&read_file('module.info', \%csf_module_info);
		if ((defined $csf_module_info{'name'} and $csf_module_info{'name'} =~ /^csf/i) or
		    (defined $csf_module_info{'desc'} and $csf_module_info{'desc'} =~ /ConfigServer\s+Security\s+&\s+Firewall/i)) {
			unless (-l "index.cgi") {
				unlink "index.cgi";
				my $status = symlink ("/usr/local/csf/lib/webmin/csf/index.cgi","index.cgi");
				if ($status and -l "index.cgi") {
					symlink ("/usr/local/csf/lib/webmin/csf/images","csfimages");
					print "<p>ConfigServer Security & Firewall was symlinked to use actual module files from <tt>/usr/local/csf/lib/webmin/csf</tt> directory. Please click <a href='index.cgi'>here</a> to go to the module.</p>\n";
					exit;
				} else {
					print "<p>Failed to symlink ConfigServer Security & Firewall <tt>/usr/local/csf/lib/webmin/csf</tt> module directory </p>\n";
				}
			}
		}
	}
}
```
Please take a deeper look at this. This is clearly a bug, and if the page in Webmin, when using Authentic Theme, is reloaded when the CSF module is opened, it will overwrite one of the standard modules' `index.cgi` files, like `acl/index.cgi`.
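
The directory check discussed in this thread, as an added example that is not part of the posts above and is not CSF's or Webmin's own code. It applies the same `module.info` test to a CSF directory and to an unrelated module directory; the helpers `module_info`, `link_csf_index` and `write_file`, the temporary directory layout and the file contents are constructed for illustration, `module.info` is parsed directly instead of through WebminCore's `read_file`, and the link is swapped in with `rename` rather than unlink-then-symlink.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Link target quoted in the thread.
my $TARGET = "/usr/local/csf/lib/webmin/csf/index.cgi";

# Read Webmin-style key=value pairs from module.info (no WebminCore needed).
sub module_info {
    my ($dir) = @_;
    my %info;
    open(my $fh, '<', "$dir/module.info") or return %info;
    while (my $line = <$fh>) {
        $info{$1} = $2 if $line =~ /^(\w+)=(.*)$/;
    }
    return %info;
}

# Hypothetical helper: returns 'linked', 'already' or 'refused'.
sub link_csf_index {
    my ($dir) = @_;
    my %info = module_info($dir);
    # Same identity test as the patch in the thread.
    my $is_csf = (($info{name} // '') =~ /^csf/i)
        || (($info{desc} // '') =~ /ConfigServer\s+Security\s+&\s+Firewall/i);
    return 'refused' unless $is_csf;          # not the CSF module: touch nothing
    return 'already' if -l "$dir/index.cgi";
    # Create the link under a temporary name and rename it into place, so
    # index.cgi is never missing and a failed symlink leaves the file intact.
    my $tmp = "$dir/index.cgi.$$";
    symlink($TARGET, $tmp) or return 'refused';
    rename($tmp, "$dir/index.cgi") or do { unlink $tmp; return 'refused' };
    return 'linked';
}

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "$path: $!";
    print $fh $text;
    close $fh;
}

# Constructed layout: the CSF module directory and an unrelated module (acl).
my $root = tempdir(CLEANUP => 1);
for my $m (qw(csf acl)) {
    mkdir "$root/$m" or die "mkdir: $!";
    write_file("$root/$m/module.info", "name=$m\ndesc=constructed sample\n");
    write_file("$root/$m/index.cgi", "# original $m page (constructed)\n");
    my $result = link_csf_index("$root/$m");
    printf "%-4s %-8s index.cgi is %s\n", $m, $result,
        (-l "$root/$m/index.cgi") ? "a symlink" : "a regular file";
}
```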