Tags: hestiacp/hestiacp
* 1.9.5 beta (#5350)
* Comment out ssl_stapling directives due to Let's Encrypt ending OCSP support in 2025 (#5002)
* Fixed error of database not downloading from UI (#4876)

  Redirection for the download request from GUI was not working, which was also redirecting to:

  > This site cannot be accessed. The website at `site/download/database/?database=dbname_db&token=token` may be temporarily down or has been permanently moved to a new web address. `ERR_INVALID_RESPONSE`

  @sahsanu provided the manual fix as: `sed -i 's/\$output\[1\]/\$output\[0\]/' /usr/local/hestia/web/download/database/index.php`

  Basically the file does save in the `/backup` folder, but was not redirecting at UI level. @jaapmarcus please review. More details: https://forum.hestiacp.com/t/18306/
* Fix Json format (#5059)

  Fix #5056
* Updates translations

  Updates the translation files for various languages. Removes the Danish translation.
* Fix: avoid spamd execution in Exim when reject_spam is off (#5076)
* fix: avoid spamd execution in Exim when reject_spam is off

  Ensure spamd is not called when reject_spam is disabled, preventing unnecessary processing and potential errors.
* Fixing spamd execution in Exim when reject_spam is off during the upgrade
* Add -f flag to rm command in v-add-mail-domain-smtp-relay to avoid error if ip file does not exist (#5086)
* Fix typo in development.md (#5106)
* Add ESMTP to SMTP banner in Exim configuration templates (#5140)
* Add ESMTP to SMTP banner in Exim configuration templates

  Updated all Exim configuration templates (`exim4.conf.template`, `exim4.conf.4.94.template` and `exim4.conf.4.95.template`) to include "ESMTP" in the SMTP banner. This change ensures that the server correctly identifies itself as supporting Extended SMTP, improving compatibility and compliance with modern mail clients and servers.
* Changing the smtp_banner directive during the upgrade
* Fix netplan permissions. (#5159)

  IMO a mild-severity "information disclosure vulnerability", quote:

  ```
  root@host2:/# netplan generate
  ** (generate:1843186): WARNING **: 10:24:11.770: Permissions for /etc/netplan/60-hestia.yaml are too open. Netplan configuration should NOT be accessible by others.
  root@host2:/# namei -l /etc/netplan/60-hestia.yaml
  f: /etc/netplan/60-hestia.yaml
  drwxr-xr-x root root /
  drwxr-xr-x root root etc
  drwxr-xr-x root root netplan
  -rw-r--r-- root root 60-hestia.yaml
  ```
* PHP-8.5 support (#5157)

  This PR adds support for PHP 8.5 but it shouldn't be merged yet:

  **1.-** PHP 8.5 GA will be released on November 20th.
  **2.-** Sury hasn't released the packages for 8.5 yet.
* Fix SpamAssassin service name for Ubuntu 24.04 (#5162)
* Fix SpamAssassin service name for Ubuntu 24.04

  Ubuntu 24.04 renamed the SpamAssassin service from `spamassassin` to `spamd`, preventing Hestia from restarting it via the Web UI.

  - Use `spamd` for Ubuntu 24.04+ in installer
  - Add migration logic in upgrade script for existing installations
  - Preserve `spamassassin` for older Ubuntu versions
* Ensure composer alias uses the user-defined PHP CLI (#5155)

  This change updates the creation of the composer alias so that it explicitly runs `composer` using the PHP CLI defined for the user rather than the system default. It also removes any previous composer alias to prevent conflicts and ensures consistent behavior with the user-specific PHP configuration.

  Forum post: https://forum.hestiacp.com/t/composer-uses-wrong-php-version-but-php-v-shows-the-correct-one/20593
* Remove deprecated wp-password-bcrypt download (#5164)

  1: it was causing rate-limit errors from github, this should resolve #5136
  2: Since at least 17 February 2025, WP use password_hash internally: WordPress/wordpress-develop@f444639
* limit conf grep results to one for U_DISK_DIRS
* Secure SSL settings (#5109)
* 20m cache, 4h timeout

  7d is bonkers, and https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/ suggests 20m cache + 4h timeout (with higher timeout you need a bigger cache..)
* fix v-list-database-host: correct path to configuration file (#5114)
* fix(v-list-database-host): correct path to configuration file

  Update call to `is_object_valid` to use `../../../conf/$type` instead of `git commit ../../conf/$type`, fixing the path to the host configuration file.
* Modify four more database-host scripts that are also affected by the bug
* Added missing check to see if user can access DNS templates or is admin

  Added missing check to see if user can access DNS templates or is an admin - if the system policy "Allow users to change templates when editing DNS zones" is set to "no", the templates selection field is not displayed to the user when adding or editing a DNS zone (which is correct/expected behaviour), BUT it seems that the code here was not carrying out the appropriate check before attempting to change the DNS template - and an "Undefined array key "v_dnssec" in /usr/local/hestia/web/edit/dns/idex.php" error was occurring.
* Added that local usernames can't be used in Hestia. (#5134)

  Hestia uses Linux system, so local users already present can't be added to Hestia.
* Add Fail2Ban unban support to firewall ban removal script (#5139)
* Add Fail2Ban unban support to firewall ban removal script

  This update enhances the v-delete-firewall-ban script by integrating Fail2Ban unban functionality. Implemented logic to iterate through all Fail2Ban jails and unban the corresponding IP if the jail uses a `hestia-*` action matching the firewall chain. This ensures that IPs removed from Hestia's firewall are also properly unbanned from Fail2Ban jails, keeping both systems synchronized.
* chmod 0755 bin/v-*

  ---------
  Co-authored-by: hanshenrik <hans@loltek.net>
* Fix hestia logrotate (#5148)
* Fix hestia logrotate

  Forum link https://forum.hestiacp.com/t/logrotate-issue-with-nginx-log-files/20572
* reload

  ---------
  Co-authored-by: divinity76 <hans@loltek.net>
* Fixes path for object validation (#5167)
* Fixes path for object validation

  Corrects the relative path used to validate the existence of DNS cluster hosts. The path was off by one directory level, leading to incorrect validation results. This change ensures that the correct configuration files are checked, preventing potential errors when deleting, suspending, or unsuspending remote DNS hosts.
* Fixes incorrect path for DNS cluster config

  Corrects the relative path to the DNS cluster configuration file, ensuring the script can properly locate and update host suspension status.
* Fix linting
* Fix: Preserve SSL and redirect on cert renewal failure (#5149)

  Preserve web domain redirect and force-SSL settings on Let's Encrypt certificate renewal failure. Fixes #4640
* Revert fix-hestia-logrotate (#5170)
* Remove extra code (#5065)
* Remove _domainkey entries from DKIM DNS script (#5161)
* Remove _domainkey entries from DKIM DNS script

  https://datatracker.ietf.org/doc/html/rfc4870#section-3.7.6 has been superseded by DMARC. Furthermore t=y means testing mode: "This domain is testing DomainKeys, and unverified email MUST NOT be treated differently from verified email. Recipient systems MAY wish to track testing mode results to assist the sender"
* Remove DKIM policy record creation

  Removed the addition of a DKIM policy record from the DNS.
* Remove domainkey DNS record addition

  Removed the addition of the domainkey DNS record and its policy.
* Simplify DKIM record addition logic

  Removed unnecessary DKIM policy record addition.
* Remove grep check for '_domainkey' record

  Removed unnecessary grep command for DKIM record check.
* Remove deprecated policy _domainkey record from dns configuration

  Removed unnecessary TXT record for DKIM key.
* clean more deprecated policy _domainkey records

  ---------
  Co-authored-by: hanshenrik <hans@loltek.net>
* run UTF-8 locale (#4704)
* ensure UTF-8 locale, switch to 1.9.5.sh upgrade

  commit history for the old branch got messy, re-created from main.
* nit
* nit
* Add Roundcube logrotate configuration and adjust file permissions (#5142)

  This commit adds logic to automatically copy the `roundcube` logrotate configuration file to `/etc/logrotate.d/` during installation and updates using `v-add-sys-roundcube`. Additionally, it modifies the logrotate configuration to set more restrictive file permissions (0640) and adjust ownership to `hestiamail www-data` instead of `www-data www-data`.
* fix: resource limits and disk quota detection in v-add-user (#5172)
* fix: resource limits and disk quota detection in v-add-user

  While testing native ext4 quotas, I realized that quotas are not being applied to new users. A similar issue occurs when setting resource limits for users.

  - Add numeric validation for DISK_QUOTA to properly set quota for user.
  - Read `RESOURCES_LIMIT` from global `hestia.conf` instead of package (package does not have this variable set).
  - Fix typo: `resource_enaled` -> `resource_enabled`
* Add logic to update quotas and cgroup for existing users
* Fix port logging in v-add-firewall-rule (#5176)
* Fix port logging in v-add-firewall-rule

  More info: https://forum.hestiacp.com/t/bug-logging-added-firewall/20701
* Fix vstats link to use https when SSL enabled (#5183)

  resolves #5182
* Add zsh support for Hestia PATH configuration (#5191)

  Add support for zsh shell in PATH configuration during installation. Now checks for both .bashrc and .zshrc files and adds Hestia bin directory to PATH for whichever shell configuration files exist.
* Harden DNS record listing escaping (#5196)
* Use ROOT_USER variable instead of hard-coded admin in restic restore scripts (#5201)

  This change updates all `v-restore-*-restic` scripts to replace the hard-coded `admin` user in `v-update-user-counters` calls with the `ROOT_USER` variable. This makes the restore process respect the configured administrator user.
* Add dynamic maxelem and hashsize to v-add-firewall-ipset (#5198)
* Add dynamic maxelem and hashsize to v-add-firewall-ipset

  - Automatically set maxelem to the number of entries in the IP list.
  - Calculate a reasonable hashsize based on iplist size for better memory and performance.
  - Ensure iplist_size is validated and handle missing or empty iplist files.
  - Replace hardcoded maxelem in temporary and main sets with dynamic value.
  - Replace sed-based line counting with grep for more reliable IP list size calculation.

  More info: https://forum.hestiacp.com/t/various-problems-with-ipset/20765
* Remove redhat part
* Bump Roundcube to version 1.6.12 (#5187)

  Security fixes:

  - Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
  - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
* Update moodle templates (#5143)
* Update moodle templates for moodle 5.1+
* Fix moodledata permission issues
* Fix an issue where a long text could bypass 2FA check (#5203)

  Thanks to PHP and the exec function
* harden dns record validation (#5197)
* harden dns record validation
* Update test/checks.bats
* Add HTTP_HOST param, cleanup headers, and add WordPress HTTP/3 templates (#5185)

  This update improves WordPress Nginx templates, adds HTTP/3 support, and introduces automation for selective `reuseport` usage.

  - Added `fastcgi_param HTTP_HOST $host;` to all WordPress-related Nginx templates.
  - Ensures correct host header forwarding to PHP-FPM and prevents URL resolution issues in WordPress.
  - Removed `proxy_hide_header Upgrade;` from multiple `.stpl` templates where it was not applicable to FastCGI setups.

  Introduced new templates and helper scripts with built-in HTTP/3 (QUIC) support:

  - `wordpress-disable-xmlrpc-http3.sh`
  - `wordpress-disable-xmlrpc-http3.stpl`
  - `wordpress-disable-xmlrpc-http3.tpl`
  - `wordpress-http3.sh`
  - `wordpress-http3.stpl`
  - `wordpress-http3.tpl`
  - `wordpress_mu_subdir-http3.sh`
  - `wordpress_mu_subdir-http3.stpl`
  - `wordpress_mu_subdir-http3.tpl`
  - Added scripts to automate enabling `reuseport` **only for one site** when multiple domains share the same IP, avoiding listener conflicts while supporting HTTP/3.

  These changes improve compatibility, reliability, and performance for WordPress deployments on HestiaCP using Nginx + PHP-FPM.
* Fix php-fpm template to allow dynamically generated tracking code (#5212)
* Update moodle templates (#5211)
* Quotes variables for `is_common_format_valid` (#5218)

  Ensures that the variables passed to the `is_common_format_valid` function are properly quoted. This resolves potential issues arising from whitespace or special characters within the variable values, preventing unexpected behavior or errors during validation.
* Normalize blacklist IP parsing and improve sorting (#5219)

  Improve IP extraction and normalization in the blacklist generation script. Update the grep pattern from `^(?:…` to `(?:…` so it no longer requires the IP address to start at the beginning of the line, allowing matches embedded in files or lines with leading characters. Enhance IPv4 normalization by stripping leading zeros from each octet while preserving any CIDR suffix using an updated sed expression. Switch from `sed -r` to `sed -E` for better portability across systems. Finally, replace the slower `sort -n | sort -mu` pipeline with a single `sort -Vu`, which correctly sorts dotted IPv4 addresses and removes duplicates in one pass. Fixes #5213
* Add default checked state for DKIM checkbox (#5220)

  Update the DKIM checkbox logic to be checked by default when the `v_dkim` variable is empty or explicitly set to `yes`.

  **Note**: Nowadays, it's important to have this option enabled by default.
* Bump Roundcube to version 1.6.13 (#5222)

  Security fixes:

  - Fix CSS injection vulnerability reported by CERT Polska.
  - Fix remote image blocking bypass via SVG content reported by nullcathedral.
* Improve HTML encoding (5245-chunk) (#5246)
* Improve HTML encoding (5245-chunk)

  Reviewable chunk of #5245. 5245 grew too large to comfortably review.
* Update web/templates/pages/edit_web.php

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update web/templates/pages/edit_web.php

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Use JS-safe encoding for certificate toggle labels

  Replace HTML-escaped Alpine x-text string literals with JSON-encoded strings in edit_web.php to avoid JS-context escaping issues in translations.
* fix
* fix
* fix
* fix
* fix
* fix

  ---------
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Add missing HTML/url encoding, (#5247)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* web-terminal: use php helper for session auth lookup (#5244)
* web-terminal: use php helper for session auth lookup
* nit
* Harden cookie parsing requested by https://github.com/numanturle
* Add missing HTML/url encoding (5245-chunk3) (#5248)
* Add missing HTML/url encoding (5245-chunk3)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Update web/templates/pages/list_user.php

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

  ---------
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Fix FileGator 7.13.4 session migrate incompatibility in Hestia (#5241)
* Fix FileGator 7.13.4 session migrate incompatibility in Hestia

  FileGator 7.13.4 introduced the migrate() method on the session storage, and Hestia's bundled SessionStorage adapter was not updated accordingly. As a result, FileGator attempted to call migrate() on the storage, which did not exist in Hestia's version, causing a 500 Internal Server Error. This commit adds the missing migrate($destroy = false, $lifetime = null) method to the SessionStorage adapter and proxies the call to the underlying Session instance, restoring compatibility with FileGator 7.13.4 and preventing the 500 error.
* Bump FileGator version to 7.13.4
* Add missing HTML/url encoding (5245-chunk4) (#5249)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk5) (#5250)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk6) (#5251)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk7) (#5252)
* Add missing HTML/url encoding (5245-chunk7)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk8) (#5253)
* Add missing HTML/url encoding (5245-chunk8)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Fix row ids and item counting

  web/templates/pages/list_backup_detail.php, comment on lines +103 to +104:

  ```php
  <input id="check2<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="mail[]" value="<?= tohtml($key) ?>">
  <label for="check2<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
  ```

  Copilot AI: $i is only incremented in the WEB loop, but this MAIL section uses $i to form checkbox id/for. That means every mail row will reuse the same id (e.g. check2N), breaking label targeting and potentially any JS relying on unique ids; it also makes the footer item count inaccurate. Increment $i inside this loop (and the other loops) or use a unique per-row identifier (e.g. derived from $key) for the id/for attributes.

  web/templates/pages/list_backup_detail.php, comment on lines +143 to +144:

  ```php
  <input id="check3<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="dns[]" value="<?= tohtml($key) ?>">
  <label for="check3<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
  ```

  Copilot AI: This DNS section also uses $i for id/for, but $i is not incremented in this loop, so multiple DNS rows will end up with duplicate checkbox ids. Increment $i per iteration (or switch the id to a unique value derived from $key) to keep ids unique and keep the footer count correct.

  web/templates/pages/list_backup_detail.php, comment on lines +183 to +184:

  ```php
  <input id="check4<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="db[]" value="<?= tohtml($key) ?>">
  <label for="check4<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
  ```

  Copilot AI: In the DB loop, $i is reused for the checkbox id/for without being incremented per database entry, which will generate duplicate ids for multiple DB rows. Increment $i inside this loop (or generate a unique id from $key) to avoid broken label associations and incorrect item counting.

  web/templates/pages/list_backup_detail.php, comment on lines +259 to +260:

  ```php
  <input id="check6<?= tohtml($i) ?>" class="js-unit-checkbox" type="checkbox" name="udir[]" value="<?= tohtml($key) ?>">
  <label for="check6<?= tohtml($i) ?>" class="u-hide-desktop"><?= tohtml( _("Select")) ?></label>
  ```

  Copilot AI: The UDIR loop reuses $i for checkbox id/for but doesn't increment $i per user-directory row, so ids will be duplicated when there are multiple entries. Increment $i in this loop (or derive a unique id from $key) to keep ids unique and the footer item count accurate.
* unique counter names so we don't accidentally end up with like "foo1 foo2 foo3 bar4 bar5" but instead "foo1 foo2 foo3 bar1 bar2"
* Fix: handle missing session gracefully in SessionStorage (#5254)
* Fix FileGator 7.13.4 session migrate incompatibility in Hestia

  FileGator 7.13.4 introduced the migrate() method on the session storage, and Hestia's bundled SessionStorage adapter was not updated accordingly. As a result, FileGator attempted to call migrate() on the storage, which did not exist in Hestia's version, causing a 500 Internal Server Error. This commit adds the missing migrate($destroy = false, $lifetime = null) method to the SessionStorage adapter and proxies the call to the underlying Session instance, restoring compatibility with FileGator 7.13.4 and preventing the 500 error.
* Bump FileGator version to 7.13.4
* fix: handle missing session gracefully in SessionStorage

  Wrap getSession() call in a try-catch to handle SessionNotFoundException, returning null instead of throwing when no session is available. Without this fix, trying to access filemanager gives this error:

  ```
  2026/03/10 07:30:45 [error] 774#0: *3 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Symfony\Component\HttpFoundation\Exception\SessionNotFoundException: Session has not been set. in /usr/local/hestia/web/fm/vendor/symfony/http-foundation/Request.php:758 Stack trace: thrown in /usr/local/hestia/web/fm/vendor/symfony/http-foundation/Request.php on line 758" while reading response header from upstream, client: 192.168.2.3, server: _, request: "GET /fm/ HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "192.168.2.201:8083", referrer: "https://192.168.2.201:8083/list/user/"
  ```

  Maybe it should be fixed in `backend/Services/Auth/Adapters/HestiaAuth.php` but my PHP knowledge is 0 and this fix works fine with Symfony 8 and compiling Hestia with PHP 8.4. Related PR #5241
* Add missing HTML/url encoding (5245-chunk9) (#5255)
* Add missing HTML/url encoding (5245-chunk9)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk10) (#5256)
* Add missing HTML/url encoding (5245-chunk10)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Add missing HTML/url encoding (5245-chunk11) (#5257)
* Add missing HTML/url encoding (5245-chunk11)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* Harden template escaping with shared tohtml helper (#5245)
* Harden template escaping with shared tohtml helper
* Remove double encoding
* more double-encode fixes
* fix
* fix
* fix
* double encode fix
* fix
* fix
* fix
* fix
* more htmlspecialchars > tohtml
* tohtml(urlencode(...)) fix
* more html(urlencode)
* fix
* fix copilot review
* make tohtml() accept null.
* Align edit_web escaping with chunk branch

  Merge back the remaining edit_web.php adjustments from more-htmlencode-chunk1 to keep more-htmlencode in sync.
* Use JS-safe encoding for certificate toggle labels

  Replace HTML-escaped Alpine x-text string literals with JSON-encoded strings in edit_web.php to avoid JS-context escaping issues in translations.
* fix
* fix
* fix
* fix
* fix
* fix
* Update web/templates/pages/list_user.php

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix
* fix
* fix
* fix
* Fix row ids and item counting
* fix
* unique counter names so we don't accidentally end up with like "foo1 foo2 foo3 bar4 bar5" but instead "foo1 foo2 foo3 bar1 bar2"
* fix
* fix
* fix
* fix
* indentation

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix
* fix

  ---------
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Fix PR #5254 (#5259)

  Looks like the merge duplicated the migrate function. @divinity76, please take a look. Thank you.
* Add missing HTML/url encoding (5245-chunk12) (#5258)
* Add missing HTML/url encoding (5245-chunk12)

  There were reports that some missing HTML encoding could lead to XSS/javascript injection. Reviewable chunk of #5245, which grew too large.
* another urlencode+htmlecode fix (#5261)
* Configure Nginx to handle Livewire v3 asset requests (#5260)
* Configure Nginx to handle Livewire v3 asset requests

  Add location block for dynamic Livewire v3 assets in Nginx config
* Add location block for Livewire assets in Nginx config

  For non ssl websites
* Refactor Livewire location block in nginx config

  Keep config same as .stpl format

  ---------
  Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
* rename old admin user under delete user notification test (#5233)

  User notification test uses old hard-coded 'admin' user to test. On newer systems with other admin user than 'admin' this test fails: False positive
* fix: Avoid crash during Hestia install (#5223)
* fix: Avoid crash during Hestia install

  Because of commit #5218, the Hestia installation fails as the self-signed certificate is not created.

  ```
  [ * ] Adding SSL certificate to Hestia Control Panel...
  sed: -e expression #1, char 3: unexpected `,'
  sed: -e expression #1, char 1: unknown command: `,'
  [ * ] Enabling SFTP jail...
  [...]
  [ * ] Configuring System IP...
  Job for apache2.service failed because the control process exited with error code.
  See "systemctl status apache2.service" and "journalctl -xeu apache2.service" for details.
  Error: apache2 restart failed
  Error: can't create test.example.net domain
  ```

  This is because commit #5218 is quoting the variables in the following validations:

  ```
  is_common_format_valid "$state" "state"
  is_common_format_valid "$org" "org"
  is_common_format_valid "$unit" "unit"
  ```

  State, Organization, and Unit variables can contain (and in this case contain) spaces, so they fail validation and the certificate is not created, causing the crash.

  - This PR removes those validations in script `v-generate-ssl-cert`
  - Added missing quotes to variable expansion in v-list-backup-host to prevent word splitting.
  - It also refined validation logic in `v-change-user-name` by checking first and last names independently.
* Add space-aware common format validator

  Introduce a new common format validation function that safely allows spaces and apply it to relevant fields requiring space support.
* Count custom backend templates (e.g. `*-PHP-x_y`) in PHP version usage screen (#5228)
* Count custom backend templates (e.g. `*-PHP-x_y`) in PHP version usage without duplicates
* Run npm run format

  ---------
  Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
* Adjustment under 'Add domain record SRV' test after 'harden dns record validation' #5197 (#5234)

  After commit a74babb 'harden dns record validation' #5197 the test 'DNS: Add domain record SRV' fails due to wrong call parameters. This PR corrects the call parameters under test/test.bats. Idea and implementation by sahsanu. PR by asmcc
* Bump Nginx, PHP and build dependency versions (#5262)

  Update bundled component versions used in the build process:

  - Nginx: 1.27.4 → 1.28.2
  - PHP: 8.3.17 → 8.4.18
  - OpenSSL: 3.4.0 → 3.4.4
  - PCRE: 10.44 → 10.47
  - Zlib: 1.3.1 → 1.3.2

  PHP is upgraded to the 8.4 branch to meet the requirements of Symfony 8.
* Stop trusting unauthenticated proxy headers (#5273) * Stop trusting unauthenticated proxy headers * pin version cus the other libs do the same Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Create Changelog Fix format * Update hestia package version * Update versions in installer * Bump Roundcube to version 1.6.14 (#5267) **Security fixes** - Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us. - Fix bug where a password could get changed without providing the old password, reported by flydragon777. - Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team. - Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral. - Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral. - Fix fixed position mitigation bypass via use of !important, reported by nullcathedral. - Fix XSS issue in a HTML attachment preview, reported by aikido_security. - Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/. * Fix composer.lock file * Bump Roundcube to version 1.6.15 (#5280) - Fix regression where mail search would fail on non-ascii search criteria (#10121) - Fix regression where some data url images could get ignored/lost (#10128) - Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke * validate ip before assign (#5282) * validate ip before assign * formatting - style * Fix: resolve undefined array key "look" warnings in main.php (#5285) This PR fixes multiple `PHP Warning: Undefined array key "look"` in `web/inc/main.php` when running on PHP 8.x. 
Log example: ``` 2026/03/30 20:47:52 [error] 2397#0: *3085 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key "look" in /usr/local/hestia/web/inc/main.php on line 104" while reading response header from upstream, client: 203.0.113.1, server: hestia.example.net, request: "GET /list/user/ HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "hestia.example.net:8083", referrer: "https://hestia.example.net:8083/edit/mail/?domain=example.com&account=test&token=81fd67cfdaf4256a228a1abd8d2b4101" ``` In PHP 8, accessing a non-existent array key triggers a Warning. In HestiaCP, the `$_SESSION["look"]` key is only set when an administrator impersonates another user. On regular sessions, this key is undefined, causing multiple warnings throughout the dashboard. - **Line 81**: Replaced direct comparison `$_SESSION["look"] != ""` with `!empty($_SESSION["look"])`. - **Line 140**: Changed `empty()` check to `!isset()` to safely initialize the session key without triggering a warning. These changes ensure full compatibility with PHP 8.0+ while maintaining existing logic. * Fix: prevent session conflict in File Manager configuration (#5286) This PR resolves a PHP Warning in the File Manager: `ini_set(): Session ini settings cannot be changed when a session is active`. Log example: ``` 2026/03/30 22:42:32 [error] 2397#0: *3810 FastCGI sent in stderr: "PHP message: PHP Warning: ini_set(): Session ini settings cannot be changed when a session is active in /usr/local/hestia/web/fm/vendor/symfony/http-foundation/Session/Storage/Handler/NativeFileSessionHandler.php on line 53" while reading response header from upstream, client: 203.0.113.1, server: hestia.example.net, request: "POST /fm/?r=/getdir HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "hestia.example.net:8083", referrer: "https://hestia.example.net:8083/fm/" ``` HestiaCP starts a global session in `web/inc/main.php`. 
  When the File Manager (FileGator) is loaded, its Symfony components attempt to modify session settings via `ini_set()`. PHP forbids changing these settings if a session is already active.
  - Added `session_write_close()` in `web/fm/configuration.php` if a session is active.
  - Removed the redundant `session_start()` call at the beginning of the file.
  - This allows the File Manager's Symfony kernel to re-configure session settings (like `save_path`) without conflicts.
  - The session is automatically resumed by the File Manager kernel, preserving user authentication.
* Add support for more PHP versions based on official support documentation https://make.wordpress.org/core/handbook/references/php-compatibility-and-wordpress-versions/ (#5287)
* Update hestia-nginx / hestia-php (#5288)
* Fixed bug in Wordpress Installer
* Accept invalid hostname for CNAME records (#5291)
  * Allow underscore in cname record
  * Only use FILTER_VALIDATE_DOMAIN
  * Allow underscores in CNAME records
    Update the domain validation function to allow disabling the FILTER_FLAG_HOSTNAME flag. This enables support for underscores in CNAME records, which are commonly required for certain DNS configurations such as DKIM.
* Fix bug caused by merging from main branch (#5290)
  * Fix: refactor quick install templates and data access
    - Update webapp property access from objects to associative arrays in `list_webapps.php` and `setup_webapp.php`.
    - Remove redundant `tohtml()` calls from translation strings and form field metadata.
    - Standardize URL parameter escaping using `htmlentities()` and manual query string construction.
    - Update `WebappInstaller` method calls to match current data structures.
  * Fix PHP Error
  * Re-apply security fix
  * Shell check caused an error
* Bump hestia-php version to 8.4.20 (#5298)
* Cleanup argument handling and improve kv parsing (#5309)
  * Refactor argument handling in multiple scripts for better consistency and improve kv parsing
  * use local instead of trap-restore for IFS
    The trap persists outside of this function, so `IFS="$OLD_IFS"` would run on other bash functions executing after this as well. The trap is not function-local (yuck, who designed bash!?). Also there's a much easier way to handle IFS here: `local IFS=whatever-we-want`
  * refactor: replace eval-based object kv parser with PHP parser
  * fix: support modern private key format in installer cert parsing
    Observed during install:
    - sed: -e expression #1, char 1: unknown command: ','
    - SSLCertificateKeyFile: file '/usr/local/hestia/ssl/certificate.key' does not exist or is empty
    - Error: apache2 restart failed
    Root cause: installer key parsing expected RSA markers only, but generated PEM can use BEGIN/END PRIVATE KEY.
  * php8.3 compatibility
    Downgrades symfony/console and symfony/process constraints from ^8 to ^7.4 and refreshes composer.lock. Turns out symfony/console 8 requires PHP>=8.4, quote:
    > symfony/string v8.0.1 requires php >=8.4 -> your php version (8.3.17) does not satisfy that requirement.
  * fix WEBMAIL variable name ref
    Fix test:
    ```
    not ok 124 MAIL: Add domain
    not ok 125 MAIL: Add mail domain webmail client (Roundcube)
    ```
  * Fix change-domain-owner public-IP vs NAT-ip mixup
    fix bats test:
    ```
    not ok 213 Change: Change domain owner
    # (from function `assert_success' in file test/test_helper/bats-assert/src/assert_success.bash, line 42,
    #  in test file test/test.bats, line 2217)
    #   `assert_success' failed
    #
    # -- command failed --
    # status : 12
    # output (9 lines):
    #   Moving test-5285.hestiacp.com from test-5285 to test-5286, please wait...
    #   [*] Moving web domain...
    #   [*] IP dedicated to test-5285 select new ip address...
    #   89.10.235.235
    #   [*] Moving DNS zone and records...
    #   [*] Moving mail domain and accounts...
    #   grep: /usr/local/hestia/data/ips/89.10.235.235: No such file or directory
    #   grep: /usr/local/hestia/data/ips/89.10.235.235: No such file or directory
    #   Error: Parsing error
    # --
    ```
  ---------
  Co-authored-by: divinity76 <hans@loltek.net>
* Update Hestia version / Nginx
* Bump hestia-nginx version to 1.30.1 (#5332)
  Changes with nginx 1.30.1, 13 May 2026
  *) Security: when using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc Research.
  *) Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution (CVE-2026-42945). Thanks to Leo Lin.
  *) Security: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946). Thanks to Leo Lin.
  *) Security: a heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42934). Thanks to David Carlier.
  *) Security: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460). Thanks to Rodrigo Laneth.
  *) Security: use-after-free might occur during DNS server response processing if the "ssl_ocsp" directive was used, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process (CVE-2026-40701). Thanks to Leo Lin.
  *) Bugfix: connections with HTTP/2 backends might not be cached when using the "proxy_set_body" or "proxy_pass_request_body" directives.
  *) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be transferred incorrectly if the first line was not fully read.
* Bump hestia-php version to 8.4.21 (#5325)
* Remove opcache package from installation scripts (#5323)
  PHP 8.5 no longer provides OPcache as a separate package because it is included in the core. If the default PHP version is changed to 8.5 in the installation script, the process will fail since the php8.5-opcache package does not exist. Additionally, there is no need to explicitly install OPcache for other PHP versions, as it is already included as a dependency of the phpX.Y-fpm package. The `v-add-web-php` script does not install OPcache explicitly either.
* Bump file manager to version 7.14.0 (#5306)
* Use fixed FileGator version for installation (#5316)
  Update the File Manager installation script to reference a specific FileGator version instead of using the latest build. This change introduces a versioned filename (filegator_v${fm_v}) and dynamically constructs the download URL based on that version, improving reproducibility and avoiding unexpected changes from upstream updates.
* Bump hestia-nginx version to 1.30.2 (#5341)
* Bump file manager to version 7.14.3 (#5340)
* Bump js-cookie from 3.0.5 to 3.0.7 (#5339)
  Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 3.0.5 to 3.0.7.
  - [Release notes](https://github.com/js-cookie/js-cookie/releases)
  - [Commits](js-cookie/js-cookie@v3.0.5...v3.0.7)
  ---
  updated-dependencies:
  - dependency-name: js-cookie
    dependency-version: 3.0.7
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update dependency lint-staged to v17 (#5327)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Bump phpseclib/phpseclib in /install/deb/filemanager/filegator (#5322)
  Bumps [phpseclib/phpseclib](https://github.com/phpseclib/phpseclib) from 2.0.47 to 2.0.54.
  - [Release notes](https://github.com/phpseclib/phpseclib/releases)
  - [Changelog](https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md)
  - [Commits](phpseclib/phpseclib@2.0.47...2.0.54)
  ---
  updated-dependencies:
  - dependency-name: phpseclib/phpseclib
    dependency-version: 2.0.54
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump ws from 8.19.0 to 8.20.1 in /src/deb/web-terminal (#5346)
  Bumps [ws](https://github.com/websockets/ws) from 8.19.0 to 8.20.1.
  - [Release notes](https://github.com/websockets/ws/releases)
  - [Commits](websockets/ws@8.19.0...8.20.1)
  ---
  updated-dependencies:
  - dependency-name: ws
    dependency-version: 8.20.1
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update dependency ws to v8.20.1 [SECURITY] (#5348)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Update symfony packages to v8 (#5313)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Bump postcss from 8.5.6 to 8.5.12 (#5311)
  Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.12.
  - [Release notes](https://github.com/postcss/postcss/releases)
  - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
  - [Commits](postcss/postcss@8.5.6...8.5.12)
  ---
  updated-dependencies:
  - dependency-name: postcss
    dependency-version: 8.5.12
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update dependency jsdom to v29 (#5265)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Bump rollup from 4.53.3 to 4.59.0 (#5236)
  Bumps [rollup](https://github.com/rollup/rollup) from 4.53.3 to 4.59.0.
  - [Release notes](https://github.com/rollup/rollup/releases)
  - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
  - [Commits](rollup/rollup@v4.53.3...v4.59.0)
  ---
  updated-dependencies:
  - dependency-name: rollup
    dependency-version: 4.59.0
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* bin/v-quick-install-app: Update to comply with the new Symfony 8 version (#5235)
  bin/v-quick-install-app is not compliant with the new Symfony 8 version and needs an update. Idea and implementation by sahsanu.
  PR by asmcc
* Bump phpMyAdmin to version 5.2.3 (#5227)
  Some notable fixes in this release include:
  - Fixed "Delete" button not asking for confirmation when deleting a row
  - Remove the maxlength for routines name
  - Fix error 500 when simulating a SET statement
  - Fixed PHP 8.4 deprecations in thecodingmachine/safe
  - Improved GIS visualization to work with huge tables
  - Fix copy to clipboard
  - Fixed some PHP 8.4 and PHP 8.5 deprecations
  - Add support for "bacon-qr-code" v3, which relates to two-factor authentication
  - Fixes for right-to-left languages
  Full changelog: https://github.com/phpmyadmin/phpmyadmin/blob/RELEASE_5_2_3/ChangeLog
* Recreate package.json
* Recreate lock file
* Fix second .lock file
* Fix PR #5162 (#5343)
  Testing the upgrade I realized that `write_config_value` is not the right function to replace an existing conf value. I've fixed it in this PR.
* Bump hestia-web-terminal package version to 1.0.3
* Update web-terminal package dependencies
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sahsanu <sahsanu@users.noreply.github.com>
Co-authored-by: vdbhb59 <60728004+vdbhb59@users.noreply.github.com>
Co-authored-by: Maksim Usmanov | Maks <skamasle@gmail.com>
Co-authored-by: Joseph <61133303+zcraber@users.noreply.github.com>
Co-authored-by: divinity76 <hans@loltek.net>
Co-authored-by: xeruf <27jf@pm.me>
Co-authored-by: Pavel Z <55258742+pavlozt@users.noreply.github.com>
Co-authored-by: fearworksmedia <keith@fearworksmedia.co.uk>
Co-authored-by: jenslj <116965753+jenslj@users.noreply.github.com>
Co-authored-by: Dario Ventura <94967571+iz7crx@users.noreply.github.com>
Co-authored-by: Luca Fontanot <136001177+LucaFontanot@users.noreply.github.com>
Co-authored-by: Arturo Mantinetti <amantinetti@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: AFS <drsdre@users.noreply.github.com>
Co-authored-by: asmcc <40981206+asmcc@users.noreply.github.com>
Co-authored-by: Lucas <lg@wb7.eu>
Co-authored-by: Zollner Robert <wolfit_ro@yahoo.com>
Co-authored-by: Alex Osmichenko <alex@itmonks.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
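The CNAME change above (#5291) relaxes domain validation so that underscored owner names such as the ones DKIM needs are accepted. The check below is an added example written for this page, not HestiaCP's own validation code: a strict hostname mode (letters, digits, hyphens) and a relaxed mode that additionally accepts a leading underscore in a label. The function names, the `underscore` switch and the record-type mapping in the wrapper are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not HestiaCP's own validation code.
# validate_dns_name NAME [underscore]
# Exit 0 if NAME is a syntactically valid DNS name, 1 otherwise.
# With the optional "underscore" argument, a label may start with "_"
# (underscored owner names such as _dmarc or selector._domainkey), which the
# strict hostname rules reject.
validate_dns_name() {
    local name label
    name=${1%.}                          # tolerate a single trailing dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1

    # One label: 1-63 chars, alphanumeric at both ends, hyphens allowed inside.
    label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    # Relaxed mode: allow a leading underscore on any label.
    [ "$2" = underscore ] && label="_?$label"

    printf '%s\n' "$name" | grep -Eq "^($label\.)*$label\$"
}

# validate_record_name TYPE NAME
# Hypothetical wrapper mirroring the page's case: CNAME (and TXT) owner names
# get the relaxed check, everything else the strict hostname check.
validate_record_name() {
    case $1 in
        CNAME|TXT) validate_dns_name "$2" underscore ;;
        *)         validate_dns_name "$2" ;;
    esac
}
```

Note that the relaxed mode only loosens the first character of a label; label and name length limits, empty labels and characters outside the hostname alphabet are still rejected, so a value like `a;b.example.com` fails in both modes.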
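Two items in #5309 above, replacing the eval-based object kv parser and using `local IFS` instead of a trap-restored one, are illustrated by the following added example. It is not HestiaCP's parser: it reads a one-line `KEY='value' KEY2='value'` object with parameter expansion only, so a line that stops looking like quoted pairs (the kind of input `eval` would have executed as shell code) is rejected instead of run, and it splits a comma-separated value with a function-scoped IFS. The `KEY='value'` layout and the function names are assumptions of this example; the page names the parser it replaced but does not show its format.

```shell
#!/usr/bin/env bash
# Added example, not HestiaCP's own code.
export LC_ALL=C    # keep [A-Z] byte-based so lowercase keys are not accepted

# parse_kv LINE
# Prints "KEY<TAB>value" per pair. Returns 1 (and reports where it stopped)
# as soon as the remainder of the line is not a KEY='value' pair. The
# assumed object format is KEY='value' KEY2='value' on one line.
parse_kv() {
    local rest key val
    rest=$1
    while :; do
        rest=${rest#"${rest%%[! ]*}"}            # drop leading spaces
        [ -n "$rest" ] || return 0
        key=${rest%%=*}
        case $key in
            ''|*[!A-Z0-9_]*)
                printf 'parse error near: %s\n' "$rest" >&2; return 1 ;;
        esac
        rest=${rest#"$key"=}
        case $rest in
            \'*) rest=${rest#\'} ;;
            *)   printf 'parse error: unquoted value for %s\n' "$key" >&2; return 1 ;;
        esac
        case $rest in
            *\'*) ;;
            *)    printf 'parse error: unterminated value for %s\n' "$key" >&2; return 1 ;;
        esac
        val=${rest%%\'*}
        rest=${rest#*\'}
        printf '%s\t%s\n' "$key" "$val"
    done
}

# kv_get LINE KEY
# Prints the value of KEY. Returns 1 when the line is malformed or KEY is
# absent; a malformed line yields nothing even for keys parsed before the
# error, so callers cannot act on a partially trusted record.
kv_get() {
    local table
    table=$(parse_kv "$1" 2>/dev/null) || return 1
    printf '%s\n' "$table" |
        awk -F '\t' -v k="$2" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# split_csv VALUE
# One item per line. `local IFS` confines the separator change to this call,
# so the caller's IFS is unchanged afterwards; a trap-based restore would
# still fire (and clobber IFS) in functions called later.
split_csv() {
    local IFS=,
    set -f                                   # no pathname expansion of items
    set -- $1
    set +f
    printf '%s\n' "$@"
}
```

The security point is in `parse_kv`'s error paths: with `eval`, a record such as `NAME='x'; touch /tmp/pwned; Y='y'` is a command line; here it is a parse failure after the first pair, and `kv_get` turns that into a hard failure rather than returning `x`.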
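The installer fix in #5309 above traces an empty `certificate.key` (and a failed apache2 restart) to key parsing that matched only `RSA PRIVATE KEY` markers while the generated PEM used `PRIVATE KEY`. The following added example, which is not the installer's code, copies the key block out of a PEM bundle accepting the PKCS#8 marker as well as the legacy RSA/EC ones, creates the output with a restrictive umask before any key material is written, and refuses a block without a closing marker. Function names are this example's own; it assumes GNU sed (`-E`).

```shell
#!/usr/bin/env bash
# Added example, not the HestiaCP installer's code.

# extract_private_key BUNDLE OUT
# Writes the private-key block(s) from BUNDLE to OUT (mode 0600), returning 0.
# Returns 1 and leaves no OUT file when no complete block is present.
# Accepted markers: PRIVATE KEY (PKCS#8), RSA PRIVATE KEY, EC PRIVATE KEY,
# ENCRYPTED PRIVATE KEY.
extract_private_key() {
    local bundle out
    bundle=$1
    out=$2
    [ -r "$bundle" ] || { printf 'cannot read %s\n' "$bundle" >&2; return 1; }

    # Remove any stale OUT first: ">" would keep an existing file's wider mode.
    rm -f "$out"
    # Restrictive umask in a subshell, so OUT is born 0600 and the umask
    # change does not leak to the caller.
    ( umask 077
      sed -nE '/^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$/,/^-----END (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$/p' \
          "$bundle" > "$out" )

    # A BEGIN line without its END line makes sed print to end of file, so
    # insist on a proper END marker; an empty OUT means no key at all.
    if [ -s "$out" ] && tail -n 1 "$out" | grep -Eq '^-----END (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$'; then
        return 0
    fi
    rm -f "$out"
    printf 'no complete private key block in %s\n' "$bundle" >&2
    return 1
}

# key_kind FILE
# Prints pkcs8, rsa, ec or encrypted for the first key block in FILE and
# nothing when there is none, so a caller can tell a legacy format apart.
key_kind() {
    sed -nE '
        /^-----BEGIN PRIVATE KEY-----$/{s/.*/pkcs8/p;q;}
        /^-----BEGIN RSA PRIVATE KEY-----$/{s/.*/rsa/p;q;}
        /^-----BEGIN EC PRIVATE KEY-----$/{s/.*/ec/p;q;}
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/{s/.*/encrypted/p;q;}
    ' "$1"
}
```

The base64 bodies used in the checks are constructed placeholders, not real keys; the functions only look at the marker lines, which is all the installer failure described above was about.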
1.8.12 ? (#4532)
* import 1.8.12.sh from main branch
* add hestiamail to hestia-users
* version numbers
* Fix roundcube permissions
  This patch basically changes the user group root:hestiamail to hestiamail:www-data for roundcube directories. Also changes the permissions from 644 to 640 for the file /etc/roundcube/config.inc.php so that it cannot be read by others, as it contains the roundcube user's password for the database.
* Update CHANGELOG.md
* Fix roundcube permissions
  This patch basically changes the user group root:hestiamail to hestiamail:www-data for roundcube directories. Also changes the permissions from 644 to 640 for the file /etc/roundcube/config.inc.php so that it cannot be read by others, as it contains the roundcube user's password for the database.
* Update CHANGELOG.md
* Run npm run format
* Update Roundcube / Snappymail / Filegator
* remove duplicate validate_web_domain (#4536)
---------
Co-authored-by: sahsanu <sahsanu@users.noreply.github.com>
Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
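The Roundcube permission fix above tightens `/etc/roundcube/config.inc.php` from 644 to 640 under `hestiamail:www-data` because the file carries the database password. The check below is an added example, not HestiaCP's upgrade code: it verifies that a secret-bearing file is owned by the expected user and group and grants no bits beyond an allowed mode, tightens it when it does not, and lists anything under a directory that is still world-readable. Function names are this example's own; it assumes a Linux host with GNU coreutils (`stat -c`).

```shell
#!/usr/bin/env bash
# Added example, not HestiaCP's own code.

# check_secret_file FILE OWNER GROUP MAXMODE
# Exit 0 when FILE is owned by OWNER:GROUP and its permission bits are a
# subset of MAXMODE (octal, e.g. 640). Every violation is reported on stdout.
check_secret_file() {
    local file owner group maxmode cur_owner cur_group cur_mode extra ok
    file=$1 owner=$2 group=$3 maxmode=$4
    [ -e "$file" ] || { printf '%s: missing\n' "$file"; return 1; }

    # %U/%G owner and group names, %a mode in octal (GNU stat).
    set -- $(stat -c '%U %G %a' "$file")
    cur_owner=$1 cur_group=$2 cur_mode=$3
    ok=0
    [ "$cur_owner" = "$owner" ] ||
        { printf '%s: owner is %s, want %s\n' "$file" "$cur_owner" "$owner"; ok=1; }
    [ "$cur_group" = "$group" ] ||
        { printf '%s: group is %s, want %s\n' "$file" "$cur_group" "$group"; ok=1; }
    # Bits set now but absent from MAXMODE, e.g. 644 vs 640 leaves 004 (other-read).
    extra=$(( 0$cur_mode & ~0$maxmode ))
    [ "$extra" -eq 0 ] ||
        { printf '%s: mode %s exceeds %s (extra bits %03o)\n' "$file" "$cur_mode" "$maxmode" "$extra"; ok=1; }
    return $ok
}

# harden_secret_file FILE OWNER GROUP MODE
# Apply OWNER:GROUP and MODE, then re-run the check so the exit status
# reflects the final state rather than the chown/chmod calls alone.
harden_secret_file() {
    chown "$2:$3" "$1" && chmod "$4" "$1" && check_secret_file "$@"
}

# world_readable_files DIR
# Regular files under DIR that grant read to "other" (the 644 case above).
world_readable_files() {
    find "$1" -type f -perm -004
}
```

A mode that is stricter than the allowed one (600 against a 640 limit) passes, since the check is about excess bits, not an exact match; the checks below use a constructed config line, not a real Roundcube password.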