maxmod
diff --git a/‎BTPanel/__init__.py
+82-124 b/‎BTPanel/__init__.py
+82-124
@@ -9,7 +9,7 @@
 import sys,json,os,time,logging,re
 if sys.version_info[0] != 2:
         from imp import reload
-sys.path.insert(0,'class/')
+sys.path.insert(0,'/www/server/panel/class/')
 import public
 from flask import Flask
 app = Flask(__name__,template_folder="templates/" + public.GetConfigValue('template'))
@@ -19,6 +19,7 @@
 from werkzeug.contrib.cache import SimpleCache
 from werkzeug.wrappers import Response
 from flask_socketio import SocketIO,emit,send
+from threading import Lock
 dns_client = None
 app.config['DEBUG'] = os.path.exists('data/debug.pl')
 
@@ -37,11 +38,11 @@
 socketio = SocketIO()
 socketio.init_app(app)
 
-import common,db,jobs,uuid
+import common,db,jobs,uuid,ssh_terminal
 jobs.control_init()
 app.secret_key = uuid.UUID(int=uuid.getnode()).hex[-12:]
 local_ip = None
-
+my_terms = {}
 
 try:
     from flask_sqlalchemy import SQLAlchemy
@@ -67,7 +68,10 @@
 app.config['PERMANENT_SESSION_LIFETIME'] = 86400
 Session(app)
 
-if s_sqlite: sdb.create_all()
+
+if s_sqlite:
+    sdb.create_all()
+    public.ExecShell("chmod 600 /dev/shm/session.db")
 
 from datetime import datetime
 import socket
@@ -89,11 +93,67 @@ def service_status():
     return 'True'
 
 
+
+@socketio.on('connect')
+def socket_connect(msg=None):
+    if not check_login():
+        emit('server_response',{'data':public.getMsg('111')})
+        return False
+
+@socketio.on('webssh')
+def webssh(msg):
+    if not check_login():
+        session.clear()
+        emit('server_response',"Panel session is lost, please re-login panel!")
+        return None
+    if not 'ssh_obj' in session:
+        session['ssh_obj'] = ssh_terminal.ssh_terminal()
+    session['ssh_obj'].send(msg)
+
+
+@app.route('/term_open',methods=method_all)
+def term_open():
+    comReturn = comm.local()
+    if comReturn: return comReturn
+    args = get_input()
+    if 'get_ssh_info' in args:
+        key = 'ssh_' + args['host']
+        if key in session:
+            return public.getJson(session[key]),json_header
+        return public.returnMsg(False,'Acquisition failed!')
+    session['ssh_info'] = json.loads(args.data)
+    key = 'ssh_' + session['ssh_info']['host']
+    session[key] = session['ssh_info']
+    s_file = '/www/server/panel/config/t_info.json'
+    if 'is_save' in session['ssh_info']:
+        public.writeFile(s_file,public.de_hexb(json.dumps(session['ssh_info'])))
+        public.set_mode(s_file,600)
+    else:
+        if os.path.exists(s_file): os.remove(s_file)
+    return public.returnJson(True,'Successful setup!');
+
+@app.route('/reload_mod',methods=method_all)
+def reload_mod():
+    comReturn = comm.local()
+    if comReturn: return comReturn
+    args = get_input()
+    mod_name = None
+    if 'mod_name' in args:
+        mod_name = args.mod_name
+    result = public.reload_mod(mod_name)
+    if result: return public.returnJson(True,result),json_header
+    return public.returnJson(False,'Reload failure!'),json_header
+
 @app.before_request
 def request_check():
     if not request.path in ['/safe','/hook','/public']:
         ip_check = public.check_ip_panel()
         if ip_check: return ip_check
+
+    if request.path.find('/static/') != -1 or request.path == '/code':
+        if not 'login' in session and not 'admin_auth' in session:
+            session.clear()
+            return abort(401)
     domain_check = public.check_domain_panel()
     if domain_check: return domain_check
     if public.is_local():
@@ -120,7 +180,9 @@ def request_end(reques = None):
 def send_authenticated():
     global local_ip
     if not local_ip: local_ip = public.GetLocalIp()
-    return Response('', 401,{'WWW-Authenticate': 'Basic realm="%s"' % local_ip.strip()})
+    result = Response('', 401,{'WWW-Authenticate': 'Basic realm="%s"' % local_ip.strip()})
+    if not 'login' in session and not 'admin_auth' in session: session.clear()
+    return result
 
 @app.route('/',methods=method_all)
 def home():
@@ -462,7 +524,7 @@ def config(pdata = None):
         if public.is_local(): data['is_local'] = 'checked'
         return render_template( 'config.html',data=data)
     import config
-    defs = ('get_qrcode_data','check_two_step','set_two_step_auth','get_key','get_php_session_path','set_php_session_path','get_cert_source','set_local','set_debug','get_panel_error_logs','clean_panel_error_logs','get_basic_auth_stat','set_basic_auth','get_cli_php_version','get_tmp_token','set_cli_php_version','DelOldSession', 'GetSessionCount', 'SetSessionConf', 'GetSessionConf','get_ipv6_listen','set_ipv6_status','GetApacheValue','SetApacheValue','GetNginxValue','SetNginxValue','get_token','set_token','set_admin_path','is_pro','get_php_config','get_config','SavePanelSSL','GetPanelSSL','GetPHPConf','SetPHPConf','GetPanelList','AddPanelInfo','SetPanelInfo','DelPanelInfo','ClickPanelInfo','SetPanelSSL','SetTemplates','Set502','setPassword','setUsername','setPanel','setPathInfo','setPHPMaxSize','getFpmConfig','setFpmConfig','setPHPMaxTime','syncDate','setPHPDisable','SetControl','ClosePanel','AutoUpdatePanel','SetPanelLock')
+    defs = ('set_coll_open','get_qrcode_data','check_two_step','set_two_step_auth','get_key','get_php_session_path','set_php_session_path','get_cert_source','set_local','set_debug','get_panel_error_logs','clean_panel_error_logs','get_basic_auth_stat','set_basic_auth','get_cli_php_version','get_tmp_token','set_cli_php_version','DelOldSession', 'GetSessionCount', 'SetSessionConf', 'GetSessionConf','get_ipv6_listen','set_ipv6_status','GetApacheValue','SetApacheValue','GetNginxValue','SetNginxValue','get_token','set_token','set_admin_path','is_pro','get_php_config','get_config','SavePanelSSL','GetPanelSSL','GetPHPConf','SetPHPConf','GetPanelList','AddPanelInfo','SetPanelInfo','DelPanelInfo','ClickPanelInfo','SetPanelSSL','SetTemplates','Set502','setPassword','setUsername','setPanel','setPathInfo','setPHPMaxSize','getFpmConfig','setFpmConfig','setPHPMaxTime','syncDate','setPHPDisable','SetControl','ClosePanel','AutoUpdatePanel','SetPanelLock')
     return publicObject(config.config(),defs,None,pdata);
 
 @app.route('/ajax',methods=method_all)
@@ -570,6 +632,7 @@ def panel_public():
     if not public.path_safe_check("%s/%s" % (get.name,get.fun)): return abort(404)
     if get.fun in ['scan_login', 'login_qrcode', 'set_login', 'is_scan_ok', 'blind','static']:
         if get.fun == 'static':
+            if not 'filename' in get: return abort(404)
             if not public.path_safe_check("%s" % (get.filename)): return abort(404)
             s_file = '/www/server/panel/BTPanel/static/' + get.filename
             if s_file.find('..') != -1 or s_file.find('./') != -1: return abort(404)
@@ -598,6 +661,7 @@ def panel_public():
     comm.checkWebType()
     comm.GetOS()
     result = plu.a(get)
+    session.clear()
     return public.getJson(result),json_header
 
 @app.route('/favicon.ico',methods=method_get)
@@ -661,7 +725,9 @@ def panel_other(name=None,fun = None,stype=None):
         comReturn = comm.local()
         if comReturn:
             if not is_php:
-                if not hasattr(plu,'_check'): return public.returnJson(False,'SPECIFY_PLUG_ERR'),json_header
+                if not hasattr(plu,'_check'):
+                    session.clear()
+                    return public.returnJson(False,'SPECIFY_PLUG_ERR'),json_header
                 checks = plu._check(args)
                 r_type = type(checks)
                 if r_type == Response: return checks
@@ -738,6 +804,7 @@ def panel_hook():
     if not os.path.exists('plugin/webhook'): return public.getJson(public.returnMsg(False,'INIT_WEBHOOK_ERR'));
     sys.path.append('plugin/webhook');
     import webhook_main
+    session.clear()
     return public.getJson(webhook_main.webhook_main().RunHook(get));
 
 @app.route('/safe',methods=method_all)
@@ -760,13 +827,16 @@ def panel_safe():
     if not hasattr(s,get.data['action']): return public.returnJson(False,'INIT_FUN_NOT_EXISTS');
     defs = ('GetServerInfo','add_ssh_limit','remove_ssh_limit','get_ssh_limit','get_login_log','get_panel_limit','add_panel_limit','remove_panel_limit','close_ssh_limit','close_panel_limit','get_system_info','get_service_info','get_ssh_errorlogin')
     if not get.data['action'] in defs: return 'False';
-    return public.getJson(eval('s.' + get.data['action'] + '(get)'));
+    result = public.getJson(eval('s.' + get.data['action'] + '(get)'));
+    session.clear()
+    return result
 
 
 @app.route('/install',methods=method_all)
 def install():
     if public.M('config').where("id=?",('1',)).getField('status') == 1: 
         if os.path.exists('install.pl'): os.remove('install.pl');
+        session.clear()
         return redirect('/login')
     ret_login = os.path.join('/',admin_path)
     if admin_path == '/' or admin_path == '/bt': ret_login = '/login'
@@ -863,122 +933,6 @@ def panel_cloud():
         if download_url.find('http') != 0:download_url = 'http://' + download_url
     return redirect(download_url)
 
-ssh = None
-shell = None
-try:
-    import paramiko
-    ssh = paramiko.SSHClient()
-except:
-    public.ExecShell('pip install paramiko==2.0.2 &')
-
-@socketio.on('connect')
-def socket_connect(msg=None):
-    if not check_login():
-        emit('server_response',{'data':public.getMsg('111')})
-        return False
-
-@socketio.on('webssh')
-def webssh(msg):
-    if not check_login(msg['x_http_token']):
-        emit('server_response',{'data':public.getMsg('INIT_WEBSSH_LOGOUT')})
-        return None
-
-    global shell,ssh
-    ssh_success = True
-    if type(msg['data']) == dict:
-        if 'ssh_user' in msg['data']:
-            connect_ssh(msg['data']['ssh_user'].strip(),msg['data']['ssh_passwd'].strip())
-    if not shell: ssh_success = connect_ssh()
-    if not shell:
-        emit('server_response',{'data':public.getMsg('INIT_WEBSSH_CONN_ERR')})
-        return;
-    if shell.exit_status_ready(): ssh_success = connect_ssh()
-    if not ssh_success:
-        emit('server_response',{'data':public.getMsg('INIT_WEBSSH_CONN_ERR')})
-        return;
-    shell.send(msg['data'])
-    time.sleep(0.005)
-    recv = shell.recv(4096)
-    emit('server_response',{'data':recv.decode("utf-8")})
-
-def connect_ssh(user=None,passwd=None):
-    global shell,ssh
-    pkey = '/root/.ssh/id_rsa_bt'
-    if not os.path.exists('/root/.ssh/authorized_keys') or not os.path.exists(pkey):
-        create_rsa()
-    try:
-        if not user:
-            key=paramiko.RSAKey.from_private_key_file(pkey)
-            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-        try:
-            if not user:
-                ssh.connect('127.0.0.1', public.GetSSHPort(),pkey=key)
-            else:
-                ssh.connect('127.0.0.1', public.GetSSHPort(),username=user,password=passwd)
-        except:
-            if public.GetSSHStatus():
-                try:
-                    if not user:
-                        ssh.connect('localhost', public.GetSSHPort(),pkey=key)
-                    else:
-                        ssh.connect('localhost', public.GetSSHPort(),username=user,password=passwd)
-                except:
-                    create_rsa()
-                    return False;
-            import firewalls
-            fw = firewalls.firewalls()
-            get = common.dict_obj()
-            ssh_status = fw.GetSshInfo(get)['status']
-            if not ssh_status:
-                get.status = '0';
-                fw.SetSshStatus(get)
-
-            if not user:
-                ssh.connect('127.0.0.1', public.GetSSHPort(),pkey=key)
-            else:
-                ssh.connect('127.0.0.1', public.GetSSHPort(),username=user,password=passwd)
-
-            if not ssh_status:
-                get.status = '1';
-                fw.SetSshStatus(get);
-        shell = ssh.invoke_shell(term='xterm', width=100, height=29)
-        shell.setblocking(0)
-        return True
-    except:
-        shell = None
-        return False
-
-def create_rsa():
-    id_ras = '/root/.ssh/id_rsa_bt'
-    a_keys = '/root/.ssh/authorized_keys'
-    if not os.path.exists(a_keys) or not os.path.exists(id_ras):
-        public.ExecShell("rm -f /root/.ssh/id_rsa_bt*")
-        public.ExecShell('ssh-keygen -q -t rsa -P "" -f /root/.ssh/id_rsa_bt')
-        public.ExecShell('cat /root/.ssh/id_rsa_bt.pub >> /root/.ssh/authorized_keys')
-    else:
-        id_ras_pub = '/root/.ssh/id_rsa_bt.pub'
-        if os.path.exists(id_ras_pub):
-            pub_body = public.readFile(id_ras_pub)
-            keys_body = public.readFile(a_keys)
-            if keys_body.find(pub_body) == -1:
-                public.ExecShell('cat /root/.ssh/id_rsa_bt.pub >> /root/.ssh/authorized_keys')
-    public.ExecShell('chmod 600 /root/.ssh/authorized_keys')
-    
-@socketio.on('connect_event')
-def connected_msg(msg):
-    if not check_login(): 
-        emit('server_response',{'data':public.getMsg('INIT_WEBSSH_LOGOUT')})
-        return None 
-    global shell
-    if not shell: connect_ssh()
-    if shell:
-        try:
-            recv = shell.recv(8192)
-            emit('server_response',{'data':recv.decode("utf-8")})
-        except:
-            pass
-
-
 def check_csrf():
     if app.config['DEBUG']: return True
     request_token = request.cookies.get('request_token')
@@ -1002,6 +956,10 @@ def publicObject(toObject,defs,action=None,get = None):
             if get.path.find('./') != -1: return public.ReturnJson(False,public.GetMsg("UNSAFE_PATH")),json_header
             if get.path.find('->') != -1:
                 get.path = get.path.split('->')[0].strip();
+    if hasattr(get,'sfile'):
+        get.sfile = get.sfile.replace('//','/').replace('\\','/');
+    if hasattr(get,'dfile'):
+        get.dfile = get.dfile.replace('//','/').replace('\\','/');
 
     if hasattr(toObject,'site_path_check'):
         if not toObject.site_path_check(get): return public.ReturnJson(False,'Excessive operation!'),json_header