
vhost-hostnamen vernünftig prüfen: IDN-encoding, PHP-eigene funktion, check von komplettem fqdn

Hanno Böck authored on07/08/2018 20:24:06
Showing2 changed files
... ...
@@ -105,6 +105,19 @@ function verify_input_hostname($input, $wildcard=false)
105 105
 }
106 106
 
107 107
 
108
+function verify_input_hostname_utf8($input)
109
+{
110
+  $puny = idn_to_ascii($input, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
111
+  if ($puny === false) {
112
+    system_failure("Ungültiger Hostname! idn ".$input);
113
+  }
114
+  $filter = filter_var($puny, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
115
+  if ($filter === false) {
116
+    system_failure("Ungültiger Hostname! filter ".$input);
117
+  }
118
+}
119
+
120
+
108 121
 function verify_input_ipv4($input)
109 122
 {
110 123
   if (! preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $input)) {
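Review bot: verify_input_hostname_utf8() (new lines 108–118) builds the UTS46-mapped ASCII form in `$puny`, validates that, and then discards it, so the callers in the second changed file keep using the raw `$hostname` for the docroot path and for `$alias['hostname']`. UTS46 mapping case-folds and normalises the name before encoding it, so the string that passed the check need not be byte-identical to the string that is stored. I would end the function with `return $puny;` and have the callers store or compare against the returned value, so that validation and storage refer to one canonical form. Both checks also depend on system_failure() not returning, which is not visible in this hunk; if it can return, `filter_var()` is called on `false`. A short docblock saying that the function aborts on invalid input and expects a complete FQDN in UTF-8 or punycode would document the contract.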
... ...
@@ -37,7 +37,7 @@ if ($_GET['action'] == 'edit') {
37 37
   }
38 38
   DEBUG($vhost);
39 39
 
40
-  $hostname = filter_input_hostname($_POST['hostname'], true);
40
+  $hostname = strtolower(trim($_POST['hostname']));
41 41
 
42 42
   $domainname = null;
43 43
   $domain_id = (int) $_POST['domain'];
... ...
@@ -69,6 +69,12 @@ if ($_GET['action'] == 'edit') {
69 69
     }
70 70
   }
71 71
 
72
+  $fqdn = ($hostname!==""?$hostname.".":"").$domainname;
73
+  verify_input_hostname_utf8($fqdn);
74
+  if ($aliaswww) {
75
+    verify_input_hostname_utf8("www.".$fqdn);
76
+  }
77
+
72 78
   $docroot = '';
73 79
   if ($_POST['vhost_type'] == 'regular' || $_POST['vhost_type'] == 'dav') {
74 80
     $defaultdocroot = $vhost['homedir'].'/websites/'.((strlen($hostname) > 0) ? $hostname.'.' : '').($domainname).'/htdocs';
... ...
@@ -282,18 +288,20 @@ if ($_GET['action'] == 'edit') {
282 288
   $alias['vhost'] = $vhost['id'];
283 289
 
284 290
 
285
-  $hostname = filter_input_hostname($_POST['hostname'], true);
286
-  $domainid = (int) $_POST['domain'];
287
-  if ($domainid >= 0) {
291
+  $hostname = strtolower(trim($_POST['hostname']));
292
+
293
+  $domain_id = (int) $_POST['domain'];
294
+  if ($domain_id >= 0) {
288 295
     $domain = new Domain((int) $_POST['domain']);
289 296
     $domain->ensure_userdomain();
290
-    $domainid = $domain->id;
291
-  }
292
-  if ($domainid == -1) {
297
+    $domain_id = $domain->id;
298
+    $domainname = $domain->fqdn;
299
+  } elseif ($domain_id == -1) {
293 300
     # use configured user_vhosts_domain
294 301
     $userdomain = userdomain();
295 302
     $domain = new Domain((int) $userdomain['id']);
296
-    $domainid = $domain->id;
303
+    $domain_id = $domain->id;
304
+    $domainname = $domain->fqdn;
297 305
     $hostname = $hostname.'.'.$_SESSION['userinfo']['username'];
298 306
     $hostname = trim($hostname, " .-");
299 307
   }
... ...
@@ -304,6 +312,12 @@ if ($_GET['action'] == 'edit') {
304 312
   $aliaswww = in_array('aliaswww', $_POST['options']);
305 313
   $forward = in_array('forward', $_POST['options']);
306 314
 
315
+  $fqdn = ($hostname!==""?$hostname.".":"").$domainname;
316
+  verify_input_hostname_utf8($fqdn);
317
+  if ($aliaswww) {
318
+    verify_input_hostname_utf8("www.".$fqdn);
319
+  }
320
+
307 321
   $new_options = array();
308 322
   if ($aliaswww) {
309 323
     array_push($new_options, 'aliaswww');
... ...
@@ -316,7 +330,7 @@ if ($_GET['action'] == 'edit') {
316 330
   DEBUG('New options: '.$options);
317 331
 
318 332
   $alias['hostname'] = $hostname;
319
-  $alias['domain_id'] = $domainid;
333
+  $alias['domain_id'] = $domain_id;
320 334
 
321 335
   $alias ['options'] = $options;
322 336
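Review bot: In the alias branch (new lines 291–307) `$domainname` is assigned only when `$domain_id >= 0` or `$domain_id == -1`, so for any other posted value the `$fqdn` built at new line 315 is the hostname followed by a bare dot, and that is what gets validated. New lines 308–311 are outside the hunks and may handle this, but I would set `$domainname = null;` before the `if`, as the edit branch does at new line 42, and reject the request if it is still null before `$fqdn` is built. Separately, `strtolower(trim($_POST['hostname']))` at new lines 40 and 291 lower-cases bytes rather than characters, so a non-ASCII upper-case letter in a UTF-8 hostname is stored unchanged; `mb_strtolower(trim($_POST['hostname']), 'UTF-8')` would match the intent of accepting IDN input. The old call passed `true` as second argument to filter_input_hostname(), which looks like a wildcard switch; if wildcard hostnames were accepted before, `FILTER_FLAG_HOSTNAME` now rejects them, and that is worth confirming as intended.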