1
|
1 |
<? |
|
2 |
|
|
3 |
// +--------------------------------------------------------------------+ |
|
4 |
// | PowerAdmin | |
|
5 |
// +--------------------------------------------------------------------+ |
|
6 |
// | Copyright (c) 1997-2002 The PowerAdmin Team | |
|
7 |
// +--------------------------------------------------------------------+ |
|
8 |
// | This source file is subject to the license carried by the overal | |
|
9 |
// | program PowerAdmin as found on http://poweradmin.sf.net | |
|
10 |
// | The PowerAdmin program falls under the QPL License: | |
|
11 |
// | http://www.trolltech.com/developer/licensing/qpl.html | |
|
12 |
// +--------------------------------------------------------------------+ |
|
13 |
// | Authors: Roeland Nieuwenhuis <trancer <AT> trancer <DOT> nl> | |
|
14 |
// | Sjeemz <sjeemz <AT> sjeemz <DOT> nl> | |
|
15 |
// +--------------------------------------------------------------------+ |
|
16 |
|
|
17 |
// Filename: dns.inc.php |
|
18 |
// Startdate: 26-10-2002 |
|
19 |
// Description: checks whether a given content is valid. |
|
20 |
// A lot of DNS Record features are found to be here and also are to be placed here. |
|
21 |
// If they are authorized this code handles that they can access stuff. |
|
22 |
// |
|
23 |
// $Id: dns.inc.php,v 1.23 2003/02/23 21:31:13 azurazu Exp $ |
|
24 |
// |
|
25 |
|
|
26 |
|
|
27 |
/* |
|
28 |
* Validates an IPv4 IP. |
|
29 |
* returns true if valid. |
|
30 |
*/ |
12
|
31 |
function validate_input($recordid, $zoneid, $type, &$content, &$name, &$prio, &$ttl) |
1
|
32 |
{ |
|
33 |
global $db; |
|
34 |
|
|
35 |
// Has to validate content first then it can do the rest |
|
36 |
// Since if content is invalid already it can aswell be just removed |
|
37 |
// Check first if content is IPv4, IPv6 or Hostname |
|
38 |
// We accomplish this by just running all tests over it |
|
39 |
// We start with IPv6 since its not able to have these ip's in domains. |
|
40 |
// |
|
41 |
// <TODO> |
|
42 |
// The nocheck has to move to the configuration file |
|
43 |
// </TODO> |
|
44 |
// |
|
45 |
$domain = get_domain_name_from_id($zoneid); |
|
46 |
$nocheck = array('SOA', 'HINFO', 'NAPTR', 'URL', 'MBOXFW', 'TXT'); |
|
47 |
$hostname = false; |
|
48 |
$ip4 = false; |
|
49 |
$ip6 = false; |
|
50 |
|
|
51 |
if(!in_array(strtoupper($type), $nocheck)) |
|
52 |
{ |
|
53 |
|
|
54 |
if(!is_valid_ip6($content)) |
|
55 |
{ |
|
56 |
if(!is_valid_ip($content)) |
|
57 |
{ |
|
58 |
if(!is_valid_hostname($content)) |
|
59 |
{ |
|
60 |
error(ERR_DNS_CONTENT); |
|
61 |
} |
|
62 |
else |
|
63 |
{ |
|
64 |
$hostname = true; |
|
65 |
} |
|
66 |
} |
|
67 |
else |
|
68 |
{ |
|
69 |
$ip4 = true; |
|
70 |
} |
|
71 |
} |
|
72 |
else |
|
73 |
{ |
|
74 |
$ip6 = true; |
|
75 |
} |
|
76 |
} |
|
77 |
|
|
78 |
// Prepare total hostname. |
|
79 |
|
|
80 |
if($name == '*') |
|
81 |
{ |
|
82 |
$wildcard = true; |
|
83 |
} |
|
84 |
|
|
85 |
if ($name=="0") { |
|
86 |
$name=$name.".".$domain; |
|
87 |
} else { |
|
88 |
$name = ($name) ? $name.".".$domain : $domain; |
|
89 |
} |
|
90 |
|
|
91 |
if (preg_match('!@\.!i', $name)) |
|
92 |
{ |
|
93 |
$name = str_replace('@.', '@', $name); |
|
94 |
} |
|
95 |
|
|
96 |
if(!$wildcard) |
|
97 |
{ |
|
98 |
if(!is_valid_hostname($name)) |
|
99 |
{ |
|
100 |
error(ERR_DNS_HOSTNAME); |
|
101 |
} |
|
102 |
} |
|
103 |
|
|
104 |
// Check record type (if it exists in our allowed list. |
|
105 |
if (!in_array(strtoupper($type), get_record_types())) |
|
106 |
{ |
|
107 |
error(ERR_DNS_RECORDTYPE); |
|
108 |
} |
|
109 |
|
|
110 |
// Start handling the demands for the functions. |
|
111 |
// Validation for IN A records. Can only have an IP. Nothing else. |
|
112 |
if ($type == 'A' && !$ip4) |
|
113 |
{ |
|
114 |
error(ERR_DNS_IPV4); |
|
115 |
} |
|
116 |
|
|
117 |
if ($type == 'AAAA' && !$ip6) |
|
118 |
{ |
|
119 |
error(ERR_DNS_IPV6); |
|
120 |
} |
|
121 |
|
|
122 |
if ($type == 'CNAME' && $hostname) |
|
123 |
{ |
|
124 |
if(!is_valid_cname($name)) |
|
125 |
{ |
|
126 |
error(ERR_DNS_CNAME); |
|
127 |
} |
|
128 |
} |
|
129 |
|
|
130 |
if ($type == 'NS') |
|
131 |
{ |
|
132 |
$status = is_valid_ns($content, $hostname); |
|
133 |
if($status == -1) |
|
134 |
{ |
|
135 |
error(ERR_DNS_NS_HNAME); |
|
136 |
} |
|
137 |
elseif($status == -2) |
|
138 |
{ |
|
139 |
error(ERR_DNS_NS_CNAME); |
|
140 |
} |
|
141 |
// Otherwise its ok |
|
142 |
} |
|
143 |
|
|
144 |
if ($type == 'SOA') |
|
145 |
{ |
|
146 |
$status = is_valid_soa($content, $zoneid); |
|
147 |
if($status == -1) |
|
148 |
{ |
|
149 |
error(ERR_DNS_SOA_UNIQUE); |
|
150 |
// Make nicer error |
|
151 |
} |
|
152 |
elseif($status == -2) |
|
153 |
{ |
|
154 |
error(ERR_DNS_SOA_NUMERIC); |
|
155 |
} |
|
156 |
} |
|
157 |
|
|
158 |
// HINFO and TXT require no validation. |
|
159 |
|
|
160 |
if ($type == 'URL') |
|
161 |
{ |
|
162 |
if(!is_valid_url($content)) |
|
163 |
{ |
|
164 |
error(ERR_INV_URL); |
|
165 |
} |
|
166 |
} |
|
167 |
if ($type == 'MBOXFW') |
|
168 |
{ |
|
169 |
if(!is_valid_mboxfw($content)) |
|
170 |
{ |
|
171 |
error(ERR_INV_EMAIL); |
|
172 |
} |
|
173 |
} |
|
174 |
|
|
175 |
// NAPTR has to be done. |
|
176 |
// Do we want that? |
|
177 |
// http://www.ietf.org/rfc/rfc2915.txt |
|
178 |
// http://www.zvon.org/tmRFC/RFC2915/Output/chapter2.html |
|
179 |
// http://www.zvon.org/tmRFC/RFC3403/Output/chapter4.html |
|
180 |
|
|
181 |
// See if the prio field is valid and if we have one. |
|
182 |
// If we dont have one and the type is MX record, give it value '10' |
|
183 |
if($type == 'NAPTR') |
|
184 |
{ |
|
185 |
|
|
186 |
} |
|
187 |
|
|
188 |
if($type == 'MX') |
|
189 |
{ |
|
190 |
if($hostname) |
|
191 |
{ |
|
192 |
$status = is_valid_mx($content, $prio); |
|
193 |
if($status == -1) |
|
194 |
{ |
|
195 |
error(ERR_DNS_MX_CNAME); |
|
196 |
} |
|
197 |
elseif($status == -2) |
|
198 |
{ |
|
199 |
error(ERR_DNS_MX_PRIO); |
|
200 |
} |
|
201 |
} |
|
202 |
else |
|
203 |
{ |
6
|
204 |
error( _('If you specify an MX record it must be a hostname.') ); |
1
|
205 |
} |
|
206 |
} |
|
207 |
else |
|
208 |
{ |
|
209 |
$prio=''; |
|
210 |
} |
|
211 |
// Validate the TTL, it has to be numeric. |
|
212 |
$ttl = (!isset($ttl) || !is_numeric($ttl)) ? $DEFAULT_TTL : $ttl; |
|
213 |
} |
|
214 |
|
|
215 |
|
|
216 |
|
|
217 |
/**************************************** |
|
218 |
* * |
|
219 |
* RECORD VALIDATING PART. * |
|
220 |
* CHANGES HERE SHOULD BE CONSIDERED * |
|
221 |
* THEY REQUIRE KNOWLEDGE ABOUT THE * |
|
222 |
* DNS SPECIFICATIONS * |
|
223 |
* * |
|
224 |
***************************************/ |
|
225 |
|
|
226 |
|
|
227 |
/* |
|
228 |
* Validatis a CNAME record by the name it will have and its destination |
|
229 |
* |
|
230 |
*/ |
|
231 |
function is_valid_cname($dest) |
|
232 |
{ |
|
233 |
/* |
|
234 |
* This is really EVIL. |
|
235 |
* If the new record (a CNAME) record is being pointed to by a MX record or NS record we have to bork. |
|
236 |
* this is the idea. |
|
237 |
* |
|
238 |
* MX record: blaat.nl MX mail.blaat.nl |
|
239 |
* Now we look what mail.blaat.nl is |
|
240 |
* We discover the following: |
|
241 |
* mail.blaat.nl CNAME bork.blaat.nl |
|
242 |
* This is NOT allowed! mail.onthanet.nl can not be a CNAME! |
|
243 |
* The same goes for NS. mail.blaat.nl must have a normal IN A record. |
|
244 |
* It MAY point to a CNAME record but its not wished. Lets not support it. |
|
245 |
*/ |
|
246 |
|
|
247 |
global $db; |
|
248 |
|
|
249 |
// Check if there are other records with this information of the following types. |
|
250 |
// P.S. we might add CNAME to block CNAME recursion and chains. |
|
251 |
$blockedtypes = " AND (type='MX' OR type='NS')"; |
|
252 |
|
|
253 |
$cnamec = "SELECT type, content FROM records WHERE content='$dest'" . $blockedtypes; |
|
254 |
$result = $db->query($cnamec); |
|
255 |
|
|
256 |
if($result->numRows() > 0) |
|
257 |
{ |
|
258 |
return false; |
|
259 |
// Lets inform the user he is doing something EVIL. |
|
260 |
// Ok we found a record that has our content field in their content field. |
|
261 |
} |
|
262 |
return true; |
|
263 |
} |
|
264 |
|
|
265 |
|
|
266 |
/* |
|
267 |
* Checks if something is a valid domain. |
|
268 |
* Checks for domainname with the allowed characters <a,b,...z,A,B,...Z> and - and _. |
|
269 |
* This part must be followed by a 2 to 4 character TLD. |
|
270 |
*/ |
|
271 |
function is_valid_domain($domain) |
|
272 |
{ |
|
273 |
if ((eregi("^[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,4}$", $domain)) && (strlen($domain) <= 128)) |
|
274 |
{ |
|
275 |
return true; |
|
276 |
} |
|
277 |
return false; |
|
278 |
} |
|
279 |
|
|
280 |
|
|
281 |
/* |
|
282 |
* Validates if given hostname is allowed. |
|
283 |
* returns true if allowed. |
|
284 |
*/ |
|
285 |
function is_valid_hostname($host) |
|
286 |
{ |
|
287 |
if(count(explode(".", $host)) == 1) |
|
288 |
{ |
|
289 |
return false; |
|
290 |
} |
|
291 |
|
|
292 |
// Its not perfect (in_addr.int is allowed) but works for now. |
|
293 |
|
|
294 |
if(preg_match('!(ip6|in-addr).(arpa|int)$!i', $host)) |
|
295 |
{ |
|
296 |
if(preg_match('!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i', $host)) |
|
297 |
{ |
|
298 |
return true; |
|
299 |
} |
|
300 |
return false; |
|
301 |
} |
|
302 |
|
|
303 |
// Validate further. |
|
304 |
return (preg_match('!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i', $host)) ? true : false; |
|
305 |
} |
|
306 |
|
|
307 |
|
|
308 |
/* |
|
309 |
* Validates an IPv4 IP. |
|
310 |
* returns true if valid. |
|
311 |
*/ |
|
312 |
function is_valid_ip($ip) |
|
313 |
{ |
|
314 |
// Stop reading at this point. Scroll down to the next function... |
|
315 |
// Ok... you didn't stop reading... now you have to rewrite the whole function! enjoy ;-) |
|
316 |
// Trance unborked it. Twice even! |
|
317 |
return ($ip == long2ip(ip2long($ip))) ? true : false; |
|
318 |
|
|
319 |
} |
|
320 |
|
|
321 |
|
|
322 |
/* |
|
323 |
* Validates an IPv6 IP. |
|
324 |
* returns true if valid. |
|
325 |
*/ |
|
326 |
function is_valid_ip6($ip) |
|
327 |
{ |
|
328 |
// Validates if the given IP is truly an IPv6 address. |
|
329 |
// Precondition: have a string |
|
330 |
// Postcondition: false: Error in IP |
|
331 |
// true: IP is correct |
|
332 |
// Requires: String |
|
333 |
// Date: 10-sep-2002 |
|
334 |
if(preg_match('!^[A-F0-9:]{1,39}$!i', $ip) == true) |
|
335 |
{ |
|
336 |
// Not 3 ":" or more. |
|
337 |
$p = explode(':::', $ip); |
|
338 |
if(sizeof($p) > 1) |
|
339 |
{ |
|
340 |
return false; |
|
341 |
} |
|
342 |
// Find if there is only one occurence of "::". |
|
343 |
$p = explode('::', $ip); |
|
344 |
if(sizeof($p) > 2) |
|
345 |
{ |
|
346 |
return false; |
|
347 |
} |
|
348 |
// Not more than 8 octects |
|
349 |
$p = explode(':', $ip); |
|
350 |
|
|
351 |
if(sizeof($p) > 8) |
|
352 |
{ |
|
353 |
return false; |
|
354 |
} |
|
355 |
|
|
356 |
// Check octet length |
|
357 |
foreach($p as $checkPart) |
|
358 |
{ |
|
359 |
if(strlen($checkPart) > 4) |
|
360 |
{ |
|
361 |
return false; |
|
362 |
} |
|
363 |
} |
|
364 |
return true; |
|
365 |
} |
|
366 |
return false; |
|
367 |
} |
|
368 |
|
|
369 |
|
|
370 |
/* |
|
371 |
* FANCY RECORD. |
|
372 |
* Validates if the fancy record mboxfw is an actual email address. |
|
373 |
*/ |
|
374 |
function is_valid_mboxfw($email) |
|
375 |
{ |
|
376 |
return is_valid_email($email); |
|
377 |
} |
|
378 |
|
|
379 |
|
|
380 |
/* |
|
381 |
* Validates MX records. |
|
382 |
* an MX record cant point to a CNAME record. This has to be checked. |
|
383 |
* this function also sets a proper priority. |
|
384 |
*/ |
|
385 |
function is_valid_mx($content, &$prio) |
|
386 |
{ |
|
387 |
global $db; |
|
388 |
// See if the destination to which this MX is pointing is NOT a CNAME record. |
|
389 |
// Check inside our dns server. |
8
|
390 |
if($db->queryOne("SELECT count(id) FROM records WHERE name='$content' AND type='CNAME'") > 0) |
1
|
391 |
{ |
|
392 |
return -1; |
|
393 |
} |
|
394 |
else |
|
395 |
{ |
|
396 |
// Fix the proper priority for the record. |
|
397 |
// Bugfix, thanks Oscar :) |
|
398 |
if(!isset($prio)) |
|
399 |
{ |
|
400 |
$prio = 10; |
|
401 |
} |
|
402 |
if(!is_numeric($prio)) |
|
403 |
{ |
|
404 |
if($prio == '') |
|
405 |
{ |
|
406 |
$prio = 10; |
|
407 |
} |
|
408 |
else |
|
409 |
{ |
|
410 |
return -2; |
|
411 |
} |
|
412 |
} |
|
413 |
} |
|
414 |
return 1; |
|
415 |
} |
|
416 |
|
|
417 |
/* |
|
418 |
* Validates NS records. |
|
419 |
* an NS record cant point to a CNAME record. This has to be checked. |
|
420 |
* $hostname directive means if its a hostname or not (this to avoid that NS records get ip fields) |
|
421 |
* NS must have a hostname, it is not allowed to have an IP. |
|
422 |
*/ |
|
423 |
function is_valid_ns($content, $hostname) |
|
424 |
{ |
|
425 |
global $db; |
|
426 |
// Check if the field is a hostname, it MUST be a hostname. |
|
427 |
if(!$hostname) |
|
428 |
{ |
|
429 |
return -1; |
|
430 |
// "an IN NS field must be a hostname." |
|
431 |
} |
|
432 |
|
8
|
433 |
if($db->queryOne("SELECT count(id) FROM records WHERE name='$content' AND type='CNAME'") > 0) |
1
|
434 |
{ |
|
435 |
return -2; |
|
436 |
// "You can not point a NS record to a CNAME record. Remove/rename the CNAME record first or take another name." |
|
437 |
|
|
438 |
} |
|
439 |
return 1; |
|
440 |
} |
|
441 |
|
|
442 |
|
|
443 |
/* |
|
444 |
* Function to check the validity of SOA records. |
|
445 |
* return values: true if succesful |
|
446 |
*/ |
|
447 |
function is_valid_soa(&$content, $zoneid) |
|
448 |
{ |
|
449 |
|
|
450 |
/* |
|
451 |
* SOA (start of authority) |
|
452 |
* there is only _ONE_ SOA record allowed in every zone. |
|
453 |
* Validate SOA record |
|
454 |
* The Start of Authority record is one of the most complex available. It specifies a lot |
|
455 |
* about a domain: the name of the master nameserver ('the primary'), the hostmaster and |
|
456 |
* a set of numbers indicating how the data in this domain expires and how often it needs |
|
457 |
* to be checked. Further more, it contains a serial number which should rise on each change |
|
458 |
* of the domain. |
|
459 |
2002120902 28800 7200 604800 10800 |
|
460 |
* The stored format is: primary hostmaster serial refresh retry expire default_ttl |
|
461 |
* From the powerdns documentation. |
|
462 |
*/ |
|
463 |
|
|
464 |
|
|
465 |
// Check if there already is an occurence of a SOA, if so see if its not the one we are currently changing |
|
466 |
$return = get_records_by_type_from_domid("SOA", $zoneid); |
|
467 |
if($return->numRows() > 1) |
|
468 |
{ |
|
469 |
return -1; |
|
470 |
} |
|
471 |
|
|
472 |
|
|
473 |
$soacontent = explode(" ", $content); |
|
474 |
// Field is at least one otherwise it wouldnt even get here. |
|
475 |
if(is_valid_hostname($soacontent[0])) |
|
476 |
{ |
|
477 |
$totalsoa = $soacontent[0]; |
|
478 |
// It doesnt matter what field 2 contains, but lets check if its there |
|
479 |
// We assume the 2nd field wont have numbers, otherwise its a TTL field |
|
480 |
if(count($soacontent) > 1) |
|
481 |
{ |
|
482 |
if(is_numeric($soacontent[1])) |
|
483 |
{ |
|
484 |
// its a TTL field, or at least not hostmaster or alike |
|
485 |
// Set final string to the default hostmaster addy |
|
486 |
global $HOSTMASTER; |
|
487 |
$totalsoa .= " ". $HOSTMASTER; |
|
488 |
} |
|
489 |
else |
|
490 |
{ |
|
491 |
$totalsoa .= " ".$soacontent[1]; |
|
492 |
} |
|
493 |
// For loop to iterate over the numbers |
|
494 |
$imax = count($soacontent); |
|
495 |
for($i = 2; ($i < $imax) && ($i < 7); $i++) |
|
496 |
{ |
|
497 |
if(!is_numeric($soacontent[$i])) |
|
498 |
{ |
|
499 |
return -2; |
|
500 |
} |
|
501 |
else |
|
502 |
{ |
|
503 |
$totalsoa .= " ".$soacontent[$i]; |
|
504 |
} |
|
505 |
} |
|
506 |
if($i > 7) |
|
507 |
{ |
|
508 |
error(ERR_DNS_SOA_NUMERIC_FIELDS); |
|
509 |
} |
|
510 |
} |
|
511 |
} |
|
512 |
else |
|
513 |
{ |
|
514 |
error(ERR_DNS_SOA_HOSTNAME); |
|
515 |
} |
|
516 |
$content = $totalsoa; |
|
517 |
return 1; |
|
518 |
} |
|
519 |
|
|
520 |
|
|
521 |
function is_valid_url($url) |
|
522 |
{ |
|
523 |
return preg_match('!^(http://)(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+([//]([0-9a-z//~#%&\'_\-+=:?.]*))?$!i', $url); |
|
524 |
} |
|
525 |
|
|
526 |
/**************************************** |
|
527 |
* * |
|
528 |
* END OF RECORD VALIDATING PART. * |
|
529 |
* * |
|
530 |
***************************************/ |
|
531 |
?> |