1
+ − 1
<?
+ − 2
47
+ − 3
/* PowerAdmin, a friendly web-based admin tool for PowerDNS.
+ − 4
* See <https://rejo.zenger.nl/poweradmin> for more details.
+ − 5
*
+ − 6
* Copyright 2007, 2008 Rejo Zenger <rejo@zenger.nl>
+ − 7
*
+ − 8
* This program is free software: you can redistribute it and/or modify
+ − 9
* it under the terms of the GNU General Public License as published by
+ − 10
* the Free Software Foundation, either version 3 of the License, or
+ − 11
* (at your option) any later version.
+ − 12
*
+ − 13
* This program is distributed in the hope that it will be useful,
+ − 14
* but WITHOUT ANY WARRANTY; without even the implied warranty of
+ − 15
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ − 16
* GNU General Public License for more details.
+ − 17
*
+ − 18
* You should have received a copy of the GNU General Public License
+ − 19
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ − 20
*/
+ − 21
1
+ − 22
/*
+ − 23
* Validates an IPv4 IP.
+ − 24
* returns true if valid.
+ − 25
*/
16
+ − 26
function validate_input ( $zoneid , $type , & $content , & $name , & $prio , & $ttl )
1
+ − 27
{
+ − 28
global $db ;
+ − 29
+ − 30
// Has to validate content first then it can do the rest
+ − 31
// Since if content is invalid already it can aswell be just removed
+ − 32
// Check first if content is IPv4, IPv6 or Hostname
+ − 33
// We accomplish this by just running all tests over it
+ − 34
// We start with IPv6 since its not able to have these ip's in domains.
+ − 35
//
+ − 36
// <TODO>
+ − 37
// The nocheck has to move to the configuration file
+ − 38
// </TODO>
+ − 39
//
+ − 40
$domain = get_domain_name_from_id ( $zoneid );
+ − 41
$nocheck = array ( 'SOA' , 'HINFO' , 'NAPTR' , 'URL' , 'MBOXFW' , 'TXT' );
+ − 42
$hostname = false ;
+ − 43
$ip4 = false ;
+ − 44
$ip6 = false ;
+ − 45
+ − 46
if ( ! in_array ( strtoupper ( $type ), $nocheck ))
+ − 47
{
+ − 48
+ − 49
if ( ! is_valid_ip6 ( $content ))
+ − 50
{
+ − 51
if ( ! is_valid_ip ( $content ))
+ − 52
{
+ − 53
if ( ! is_valid_hostname ( $content ))
+ − 54
{
+ − 55
error ( ERR_DNS_CONTENT );
+ − 56
}
+ − 57
else
+ − 58
{
+ − 59
$hostname = true ;
+ − 60
}
+ − 61
}
+ − 62
else
+ − 63
{
+ − 64
$ip4 = true ;
+ − 65
}
+ − 66
}
+ − 67
else
+ − 68
{
+ − 69
$ip6 = true ;
+ − 70
}
+ − 71
}
+ − 72
+ − 73
// Prepare total hostname.
+ − 74
+ − 75
if ( $name == '*' )
+ − 76
{
+ − 77
$wildcard = true ;
+ − 78
}
+ − 79
+ − 80
if ( $name == "0" ) {
+ − 81
$name = $name . "." . $domain ;
+ − 82
} else {
+ − 83
$name = ( $name ) ? $name . "." . $domain : $domain ;
+ − 84
}
+ − 85
+ − 86
if ( preg_match ( '!@\.!i' , $name ))
+ − 87
{
+ − 88
$name = str_replace ( '@.' , '@' , $name );
+ − 89
}
+ − 90
+ − 91
if ( ! $wildcard )
+ − 92
{
+ − 93
if ( ! is_valid_hostname ( $name ))
+ − 94
{
+ − 95
error ( ERR_DNS_HOSTNAME );
+ − 96
}
+ − 97
}
+ − 98
+ − 99
// Check record type (if it exists in our allowed list.
+ − 100
if ( ! in_array ( strtoupper ( $type ), get_record_types ()))
+ − 101
{
+ − 102
error ( ERR_DNS_RECORDTYPE );
+ − 103
}
+ − 104
+ − 105
// Start handling the demands for the functions.
+ − 106
// Validation for IN A records. Can only have an IP. Nothing else.
+ − 107
if ( $type == 'A' && ! $ip4 )
+ − 108
{
+ − 109
error ( ERR_DNS_IPV4 );
+ − 110
}
+ − 111
+ − 112
if ( $type == 'AAAA' && ! $ip6 )
+ − 113
{
+ − 114
error ( ERR_DNS_IPV6 );
+ − 115
}
+ − 116
+ − 117
if ( $type == 'CNAME' && $hostname )
+ − 118
{
+ − 119
if ( ! is_valid_cname ( $name ))
+ − 120
{
+ − 121
error ( ERR_DNS_CNAME );
+ − 122
}
+ − 123
}
+ − 124
+ − 125
if ( $type == 'NS' )
+ − 126
{
+ − 127
$status = is_valid_ns ( $content , $hostname );
+ − 128
if ( $status == - 1 )
+ − 129
{
+ − 130
error ( ERR_DNS_NS_HNAME );
+ − 131
}
+ − 132
elseif ( $status == - 2 )
+ − 133
{
+ − 134
error ( ERR_DNS_NS_CNAME );
+ − 135
}
+ − 136
// Otherwise its ok
+ − 137
}
+ − 138
+ − 139
if ( $type == 'SOA' )
+ − 140
{
+ − 141
$status = is_valid_soa ( $content , $zoneid );
+ − 142
if ( $status == - 1 )
+ − 143
{
+ − 144
error ( ERR_DNS_SOA_UNIQUE );
+ − 145
// Make nicer error
+ − 146
}
+ − 147
elseif ( $status == - 2 )
+ − 148
{
+ − 149
error ( ERR_DNS_SOA_NUMERIC );
+ − 150
}
+ − 151
}
+ − 152
+ − 153
// HINFO and TXT require no validation.
+ − 154
+ − 155
if ( $type == 'URL' )
+ − 156
{
+ − 157
if ( ! is_valid_url ( $content ))
+ − 158
{
+ − 159
error ( ERR_INV_URL );
+ − 160
}
+ − 161
}
+ − 162
if ( $type == 'MBOXFW' )
+ − 163
{
+ − 164
if ( ! is_valid_mboxfw ( $content ))
+ − 165
{
+ − 166
error ( ERR_INV_EMAIL );
+ − 167
}
+ − 168
}
+ − 169
+ − 170
// NAPTR has to be done.
+ − 171
// Do we want that?
+ − 172
// http://www.ietf.org/rfc/rfc2915.txt
+ − 173
// http://www.zvon.org/tmRFC/RFC2915/Output/chapter2.html
+ − 174
// http://www.zvon.org/tmRFC/RFC3403/Output/chapter4.html
+ − 175
+ − 176
// See if the prio field is valid and if we have one.
+ − 177
// If we dont have one and the type is MX record, give it value '10'
+ − 178
if ( $type == 'NAPTR' )
+ − 179
{
+ − 180
+ − 181
}
+ − 182
+ − 183
if ( $type == 'MX' )
+ − 184
{
+ − 185
if ( $hostname )
+ − 186
{
+ − 187
$status = is_valid_mx ( $content , $prio );
+ − 188
if ( $status == - 1 )
+ − 189
{
+ − 190
error ( ERR_DNS_MX_CNAME );
+ − 191
}
+ − 192
elseif ( $status == - 2 )
+ − 193
{
+ − 194
error ( ERR_DNS_MX_PRIO );
+ − 195
}
+ − 196
}
+ − 197
else
+ − 198
{
6
+ − 199
error ( _ ( 'If you specify an MX record it must be a hostname.' ) );
1
+ − 200
}
+ − 201
}
+ − 202
else
+ − 203
{
55
+ − 204
$prio = 0 ;
1
+ − 205
}
+ − 206
// Validate the TTL, it has to be numeric.
+ − 207
$ttl = ( ! isset ( $ttl ) || ! is_numeric ( $ttl )) ? $DEFAULT_TTL : $ttl ;
+ − 208
}
+ − 209
+ − 210
+ − 211
+ − 212
/****************************************
+ − 213
* *
+ − 214
* RECORD VALIDATING PART. *
+ − 215
* CHANGES HERE SHOULD BE CONSIDERED *
+ − 216
* THEY REQUIRE KNOWLEDGE ABOUT THE *
+ − 217
* DNS SPECIFICATIONS *
+ − 218
* *
+ − 219
***************************************/
+ − 220
+ − 221
+ − 222
/*
+ − 223
* Validatis a CNAME record by the name it will have and its destination
+ − 224
*
+ − 225
*/
+ − 226
function is_valid_cname ( $dest )
+ − 227
{
+ − 228
/*
+ − 229
* This is really EVIL.
+ − 230
* If the new record (a CNAME) record is being pointed to by a MX record or NS record we have to bork.
+ − 231
* this is the idea.
+ − 232
*
+ − 233
* MX record: blaat.nl MX mail.blaat.nl
+ − 234
* Now we look what mail.blaat.nl is
+ − 235
* We discover the following:
+ − 236
* mail.blaat.nl CNAME bork.blaat.nl
+ − 237
* This is NOT allowed! mail.onthanet.nl can not be a CNAME!
+ − 238
* The same goes for NS. mail.blaat.nl must have a normal IN A record.
+ − 239
* It MAY point to a CNAME record but its not wished. Lets not support it.
+ − 240
*/
+ − 241
+ − 242
global $db ;
+ − 243
+ − 244
// Check if there are other records with this information of the following types.
+ − 245
// P.S. we might add CNAME to block CNAME recursion and chains.
+ − 246
$blockedtypes = " AND (type='MX' OR type='NS')" ;
+ − 247
65
+ − 248
$cnamec = "SELECT type, content FROM records WHERE content=" . $db -> quote ( $dest ) . $blockedtypes ;
1
+ − 249
$result = $db -> query ( $cnamec );
+ − 250
+ − 251
if ( $result -> numRows () > 0 )
+ − 252
{
+ − 253
return false ;
+ − 254
// Lets inform the user he is doing something EVIL.
+ − 255
// Ok we found a record that has our content field in their content field.
+ − 256
}
+ − 257
return true ;
+ − 258
}
+ − 259
+ − 260
+ − 261
/*
+ − 262
* Checks if something is a valid domain.
+ − 263
* Checks for domainname with the allowed characters <a,b,...z,A,B,...Z> and - and _.
+ − 264
* This part must be followed by a 2 to 4 character TLD.
+ − 265
*/
+ − 266
function is_valid_domain ( $domain )
+ − 267
{
+ − 268
if (( eregi ( "^[0-9a-z]([-.]?[0-9a-z])* \\ .[a-z]{2,4}$" , $domain )) && ( strlen ( $domain ) <= 128 ))
+ − 269
{
+ − 270
return true ;
+ − 271
}
+ − 272
return false ;
+ − 273
}
+ − 274
+ − 275
+ − 276
/*
+ − 277
* Validates if given hostname is allowed.
+ − 278
* returns true if allowed.
+ − 279
*/
+ − 280
function is_valid_hostname ( $host )
+ − 281
{
+ − 282
if ( count ( explode ( "." , $host )) == 1 )
+ − 283
{
+ − 284
return false ;
+ − 285
}
+ − 286
+ − 287
// Its not perfect (in_addr.int is allowed) but works for now.
+ − 288
+ − 289
if ( preg_match ( '!(ip6|in-addr).(arpa|int)$!i' , $host ))
+ − 290
{
+ − 291
if ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host ))
+ − 292
{
+ − 293
return true ;
+ − 294
}
+ − 295
return false ;
+ − 296
}
+ − 297
+ − 298
// Validate further.
+ − 299
return ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host )) ? true : false ;
+ − 300
}
+ − 301
+ − 302
+ − 303
/*
+ − 304
* Validates an IPv4 IP.
+ − 305
* returns true if valid.
+ − 306
*/
+ − 307
function is_valid_ip ( $ip )
+ − 308
{
+ − 309
// Stop reading at this point. Scroll down to the next function...
+ − 310
// Ok... you didn't stop reading... now you have to rewrite the whole function! enjoy ;-)
+ − 311
// Trance unborked it. Twice even!
+ − 312
return ( $ip == long2ip ( ip2long ( $ip ))) ? true : false ;
+ − 313
+ − 314
}
+ − 315
+ − 316
+ − 317
/*
+ − 318
* Validates an IPv6 IP.
+ − 319
* returns true if valid.
+ − 320
*/
+ − 321
function is_valid_ip6 ( $ip )
+ − 322
{
+ − 323
// Validates if the given IP is truly an IPv6 address.
+ − 324
// Precondition: have a string
+ − 325
// Postcondition: false: Error in IP
+ − 326
// true: IP is correct
+ − 327
// Requires: String
+ − 328
// Date: 10-sep-2002
+ − 329
if ( preg_match ( '!^[A-F0-9:]{1,39}$!i' , $ip ) == true )
+ − 330
{
+ − 331
// Not 3 ":" or more.
+ − 332
$p = explode ( ':::' , $ip );
+ − 333
if ( sizeof ( $p ) > 1 )
+ − 334
{
+ − 335
return false ;
+ − 336
}
+ − 337
// Find if there is only one occurence of "::".
+ − 338
$p = explode ( '::' , $ip );
+ − 339
if ( sizeof ( $p ) > 2 )
+ − 340
{
+ − 341
return false ;
+ − 342
}
+ − 343
// Not more than 8 octects
+ − 344
$p = explode ( ':' , $ip );
+ − 345
+ − 346
if ( sizeof ( $p ) > 8 )
+ − 347
{
+ − 348
return false ;
+ − 349
}
+ − 350
+ − 351
// Check octet length
+ − 352
foreach ( $p as $checkPart )
+ − 353
{
+ − 354
if ( strlen ( $checkPart ) > 4 )
+ − 355
{
+ − 356
return false ;
+ − 357
}
+ − 358
}
+ − 359
return true ;
+ − 360
}
+ − 361
return false ;
+ − 362
}
+ − 363
+ − 364
+ − 365
/*
+ − 366
* FANCY RECORD.
+ − 367
* Validates if the fancy record mboxfw is an actual email address.
+ − 368
*/
+ − 369
function is_valid_mboxfw ( $email )
+ − 370
{
+ − 371
return is_valid_email ( $email );
+ − 372
}
+ − 373
+ − 374
+ − 375
/*
+ − 376
* Validates MX records.
+ − 377
* an MX record cant point to a CNAME record. This has to be checked.
+ − 378
* this function also sets a proper priority.
+ − 379
*/
+ − 380
function is_valid_mx ( $content , & $prio )
+ − 381
{
+ − 382
global $db ;
+ − 383
// See if the destination to which this MX is pointing is NOT a CNAME record.
+ − 384
// Check inside our dns server.
65
+ − 385
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=" . $db -> quote ( $content ) . " AND type='CNAME'" ) > 0 )
1
+ − 386
{
+ − 387
return - 1 ;
+ − 388
}
+ − 389
else
+ − 390
{
+ − 391
// Fix the proper priority for the record.
+ − 392
// Bugfix, thanks Oscar :)
+ − 393
if ( ! isset ( $prio ))
+ − 394
{
+ − 395
$prio = 10 ;
+ − 396
}
+ − 397
if ( ! is_numeric ( $prio ))
+ − 398
{
+ − 399
if ( $prio == '' )
+ − 400
{
+ − 401
$prio = 10 ;
+ − 402
}
+ − 403
else
+ − 404
{
+ − 405
return - 2 ;
+ − 406
}
+ − 407
}
+ − 408
}
+ − 409
return 1 ;
+ − 410
}
+ − 411
+ − 412
/*
+ − 413
* Validates NS records.
+ − 414
* an NS record cant point to a CNAME record. This has to be checked.
+ − 415
* $hostname directive means if its a hostname or not (this to avoid that NS records get ip fields)
+ − 416
* NS must have a hostname, it is not allowed to have an IP.
+ − 417
*/
+ − 418
function is_valid_ns ( $content , $hostname )
+ − 419
{
+ − 420
global $db ;
+ − 421
// Check if the field is a hostname, it MUST be a hostname.
+ − 422
if ( ! $hostname )
+ − 423
{
+ − 424
return - 1 ;
+ − 425
// "an IN NS field must be a hostname."
+ − 426
}
+ − 427
65
+ − 428
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=" . $db -> quote ( $content ) . " AND type='CNAME'" ) > 0 )
1
+ − 429
{
+ − 430
return - 2 ;
+ − 431
// "You can not point a NS record to a CNAME record. Remove/rename the CNAME record first or take another name."
+ − 432
+ − 433
}
+ − 434
return 1 ;
+ − 435
}
+ − 436
+ − 437
+ − 438
/*
+ − 439
* Function to check the validity of SOA records.
+ − 440
* return values: true if succesful
+ − 441
*/
+ − 442
function is_valid_soa ( & $content , $zoneid )
+ − 443
{
+ − 444
+ − 445
/*
+ − 446
* SOA (start of authority)
+ − 447
* there is only _ONE_ SOA record allowed in every zone.
+ − 448
* Validate SOA record
+ − 449
* The Start of Authority record is one of the most complex available. It specifies a lot
+ − 450
* about a domain: the name of the master nameserver ('the primary'), the hostmaster and
+ − 451
* a set of numbers indicating how the data in this domain expires and how often it needs
+ − 452
* to be checked. Further more, it contains a serial number which should rise on each change
+ − 453
* of the domain.
+ − 454
2002120902 28800 7200 604800 10800
+ − 455
* The stored format is: primary hostmaster serial refresh retry expire default_ttl
+ − 456
* From the powerdns documentation.
+ − 457
*/
+ − 458
+ − 459
+ − 460
// Check if there already is an occurence of a SOA, if so see if its not the one we are currently changing
+ − 461
$return = get_records_by_type_from_domid ( "SOA" , $zoneid );
+ − 462
if ( $return -> numRows () > 1 )
+ − 463
{
+ − 464
return - 1 ;
+ − 465
}
+ − 466
+ − 467
+ − 468
$soacontent = explode ( " " , $content );
+ − 469
// Field is at least one otherwise it wouldnt even get here.
+ − 470
if ( is_valid_hostname ( $soacontent [ 0 ]))
+ − 471
{
+ − 472
$totalsoa = $soacontent [ 0 ];
+ − 473
// It doesnt matter what field 2 contains, but lets check if its there
+ − 474
// We assume the 2nd field wont have numbers, otherwise its a TTL field
+ − 475
if ( count ( $soacontent ) > 1 )
+ − 476
{
+ − 477
if ( is_numeric ( $soacontent [ 1 ]))
+ − 478
{
+ − 479
// its a TTL field, or at least not hostmaster or alike
+ − 480
// Set final string to the default hostmaster addy
+ − 481
global $HOSTMASTER ;
+ − 482
$totalsoa .= " " . $HOSTMASTER ;
+ − 483
}
+ − 484
else
+ − 485
{
+ − 486
$totalsoa .= " " . $soacontent [ 1 ];
+ − 487
}
+ − 488
// For loop to iterate over the numbers
+ − 489
$imax = count ( $soacontent );
+ − 490
for ( $i = 2 ; ( $i < $imax ) && ( $i < 7 ); $i ++ )
+ − 491
{
+ − 492
if ( ! is_numeric ( $soacontent [ $i ]))
+ − 493
{
+ − 494
return - 2 ;
+ − 495
}
+ − 496
else
+ − 497
{
+ − 498
$totalsoa .= " " . $soacontent [ $i ];
+ − 499
}
+ − 500
}
+ − 501
if ( $i > 7 )
+ − 502
{
+ − 503
error ( ERR_DNS_SOA_NUMERIC_FIELDS );
+ − 504
}
+ − 505
}
+ − 506
}
+ − 507
else
+ − 508
{
+ − 509
error ( ERR_DNS_SOA_HOSTNAME );
+ − 510
}
+ − 511
$content = $totalsoa ;
+ − 512
return 1 ;
+ − 513
}
+ − 514
+ − 515
+ − 516
function is_valid_url ( $url )
+ − 517
{
+ − 518
return preg_match ( '!^(http://)(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+([//]([0-9a-z//~#%&\'_\-+=:?.]*))?$!i' , $url );
+ − 519
}
+ − 520
62
+ − 521
function is_valid_search ( $holygrail )
+ − 522
{
+ − 523
// Only allow for alphanumeric, numeric, dot, dash, underscore and
+ − 524
// percent in search string. The last two are wildcards for SQL.
+ − 525
// Needs extension probably for more usual record types.
+ − 526
+ − 527
return preg_match ( '/^[a-z0-9.\-%_]+$/i' , $holygrail );
+ − 528
}
+ − 529
+ − 530
1
+ − 531
?>