1
+ − 1
<?
+ − 2
+ − 3
/*
+ − 4
* Validates an IPv4 IP.
+ − 5
* returns true if valid.
+ − 6
*/
16
+ − 7
function validate_input ( $zoneid , $type , & $content , & $name , & $prio , & $ttl )
1
+ − 8
{
+ − 9
global $db ;
+ − 10
+ − 11
// Has to validate content first then it can do the rest
+ − 12
// Since if content is invalid already it can aswell be just removed
+ − 13
// Check first if content is IPv4, IPv6 or Hostname
+ − 14
// We accomplish this by just running all tests over it
+ − 15
// We start with IPv6 since its not able to have these ip's in domains.
+ − 16
//
+ − 17
// <TODO>
+ − 18
// The nocheck has to move to the configuration file
+ − 19
// </TODO>
+ − 20
//
+ − 21
$domain = get_domain_name_from_id ( $zoneid );
+ − 22
$nocheck = array ( 'SOA' , 'HINFO' , 'NAPTR' , 'URL' , 'MBOXFW' , 'TXT' );
+ − 23
$hostname = false ;
+ − 24
$ip4 = false ;
+ − 25
$ip6 = false ;
+ − 26
+ − 27
if ( ! in_array ( strtoupper ( $type ), $nocheck ))
+ − 28
{
+ − 29
+ − 30
if ( ! is_valid_ip6 ( $content ))
+ − 31
{
+ − 32
if ( ! is_valid_ip ( $content ))
+ − 33
{
+ − 34
if ( ! is_valid_hostname ( $content ))
+ − 35
{
+ − 36
error ( ERR_DNS_CONTENT );
+ − 37
}
+ − 38
else
+ − 39
{
+ − 40
$hostname = true ;
+ − 41
}
+ − 42
}
+ − 43
else
+ − 44
{
+ − 45
$ip4 = true ;
+ − 46
}
+ − 47
}
+ − 48
else
+ − 49
{
+ − 50
$ip6 = true ;
+ − 51
}
+ − 52
}
+ − 53
+ − 54
// Prepare total hostname.
+ − 55
+ − 56
if ( $name == '*' )
+ − 57
{
+ − 58
$wildcard = true ;
+ − 59
}
+ − 60
+ − 61
if ( $name == "0" ) {
+ − 62
$name = $name . "." . $domain ;
+ − 63
} else {
+ − 64
$name = ( $name ) ? $name . "." . $domain : $domain ;
+ − 65
}
+ − 66
+ − 67
if ( preg_match ( '!@\.!i' , $name ))
+ − 68
{
+ − 69
$name = str_replace ( '@.' , '@' , $name );
+ − 70
}
+ − 71
+ − 72
if ( ! $wildcard )
+ − 73
{
+ − 74
if ( ! is_valid_hostname ( $name ))
+ − 75
{
+ − 76
error ( ERR_DNS_HOSTNAME );
+ − 77
}
+ − 78
}
+ − 79
+ − 80
// Check record type (if it exists in our allowed list.
+ − 81
if ( ! in_array ( strtoupper ( $type ), get_record_types ()))
+ − 82
{
+ − 83
error ( ERR_DNS_RECORDTYPE );
+ − 84
}
+ − 85
+ − 86
// Start handling the demands for the functions.
+ − 87
// Validation for IN A records. Can only have an IP. Nothing else.
+ − 88
if ( $type == 'A' && ! $ip4 )
+ − 89
{
+ − 90
error ( ERR_DNS_IPV4 );
+ − 91
}
+ − 92
+ − 93
if ( $type == 'AAAA' && ! $ip6 )
+ − 94
{
+ − 95
error ( ERR_DNS_IPV6 );
+ − 96
}
+ − 97
+ − 98
if ( $type == 'CNAME' && $hostname )
+ − 99
{
+ − 100
if ( ! is_valid_cname ( $name ))
+ − 101
{
+ − 102
error ( ERR_DNS_CNAME );
+ − 103
}
+ − 104
}
+ − 105
+ − 106
if ( $type == 'NS' )
+ − 107
{
+ − 108
$status = is_valid_ns ( $content , $hostname );
+ − 109
if ( $status == - 1 )
+ − 110
{
+ − 111
error ( ERR_DNS_NS_HNAME );
+ − 112
}
+ − 113
elseif ( $status == - 2 )
+ − 114
{
+ − 115
error ( ERR_DNS_NS_CNAME );
+ − 116
}
+ − 117
// Otherwise its ok
+ − 118
}
+ − 119
+ − 120
if ( $type == 'SOA' )
+ − 121
{
+ − 122
$status = is_valid_soa ( $content , $zoneid );
+ − 123
if ( $status == - 1 )
+ − 124
{
+ − 125
error ( ERR_DNS_SOA_UNIQUE );
+ − 126
// Make nicer error
+ − 127
}
+ − 128
elseif ( $status == - 2 )
+ − 129
{
+ − 130
error ( ERR_DNS_SOA_NUMERIC );
+ − 131
}
+ − 132
}
+ − 133
+ − 134
// HINFO and TXT require no validation.
+ − 135
+ − 136
if ( $type == 'URL' )
+ − 137
{
+ − 138
if ( ! is_valid_url ( $content ))
+ − 139
{
+ − 140
error ( ERR_INV_URL );
+ − 141
}
+ − 142
}
+ − 143
if ( $type == 'MBOXFW' )
+ − 144
{
+ − 145
if ( ! is_valid_mboxfw ( $content ))
+ − 146
{
+ − 147
error ( ERR_INV_EMAIL );
+ − 148
}
+ − 149
}
+ − 150
+ − 151
// NAPTR has to be done.
+ − 152
// Do we want that?
+ − 153
// http://www.ietf.org/rfc/rfc2915.txt
+ − 154
// http://www.zvon.org/tmRFC/RFC2915/Output/chapter2.html
+ − 155
// http://www.zvon.org/tmRFC/RFC3403/Output/chapter4.html
+ − 156
+ − 157
// See if the prio field is valid and if we have one.
+ − 158
// If we dont have one and the type is MX record, give it value '10'
+ − 159
if ( $type == 'NAPTR' )
+ − 160
{
+ − 161
+ − 162
}
+ − 163
+ − 164
if ( $type == 'MX' )
+ − 165
{
+ − 166
if ( $hostname )
+ − 167
{
+ − 168
$status = is_valid_mx ( $content , $prio );
+ − 169
if ( $status == - 1 )
+ − 170
{
+ − 171
error ( ERR_DNS_MX_CNAME );
+ − 172
}
+ − 173
elseif ( $status == - 2 )
+ − 174
{
+ − 175
error ( ERR_DNS_MX_PRIO );
+ − 176
}
+ − 177
}
+ − 178
else
+ − 179
{
6
+ − 180
error ( _ ( 'If you specify an MX record it must be a hostname.' ) );
1
+ − 181
}
+ − 182
}
+ − 183
else
+ − 184
{
+ − 185
$prio = '' ;
+ − 186
}
+ − 187
// Validate the TTL, it has to be numeric.
+ − 188
$ttl = ( ! isset ( $ttl ) || ! is_numeric ( $ttl )) ? $DEFAULT_TTL : $ttl ;
+ − 189
}
+ − 190
+ − 191
+ − 192
+ − 193
/****************************************
+ − 194
* *
+ − 195
* RECORD VALIDATING PART. *
+ − 196
* CHANGES HERE SHOULD BE CONSIDERED *
+ − 197
* THEY REQUIRE KNOWLEDGE ABOUT THE *
+ − 198
* DNS SPECIFICATIONS *
+ − 199
* *
+ − 200
***************************************/
+ − 201
+ − 202
+ − 203
/*
+ − 204
* Validatis a CNAME record by the name it will have and its destination
+ − 205
*
+ − 206
*/
+ − 207
function is_valid_cname ( $dest )
+ − 208
{
+ − 209
/*
+ − 210
* This is really EVIL.
+ − 211
* If the new record (a CNAME) record is being pointed to by a MX record or NS record we have to bork.
+ − 212
* this is the idea.
+ − 213
*
+ − 214
* MX record: blaat.nl MX mail.blaat.nl
+ − 215
* Now we look what mail.blaat.nl is
+ − 216
* We discover the following:
+ − 217
* mail.blaat.nl CNAME bork.blaat.nl
+ − 218
* This is NOT allowed! mail.onthanet.nl can not be a CNAME!
+ − 219
* The same goes for NS. mail.blaat.nl must have a normal IN A record.
+ − 220
* It MAY point to a CNAME record but its not wished. Lets not support it.
+ − 221
*/
+ − 222
+ − 223
global $db ;
+ − 224
+ − 225
// Check if there are other records with this information of the following types.
+ − 226
// P.S. we might add CNAME to block CNAME recursion and chains.
+ − 227
$blockedtypes = " AND (type='MX' OR type='NS')" ;
+ − 228
+ − 229
$cnamec = "SELECT type, content FROM records WHERE content=' $dest '" . $blockedtypes ;
+ − 230
$result = $db -> query ( $cnamec );
+ − 231
+ − 232
if ( $result -> numRows () > 0 )
+ − 233
{
+ − 234
return false ;
+ − 235
// Lets inform the user he is doing something EVIL.
+ − 236
// Ok we found a record that has our content field in their content field.
+ − 237
}
+ − 238
return true ;
+ − 239
}
+ − 240
+ − 241
+ − 242
/*
+ − 243
* Checks if something is a valid domain.
+ − 244
* Checks for domainname with the allowed characters <a,b,...z,A,B,...Z> and - and _.
+ − 245
* This part must be followed by a 2 to 4 character TLD.
+ − 246
*/
+ − 247
function is_valid_domain ( $domain )
+ − 248
{
+ − 249
if (( eregi ( "^[0-9a-z]([-.]?[0-9a-z])* \\ .[a-z]{2,4}$" , $domain )) && ( strlen ( $domain ) <= 128 ))
+ − 250
{
+ − 251
return true ;
+ − 252
}
+ − 253
return false ;
+ − 254
}
+ − 255
+ − 256
+ − 257
/*
+ − 258
* Validates if given hostname is allowed.
+ − 259
* returns true if allowed.
+ − 260
*/
+ − 261
function is_valid_hostname ( $host )
+ − 262
{
+ − 263
if ( count ( explode ( "." , $host )) == 1 )
+ − 264
{
+ − 265
return false ;
+ − 266
}
+ − 267
+ − 268
// Its not perfect (in_addr.int is allowed) but works for now.
+ − 269
+ − 270
if ( preg_match ( '!(ip6|in-addr).(arpa|int)$!i' , $host ))
+ − 271
{
+ − 272
if ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host ))
+ − 273
{
+ − 274
return true ;
+ − 275
}
+ − 276
return false ;
+ − 277
}
+ − 278
+ − 279
// Validate further.
+ − 280
return ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host )) ? true : false ;
+ − 281
}
+ − 282
+ − 283
+ − 284
/*
+ − 285
* Validates an IPv4 IP.
+ − 286
* returns true if valid.
+ − 287
*/
+ − 288
function is_valid_ip ( $ip )
+ − 289
{
+ − 290
// Stop reading at this point. Scroll down to the next function...
+ − 291
// Ok... you didn't stop reading... now you have to rewrite the whole function! enjoy ;-)
+ − 292
// Trance unborked it. Twice even!
+ − 293
return ( $ip == long2ip ( ip2long ( $ip ))) ? true : false ;
+ − 294
+ − 295
}
+ − 296
+ − 297
+ − 298
/*
+ − 299
* Validates an IPv6 IP.
+ − 300
* returns true if valid.
+ − 301
*/
+ − 302
function is_valid_ip6 ( $ip )
+ − 303
{
+ − 304
// Validates if the given IP is truly an IPv6 address.
+ − 305
// Precondition: have a string
+ − 306
// Postcondition: false: Error in IP
+ − 307
// true: IP is correct
+ − 308
// Requires: String
+ − 309
// Date: 10-sep-2002
+ − 310
if ( preg_match ( '!^[A-F0-9:]{1,39}$!i' , $ip ) == true )
+ − 311
{
+ − 312
// Not 3 ":" or more.
+ − 313
$p = explode ( ':::' , $ip );
+ − 314
if ( sizeof ( $p ) > 1 )
+ − 315
{
+ − 316
return false ;
+ − 317
}
+ − 318
// Find if there is only one occurence of "::".
+ − 319
$p = explode ( '::' , $ip );
+ − 320
if ( sizeof ( $p ) > 2 )
+ − 321
{
+ − 322
return false ;
+ − 323
}
+ − 324
// Not more than 8 octects
+ − 325
$p = explode ( ':' , $ip );
+ − 326
+ − 327
if ( sizeof ( $p ) > 8 )
+ − 328
{
+ − 329
return false ;
+ − 330
}
+ − 331
+ − 332
// Check octet length
+ − 333
foreach ( $p as $checkPart )
+ − 334
{
+ − 335
if ( strlen ( $checkPart ) > 4 )
+ − 336
{
+ − 337
return false ;
+ − 338
}
+ − 339
}
+ − 340
return true ;
+ − 341
}
+ − 342
return false ;
+ − 343
}
+ − 344
+ − 345
+ − 346
/*
+ − 347
* FANCY RECORD.
+ − 348
* Validates if the fancy record mboxfw is an actual email address.
+ − 349
*/
+ − 350
function is_valid_mboxfw ( $email )
+ − 351
{
+ − 352
return is_valid_email ( $email );
+ − 353
}
+ − 354
+ − 355
+ − 356
/*
+ − 357
* Validates MX records.
+ − 358
* an MX record cant point to a CNAME record. This has to be checked.
+ − 359
* this function also sets a proper priority.
+ − 360
*/
+ − 361
function is_valid_mx ( $content , & $prio )
+ − 362
{
+ − 363
global $db ;
+ − 364
// See if the destination to which this MX is pointing is NOT a CNAME record.
+ − 365
// Check inside our dns server.
8
+ − 366
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=' $content ' AND type='CNAME'" ) > 0 )
1
+ − 367
{
+ − 368
return - 1 ;
+ − 369
}
+ − 370
else
+ − 371
{
+ − 372
// Fix the proper priority for the record.
+ − 373
// Bugfix, thanks Oscar :)
+ − 374
if ( ! isset ( $prio ))
+ − 375
{
+ − 376
$prio = 10 ;
+ − 377
}
+ − 378
if ( ! is_numeric ( $prio ))
+ − 379
{
+ − 380
if ( $prio == '' )
+ − 381
{
+ − 382
$prio = 10 ;
+ − 383
}
+ − 384
else
+ − 385
{
+ − 386
return - 2 ;
+ − 387
}
+ − 388
}
+ − 389
}
+ − 390
return 1 ;
+ − 391
}
+ − 392
+ − 393
/*
+ − 394
* Validates NS records.
+ − 395
* an NS record cant point to a CNAME record. This has to be checked.
+ − 396
* $hostname directive means if its a hostname or not (this to avoid that NS records get ip fields)
+ − 397
* NS must have a hostname, it is not allowed to have an IP.
+ − 398
*/
+ − 399
function is_valid_ns ( $content , $hostname )
+ − 400
{
+ − 401
global $db ;
+ − 402
// Check if the field is a hostname, it MUST be a hostname.
+ − 403
if ( ! $hostname )
+ − 404
{
+ − 405
return - 1 ;
+ − 406
// "an IN NS field must be a hostname."
+ − 407
}
+ − 408
8
+ − 409
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=' $content ' AND type='CNAME'" ) > 0 )
1
+ − 410
{
+ − 411
return - 2 ;
+ − 412
// "You can not point a NS record to a CNAME record. Remove/rename the CNAME record first or take another name."
+ − 413
+ − 414
}
+ − 415
return 1 ;
+ − 416
}
+ − 417
+ − 418
+ − 419
/*
+ − 420
* Function to check the validity of SOA records.
+ − 421
* return values: true if succesful
+ − 422
*/
+ − 423
function is_valid_soa ( & $content , $zoneid )
+ − 424
{
+ − 425
+ − 426
/*
+ − 427
* SOA (start of authority)
+ − 428
* there is only _ONE_ SOA record allowed in every zone.
+ − 429
* Validate SOA record
+ − 430
* The Start of Authority record is one of the most complex available. It specifies a lot
+ − 431
* about a domain: the name of the master nameserver ('the primary'), the hostmaster and
+ − 432
* a set of numbers indicating how the data in this domain expires and how often it needs
+ − 433
* to be checked. Further more, it contains a serial number which should rise on each change
+ − 434
* of the domain.
+ − 435
2002120902 28800 7200 604800 10800
+ − 436
* The stored format is: primary hostmaster serial refresh retry expire default_ttl
+ − 437
* From the powerdns documentation.
+ − 438
*/
+ − 439
+ − 440
+ − 441
// Check if there already is an occurence of a SOA, if so see if its not the one we are currently changing
+ − 442
$return = get_records_by_type_from_domid ( "SOA" , $zoneid );
+ − 443
if ( $return -> numRows () > 1 )
+ − 444
{
+ − 445
return - 1 ;
+ − 446
}
+ − 447
+ − 448
+ − 449
$soacontent = explode ( " " , $content );
+ − 450
// Field is at least one otherwise it wouldnt even get here.
+ − 451
if ( is_valid_hostname ( $soacontent [ 0 ]))
+ − 452
{
+ − 453
$totalsoa = $soacontent [ 0 ];
+ − 454
// It doesnt matter what field 2 contains, but lets check if its there
+ − 455
// We assume the 2nd field wont have numbers, otherwise its a TTL field
+ − 456
if ( count ( $soacontent ) > 1 )
+ − 457
{
+ − 458
if ( is_numeric ( $soacontent [ 1 ]))
+ − 459
{
+ − 460
// its a TTL field, or at least not hostmaster or alike
+ − 461
// Set final string to the default hostmaster addy
+ − 462
global $HOSTMASTER ;
+ − 463
$totalsoa .= " " . $HOSTMASTER ;
+ − 464
}
+ − 465
else
+ − 466
{
+ − 467
$totalsoa .= " " . $soacontent [ 1 ];
+ − 468
}
+ − 469
// For loop to iterate over the numbers
+ − 470
$imax = count ( $soacontent );
+ − 471
for ( $i = 2 ; ( $i < $imax ) && ( $i < 7 ); $i ++ )
+ − 472
{
+ − 473
if ( ! is_numeric ( $soacontent [ $i ]))
+ − 474
{
+ − 475
return - 2 ;
+ − 476
}
+ − 477
else
+ − 478
{
+ − 479
$totalsoa .= " " . $soacontent [ $i ];
+ − 480
}
+ − 481
}
+ − 482
if ( $i > 7 )
+ − 483
{
+ − 484
error ( ERR_DNS_SOA_NUMERIC_FIELDS );
+ − 485
}
+ − 486
}
+ − 487
}
+ − 488
else
+ − 489
{
+ − 490
error ( ERR_DNS_SOA_HOSTNAME );
+ − 491
}
+ − 492
$content = $totalsoa ;
+ − 493
return 1 ;
+ − 494
}
+ − 495
+ − 496
+ − 497
function is_valid_url ( $url )
+ − 498
{
+ − 499
return preg_match ( '!^(http://)(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+([//]([0-9a-z//~#%&\'_\-+=:?.]*))?$!i' , $url );
+ − 500
}
+ − 501
+ − 502
/****************************************
+ − 503
* *
+ − 504
* END OF RECORD VALIDATING PART. *
+ − 505
* *
+ − 506
***************************************/
+ − 507
?>