71
+ − 1
<?php
1
+ − 2
47
+ − 3
/* PowerAdmin, a friendly web-based admin tool for PowerDNS.
+ − 4
* See <https://rejo.zenger.nl/poweradmin> for more details.
+ − 5
*
+ − 6
* Copyright 2007, 2008 Rejo Zenger <rejo@zenger.nl>
+ − 7
*
+ − 8
* This program is free software: you can redistribute it and/or modify
+ − 9
* it under the terms of the GNU General Public License as published by
+ − 10
* the Free Software Foundation, either version 3 of the License, or
+ − 11
* (at your option) any later version.
+ − 12
*
+ − 13
* This program is distributed in the hope that it will be useful,
+ − 14
* but WITHOUT ANY WARRANTY; without even the implied warranty of
+ − 15
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ − 16
* GNU General Public License for more details.
+ − 17
*
+ − 18
* You should have received a copy of the GNU General Public License
+ − 19
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ − 20
*/
+ − 21
1
+ − 22
/*
+ − 23
* Validates an IPv4 IP.
+ − 24
* returns true if valid.
+ − 25
*/
16
+ − 26
function validate_input ( $zoneid , $type , & $content , & $name , & $prio , & $ttl )
1
+ − 27
{
+ − 28
global $db ;
+ − 29
+ − 30
// Has to validate content first then it can do the rest
+ − 31
// Since if content is invalid already it can aswell be just removed
+ − 32
// Check first if content is IPv4, IPv6 or Hostname
+ − 33
// We accomplish this by just running all tests over it
+ − 34
// We start with IPv6 since its not able to have these ip's in domains.
+ − 35
//
+ − 36
// <TODO>
+ − 37
// The nocheck has to move to the configuration file
+ − 38
// </TODO>
+ − 39
//
+ − 40
$domain = get_domain_name_from_id ( $zoneid );
+ − 41
$nocheck = array ( 'SOA' , 'HINFO' , 'NAPTR' , 'URL' , 'MBOXFW' , 'TXT' );
+ − 42
$hostname = false ;
+ − 43
$ip4 = false ;
+ − 44
$ip6 = false ;
+ − 45
82
+ − 46
if ( ! in_array ( strtoupper ( $type ), $nocheck )) {
+ − 47
if ( ! is_valid_ip6 ( $content )) {
+ − 48
if ( ! is_valid_ip ( $content )) {
+ − 49
if ( ! is_valid_hostname ( $content )) {
1
+ − 50
error ( ERR_DNS_CONTENT );
82
+ − 51
return false ;
+ − 52
} else {
1
+ − 53
$hostname = true ;
+ − 54
}
82
+ − 55
} else {
1
+ − 56
$ip4 = true ;
+ − 57
}
82
+ − 58
} else {
1
+ − 59
$ip6 = true ;
+ − 60
}
+ − 61
}
+ − 62
+ − 63
// Prepare total hostname.
82
+ − 64
if ( $name == '*' ) {
1
+ − 65
$wildcard = true ;
79
+ − 66
} else {
+ − 67
$wildcard = false ;
1
+ − 68
}
+ − 69
97
+ − 70
if ( preg_match ( "/@/" , $name )) {
+ − 71
$name = $domain ;
+ − 72
} elseif ( ! ( preg_match ( "/ $domain $/i" , $name ))) {
+ − 73
+ − 74
if ( isset ( $name ) && $name != "" ) {
+ − 75
$name = $name . "." . $domain ;
+ − 76
} else {
+ − 77
$name = $domain ;
+ − 78
}
96
+ − 79
}
+ − 80
82
+ − 81
if ( ! $wildcard ) {
97
+ − 82
if ( ! is_valid_hostname ( $name )) {
1
+ − 83
error ( ERR_DNS_HOSTNAME );
82
+ − 84
return false ;
1
+ − 85
}
+ − 86
}
+ − 87
+ − 88
// Check record type (if it exists in our allowed list.
82
+ − 89
if ( ! in_array ( strtoupper ( $type ), get_record_types ())) {
1
+ − 90
error ( ERR_DNS_RECORDTYPE );
82
+ − 91
return false ;
1
+ − 92
}
+ − 93
+ − 94
// Start handling the demands for the functions.
+ − 95
// Validation for IN A records. Can only have an IP. Nothing else.
82
+ − 96
if ( $type == 'A' && ! $ip4 ) {
1
+ − 97
error ( ERR_DNS_IPV4 );
82
+ − 98
return false ;
1
+ − 99
}
+ − 100
82
+ − 101
if ( $type == 'AAAA' && ! $ip6 ) {
1
+ − 102
error ( ERR_DNS_IPV6 );
82
+ − 103
return false ;
1
+ − 104
}
+ − 105
82
+ − 106
if ( $type == 'CNAME' && $hostname ) {
+ − 107
if ( ! is_valid_cname ( $name )) {
1
+ − 108
error ( ERR_DNS_CNAME );
82
+ − 109
return false ;
1
+ − 110
}
+ − 111
}
+ − 112
82
+ − 113
if ( $type == 'NS' ) {
1
+ − 114
$status = is_valid_ns ( $content , $hostname );
82
+ − 115
if ( $status == - 1 ) {
1
+ − 116
error ( ERR_DNS_NS_HNAME );
82
+ − 117
return false ;
1
+ − 118
}
82
+ − 119
elseif ( $status == - 2 ) {
1
+ − 120
error ( ERR_DNS_NS_CNAME );
82
+ − 121
return false ;
1
+ − 122
}
+ − 123
}
+ − 124
82
+ − 125
if ( $type == 'SOA' ) {
1
+ − 126
$status = is_valid_soa ( $content , $zoneid );
82
+ − 127
if ( $status == - 1 ) {
1
+ − 128
error ( ERR_DNS_SOA_UNIQUE );
82
+ − 129
} elseif ( $status == - 2 ) {
1
+ − 130
error ( ERR_DNS_SOA_NUMERIC );
82
+ − 131
return false ;
1
+ − 132
}
+ − 133
}
+ − 134
+ − 135
// HINFO and TXT require no validation.
+ − 136
82
+ − 137
if ( $type == 'URL' ) {
+ − 138
if ( ! is_valid_url ( $content )) {
1
+ − 139
error ( ERR_INV_URL );
82
+ − 140
return false ;
1
+ − 141
}
+ − 142
}
82
+ − 143
if ( $type == 'MBOXFW' ) {
+ − 144
if ( ! is_valid_mboxfw ( $content )) {
1
+ − 145
error ( ERR_INV_EMAIL );
82
+ − 146
return false ;
1
+ − 147
}
+ − 148
}
+ − 149
+ − 150
// NAPTR has to be done.
+ − 151
// Do we want that?
+ − 152
// http://www.ietf.org/rfc/rfc2915.txt
+ − 153
// http://www.zvon.org/tmRFC/RFC2915/Output/chapter2.html
+ − 154
// http://www.zvon.org/tmRFC/RFC3403/Output/chapter4.html
+ − 155
+ − 156
// See if the prio field is valid and if we have one.
+ − 157
// If we dont have one and the type is MX record, give it value '10'
82
+ − 158
if ( $type == 'NAPTR' ) {
1
+ − 159
+ − 160
}
+ − 161
82
+ − 162
if ( $type == 'MX' ) {
+ − 163
if ( $hostname ) {
1
+ − 164
$status = is_valid_mx ( $content , $prio );
82
+ − 165
if ( $status == - 1 ) {
1
+ − 166
error ( ERR_DNS_MX_CNAME );
82
+ − 167
return false ;
1
+ − 168
}
82
+ − 169
elseif ( $status == - 2 ) {
1
+ − 170
error ( ERR_DNS_MX_PRIO );
82
+ − 171
return false ;
1
+ − 172
}
82
+ − 173
} else {
+ − 174
error ( _ ( 'If you specify an MX record it must be a hostname.' ) ); // TODO make error
+ − 175
return false ;
1
+ − 176
}
82
+ − 177
} else {
55
+ − 178
$prio = 0 ;
1
+ − 179
}
+ − 180
// Validate the TTL, it has to be numeric.
+ − 181
$ttl = ( ! isset ( $ttl ) || ! is_numeric ( $ttl )) ? $DEFAULT_TTL : $ttl ;
82
+ − 182
+ − 183
return true ;
1
+ − 184
}
+ − 185
+ − 186
+ − 187
+ − 188
/****************************************
+ − 189
* *
+ − 190
* RECORD VALIDATING PART. *
+ − 191
* CHANGES HERE SHOULD BE CONSIDERED *
+ − 192
* THEY REQUIRE KNOWLEDGE ABOUT THE *
+ − 193
* DNS SPECIFICATIONS *
+ − 194
* *
+ − 195
***************************************/
+ − 196
+ − 197
+ − 198
/*
+ − 199
* Validatis a CNAME record by the name it will have and its destination
+ − 200
*
+ − 201
*/
+ − 202
function is_valid_cname ( $dest )
+ − 203
{
+ − 204
/*
+ − 205
* This is really EVIL.
+ − 206
* If the new record (a CNAME) record is being pointed to by a MX record or NS record we have to bork.
+ − 207
* this is the idea.
+ − 208
*
+ − 209
* MX record: blaat.nl MX mail.blaat.nl
+ − 210
* Now we look what mail.blaat.nl is
+ − 211
* We discover the following:
+ − 212
* mail.blaat.nl CNAME bork.blaat.nl
+ − 213
* This is NOT allowed! mail.onthanet.nl can not be a CNAME!
+ − 214
* The same goes for NS. mail.blaat.nl must have a normal IN A record.
+ − 215
* It MAY point to a CNAME record but its not wished. Lets not support it.
+ − 216
*/
+ − 217
+ − 218
global $db ;
+ − 219
+ − 220
// Check if there are other records with this information of the following types.
+ − 221
// P.S. we might add CNAME to block CNAME recursion and chains.
+ − 222
$blockedtypes = " AND (type='MX' OR type='NS')" ;
+ − 223
65
+ − 224
$cnamec = "SELECT type, content FROM records WHERE content=" . $db -> quote ( $dest ) . $blockedtypes ;
1
+ − 225
$result = $db -> query ( $cnamec );
+ − 226
+ − 227
if ( $result -> numRows () > 0 )
+ − 228
{
+ − 229
return false ;
+ − 230
// Lets inform the user he is doing something EVIL.
+ − 231
// Ok we found a record that has our content field in their content field.
+ − 232
}
+ − 233
return true ;
+ − 234
}
+ − 235
+ − 236
+ − 237
/*
+ − 238
* Checks if something is a valid domain.
+ − 239
* Checks for domainname with the allowed characters <a,b,...z,A,B,...Z> and - and _.
+ − 240
* This part must be followed by a 2 to 4 character TLD.
+ − 241
*/
+ − 242
function is_valid_domain ( $domain )
+ − 243
{
+ − 244
if (( eregi ( "^[0-9a-z]([-.]?[0-9a-z])* \\ .[a-z]{2,4}$" , $domain )) && ( strlen ( $domain ) <= 128 ))
+ − 245
{
+ − 246
return true ;
+ − 247
}
+ − 248
return false ;
+ − 249
}
+ − 250
+ − 251
+ − 252
/*
+ − 253
* Validates if given hostname is allowed.
+ − 254
* returns true if allowed.
+ − 255
*/
+ − 256
function is_valid_hostname ( $host )
+ − 257
{
+ − 258
if ( count ( explode ( "." , $host )) == 1 )
+ − 259
{
+ − 260
return false ;
+ − 261
}
+ − 262
+ − 263
// Its not perfect (in_addr.int is allowed) but works for now.
+ − 264
+ − 265
if ( preg_match ( '!(ip6|in-addr).(arpa|int)$!i' , $host ))
+ − 266
{
+ − 267
if ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host ))
+ − 268
{
+ − 269
return true ;
+ − 270
}
+ − 271
return false ;
+ − 272
}
+ − 273
+ − 274
// Validate further.
+ − 275
return ( preg_match ( '!^(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+$!i' , $host )) ? true : false ;
+ − 276
}
+ − 277
+ − 278
+ − 279
/*
+ − 280
* Validates an IPv4 IP.
+ − 281
* returns true if valid.
+ − 282
*/
+ − 283
function is_valid_ip ( $ip )
+ − 284
{
+ − 285
// Stop reading at this point. Scroll down to the next function...
+ − 286
// Ok... you didn't stop reading... now you have to rewrite the whole function! enjoy ;-)
+ − 287
// Trance unborked it. Twice even!
+ − 288
return ( $ip == long2ip ( ip2long ( $ip ))) ? true : false ;
+ − 289
+ − 290
}
+ − 291
+ − 292
+ − 293
/*
+ − 294
* Validates an IPv6 IP.
+ − 295
* returns true if valid.
+ − 296
*/
+ − 297
function is_valid_ip6 ( $ip )
+ − 298
{
+ − 299
// Validates if the given IP is truly an IPv6 address.
+ − 300
// Precondition: have a string
+ − 301
// Postcondition: false: Error in IP
+ − 302
// true: IP is correct
+ − 303
// Requires: String
+ − 304
// Date: 10-sep-2002
+ − 305
if ( preg_match ( '!^[A-F0-9:]{1,39}$!i' , $ip ) == true )
+ − 306
{
+ − 307
// Not 3 ":" or more.
+ − 308
$p = explode ( ':::' , $ip );
+ − 309
if ( sizeof ( $p ) > 1 )
+ − 310
{
+ − 311
return false ;
+ − 312
}
+ − 313
// Find if there is only one occurence of "::".
+ − 314
$p = explode ( '::' , $ip );
+ − 315
if ( sizeof ( $p ) > 2 )
+ − 316
{
+ − 317
return false ;
+ − 318
}
+ − 319
// Not more than 8 octects
+ − 320
$p = explode ( ':' , $ip );
+ − 321
+ − 322
if ( sizeof ( $p ) > 8 )
+ − 323
{
+ − 324
return false ;
+ − 325
}
+ − 326
+ − 327
// Check octet length
+ − 328
foreach ( $p as $checkPart )
+ − 329
{
+ − 330
if ( strlen ( $checkPart ) > 4 )
+ − 331
{
+ − 332
return false ;
+ − 333
}
+ − 334
}
+ − 335
return true ;
+ − 336
}
+ − 337
return false ;
+ − 338
}
+ − 339
+ − 340
+ − 341
/*
+ − 342
* FANCY RECORD.
+ − 343
* Validates if the fancy record mboxfw is an actual email address.
+ − 344
*/
+ − 345
function is_valid_mboxfw ( $email )
+ − 346
{
+ − 347
return is_valid_email ( $email );
+ − 348
}
+ − 349
+ − 350
+ − 351
/*
+ − 352
* Validates MX records.
+ − 353
* an MX record cant point to a CNAME record. This has to be checked.
+ − 354
* this function also sets a proper priority.
+ − 355
*/
+ − 356
function is_valid_mx ( $content , & $prio )
+ − 357
{
+ − 358
global $db ;
+ − 359
// See if the destination to which this MX is pointing is NOT a CNAME record.
+ − 360
// Check inside our dns server.
65
+ − 361
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=" . $db -> quote ( $content ) . " AND type='CNAME'" ) > 0 )
1
+ − 362
{
+ − 363
return - 1 ;
+ − 364
}
+ − 365
else
+ − 366
{
+ − 367
// Fix the proper priority for the record.
+ − 368
// Bugfix, thanks Oscar :)
+ − 369
if ( ! isset ( $prio ))
+ − 370
{
+ − 371
$prio = 10 ;
+ − 372
}
+ − 373
if ( ! is_numeric ( $prio ))
+ − 374
{
+ − 375
if ( $prio == '' )
+ − 376
{
+ − 377
$prio = 10 ;
+ − 378
}
+ − 379
else
+ − 380
{
+ − 381
return - 2 ;
+ − 382
}
+ − 383
}
+ − 384
}
+ − 385
return 1 ;
+ − 386
}
+ − 387
+ − 388
/*
+ − 389
* Validates NS records.
+ − 390
* an NS record cant point to a CNAME record. This has to be checked.
+ − 391
* $hostname directive means if its a hostname or not (this to avoid that NS records get ip fields)
+ − 392
* NS must have a hostname, it is not allowed to have an IP.
+ − 393
*/
+ − 394
function is_valid_ns ( $content , $hostname )
+ − 395
{
+ − 396
global $db ;
+ − 397
// Check if the field is a hostname, it MUST be a hostname.
+ − 398
if ( ! $hostname )
+ − 399
{
+ − 400
return - 1 ;
+ − 401
// "an IN NS field must be a hostname."
+ − 402
}
+ − 403
65
+ − 404
if ( $db -> queryOne ( "SELECT count(id) FROM records WHERE name=" . $db -> quote ( $content ) . " AND type='CNAME'" ) > 0 )
1
+ − 405
{
+ − 406
return - 2 ;
+ − 407
// "You can not point a NS record to a CNAME record. Remove/rename the CNAME record first or take another name."
+ − 408
+ − 409
}
+ − 410
return 1 ;
+ − 411
}
+ − 412
+ − 413
+ − 414
/*
+ − 415
* Function to check the validity of SOA records.
+ − 416
* return values: true if succesful
+ − 417
*/
+ − 418
function is_valid_soa ( & $content , $zoneid )
+ − 419
{
+ − 420
+ − 421
/*
+ − 422
* SOA (start of authority)
+ − 423
* there is only _ONE_ SOA record allowed in every zone.
+ − 424
* Validate SOA record
+ − 425
* The Start of Authority record is one of the most complex available. It specifies a lot
+ − 426
* about a domain: the name of the master nameserver ('the primary'), the hostmaster and
+ − 427
* a set of numbers indicating how the data in this domain expires and how often it needs
+ − 428
* to be checked. Further more, it contains a serial number which should rise on each change
+ − 429
* of the domain.
+ − 430
2002120902 28800 7200 604800 10800
+ − 431
* The stored format is: primary hostmaster serial refresh retry expire default_ttl
+ − 432
* From the powerdns documentation.
+ − 433
*/
+ − 434
+ − 435
+ − 436
// Check if there already is an occurence of a SOA, if so see if its not the one we are currently changing
+ − 437
$return = get_records_by_type_from_domid ( "SOA" , $zoneid );
+ − 438
if ( $return -> numRows () > 1 )
+ − 439
{
+ − 440
return - 1 ;
+ − 441
}
+ − 442
+ − 443
+ − 444
$soacontent = explode ( " " , $content );
+ − 445
// Field is at least one otherwise it wouldnt even get here.
+ − 446
if ( is_valid_hostname ( $soacontent [ 0 ]))
+ − 447
{
+ − 448
$totalsoa = $soacontent [ 0 ];
+ − 449
// It doesnt matter what field 2 contains, but lets check if its there
+ − 450
// We assume the 2nd field wont have numbers, otherwise its a TTL field
+ − 451
if ( count ( $soacontent ) > 1 )
+ − 452
{
+ − 453
if ( is_numeric ( $soacontent [ 1 ]))
+ − 454
{
+ − 455
// its a TTL field, or at least not hostmaster or alike
+ − 456
// Set final string to the default hostmaster addy
+ − 457
global $HOSTMASTER ;
+ − 458
$totalsoa .= " " . $HOSTMASTER ;
+ − 459
}
+ − 460
else
+ − 461
{
+ − 462
$totalsoa .= " " . $soacontent [ 1 ];
+ − 463
}
+ − 464
// For loop to iterate over the numbers
+ − 465
$imax = count ( $soacontent );
+ − 466
for ( $i = 2 ; ( $i < $imax ) && ( $i < 7 ); $i ++ )
+ − 467
{
+ − 468
if ( ! is_numeric ( $soacontent [ $i ]))
+ − 469
{
+ − 470
return - 2 ;
+ − 471
}
+ − 472
else
+ − 473
{
+ − 474
$totalsoa .= " " . $soacontent [ $i ];
+ − 475
}
+ − 476
}
+ − 477
if ( $i > 7 )
+ − 478
{
+ − 479
error ( ERR_DNS_SOA_NUMERIC_FIELDS );
+ − 480
}
+ − 481
}
+ − 482
}
+ − 483
else
+ − 484
{
+ − 485
error ( ERR_DNS_SOA_HOSTNAME );
+ − 486
}
+ − 487
$content = $totalsoa ;
+ − 488
return 1 ;
+ − 489
}
+ − 490
+ − 491
+ − 492
function is_valid_url ( $url )
+ − 493
{
+ − 494
return preg_match ( '!^(http://)(([A-Z\d]|[A-Z\d][A-Z\d-]*[A-Z\d])\.)*[A-Z\d]+([//]([0-9a-z//~#%&\'_\-+=:?.]*))?$!i' , $url );
+ − 495
}
+ − 496
62
+ − 497
function is_valid_search ( $holygrail )
+ − 498
{
+ − 499
// Only allow for alphanumeric, numeric, dot, dash, underscore and
+ − 500
// percent in search string. The last two are wildcards for SQL.
+ − 501
// Needs extension probably for more usual record types.
+ − 502
+ − 503
return preg_match ( '/^[a-z0-9.\-%_]+$/i' , $holygrail );
+ − 504
}
+ − 505
+ − 506
1
+ − 507
?>