Add server name in token strings
This commit is contained in:
parent
567034b8fe
commit
83f9a05875
|
@ -3,6 +3,7 @@ root_path = "/srv/niver/core"
|
|||
docs_prefix = "/docs/"
|
||||
; Prefix in URL, if any
|
||||
prefix = ""
|
||||
public_domains[] = "niver.test"
|
||||
|
||||
[dns]
|
||||
knotc_path = "/usr/sbin/knotc"
|
||||
|
|
|
@ -29,7 +29,7 @@ if (processForm()) {
|
|||
$remoteTXTRecords = dns_get_record($_POST['domain'], DNS_TXT);
|
||||
if (is_array($remoteTXTRecords) !== true)
|
||||
output(500, 'Erreur lors de la récupération de l\'enregistrement TXT.');
|
||||
if (preg_match('/^auth-owner=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
|
||||
if (preg_match('/^' . preg_quote(SERVER_NAME, '/') . '_domain-verification=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
|
||||
output(403, 'Aucun enregistrement TXT au format correct trouvé.');
|
||||
|
||||
checkAuthToken($matches[1], $matches[2]);
|
||||
|
@ -88,7 +88,7 @@ $proof = getAuthToken();
|
|||
</dd>
|
||||
<dt><code>TXT</code></dt>
|
||||
<dd>
|
||||
<code>auth-owner=<?= $proof ?></code>
|
||||
<code><?= SERVER_NAME ?>_domain-verification=<?= $proof ?></code>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
|
|
|
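Review bot: In the hunk at `@ -29,7 +29,7 @@`, the rewritten TXT pattern still reads its captures positionally (`$matches[1]`, `$matches[2]`) while the equivalent NS check in the other form of this commit names them `(?<salt>…)`/`(?<hash>…)`; writing `(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})` here and calling `checkAuthToken($matches['salt'], $matches['hash']);` keeps the two token checks readable side by side. The `D` modifier on that pattern is ignored whenever `m` is set, so `$` is already the per-line anchor and `D` can be dropped rather than suggest end-of-subject matching. The template in the hunk at `@ -88,7 +88,7 @@` echoes `SERVER_NAME` unescaped, which is acceptable only because router.php restricts it to `CONF['common']['public_domains']`; a one-line comment such as `<?php // SERVER_NAME is allowlisted against public_domains in router.php ?>` would record that dependency, and the same applies to the ns form's text in this commit. The `if (processForm())` block enclosing the first hunk starts outside it.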
@ -13,7 +13,7 @@ if (processForm()) {
|
|||
checkAbsoluteDomainFormat($parentAuthoritative);
|
||||
|
||||
exec(CONF['ns']['kdig_path'] . ' ' . $_POST['domain'] . ' NS @' . $parentAuthoritatives[0] . ' +noidn', $results);
|
||||
if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\.auth-owner.+$/Dm', implode(LF, $results), $matches) !== 1)
|
||||
if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '$/Dm', implode(LF, $results), $matches) !== 1)
|
||||
output(403, 'Enregistrement d\'authentification introuvable');
|
||||
|
||||
checkAuthToken($matches['salt'], $matches['hash']);
|
||||
|
@ -58,7 +58,7 @@ $proof = getAuthToken();
|
|||
?>
|
||||
|
||||
<p>
|
||||
Le domaine doit avoir un <?= linkToDocs('ns-record', 'enregistrement NS') ?> qui commence par <code><?= $proof ?>.auth-owner</code> lors du traitement de ce formulaire.
|
||||
Pour prouver que vous possédez bien ce domaine, il doit posséder un <?= linkToDocs('ns-record', 'enregistrement NS') ?> égal à <code><?= $proof ?>._domain-verification.<?= SERVER_NAME ?>.</code> lors du traitement de ce formulaire.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
|
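Review bot: The NS pattern in the hunk at `@ -13,7 +13,7 @@` now ends with `preg_quote(SERVER_NAME, '/') . '$'`, but the form text in the hunk at `@ -58,7 +58,7 @@` tells the user to publish `<proof>._domain-verification.<SERVER_NAME>.` with a trailing dot, and the previous `\.auth-owner.+$` tolerated whatever followed the label. If kdig prints the NS target as an absolute name, as that trailing-dot wording suggests, the anchored pattern no longer matches and every legitimate delegation ends in the 403 below it; ending the pattern with `. preg_quote(SERVER_NAME, '/') . '\.?$/m'` (or `'\.$/m'` if the output is known to always be absolute) restores the match while keeping it anchored, and `D` is a no-op next to `m`. The `$_POST['domain']` concatenated into the `exec()` command on the context line above is untouched by this commit, so I assume an earlier `checkAbsoluteDomainFormat($_POST['domain'])` guards it. The `if (processForm())` block enclosing the first hunk starts outside it.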
14
router.php
14
router.php
|
@ -116,8 +116,18 @@ if (in_array(SERVICE, ['reg', 'ns', 'ht']) AND CONF[SERVICE]['enabled'] !== true
|
|||
output(403, 'Ce service est désactivé.');
|
||||
|
||||
// Protect against cross-site request forgery if a POST request is received
|
||||
if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin'))
|
||||
output(403, 'Anti-<abbr title="Cross-Site Request Forgery">CSRF</abbr> verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)');
|
||||
if ($_POST !== []) {
|
||||
if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true)
|
||||
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header is required when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
|
||||
if ($_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin')
|
||||
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header must be <code>same-origin</code> when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
|
||||
}
|
||||
|
||||
if (isset($_SERVER['SERVER_NAME']) !== true)
|
||||
output(500, 'Missing $_SERVER[\'SERVER_NAME\']');
|
||||
if (in_array($_SERVER['SERVER_NAME'], CONF['common']['public_domains'], true) !== true)
|
||||
output(500, 'The current server name is not allowed in configuration.');
|
||||
define('SERVER_NAME', $_SERVER['SERVER_NAME']);
|
||||
|
||||
function displayFinalMessage() {
|
||||
global $final_message;
|
||||
|
|
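Review bot: The new `SERVER_NAME` allowlist compares `$_SERVER['SERVER_NAME']` with `in_array(..., true)`, which is byte-exact and case-sensitive, while host names are case-insensitive; on setups where the web server derives SERVER_NAME from the request's Host header, a request for `NIVER.TEST` is refused with a 500 even though it names a configured domain. Because the value is client-influenced in that case, a 4xx such as 421 or 400 describes the situation better than 500, and normalising once, `$serverName = strtolower($_SERVER['SERVER_NAME']);` before the `in_array` check and `define('SERVER_NAME', $serverName);`, avoids the spurious rejection. A comment above the block stating why the allowlist is load-bearing would help future readers, e.g. `// SERVER_NAME is later embedded in DNS token strings, regexes and HTML; accept only the configured public domains so the Host header cannot control it.` The split CSRF check reads more clearly than the single condition it replaces and keeps the same rejection behaviour.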