Add server name in token strings

This commit is contained in:
Miraty 2022-11-22 00:28:19 +01:00
parent 567034b8fe
commit 83f9a05875
4 changed files with 17 additions and 6 deletions


@ -3,6 +3,7 @@ root_path = "/srv/niver/core"
docs_prefix = "/docs/"
; Prefix in URL, if any
prefix = ""
public_domains[] = "niver.test"
[dns]
knotc_path = "/usr/sbin/knotc"
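Review bot: The new `public_domains[] = "niver.test"` line is the only key in this block without the `;` comment its neighbours carry, and its role cannot be read from the ini file alone. The last file in this commit refuses any request whose `$_SERVER['SERVER_NAME']` is not in this list and then embeds that name in the verification tokens, so a reader editing the config needs that context: `; Host names this instance is served under; a request with any other SERVER_NAME is refused (500)` above the line. Since `[]` appends, each additional host needs its own `public_domains[]` line rather than a comma-separated value.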


@ -29,7 +29,7 @@ if (processForm()) {
$remoteTXTRecords = dns_get_record($_POST['domain'], DNS_TXT);
if (is_array($remoteTXTRecords) !== true)
output(500, 'Erreur lors de la récupération de l\'enregistrement TXT.');
if (preg_match('/^auth-owner=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
if (preg_match('/^' . preg_quote(SERVER_NAME, '/') . '_domain-verification=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
output(403, 'Aucun enregistrement TXT au format correct trouvé.');
checkAuthToken($matches[1], $matches[2]);
@ -88,7 +88,7 @@ $proof = getAuthToken();
</dd>
<dt><code>TXT</code></dt>
<dd>
<code>auth-owner=<?= $proof ?></code>
<code><?= SERVER_NAME ?>_domain-verification=<?= $proof ?></code>
</dd>
</dl>
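Review bot: `SERVER_NAME` is echoed into the HTML unescaped on the new `<code><?= SERVER_NAME ?>_domain-verification=<?= $proof ?></code>` line, and again in the NS help text of the next file. That is only safe because the last file in this commit rejects any `$_SERVER['SERVER_NAME']` not listed in `CONF['common']['public_domains']`; the template should not depend on that allowlist staying strict, so escape at the output point: `<code><?= htmlspecialchars(SERVER_NAME, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>_domain-verification=<?= $proof ?></code>`. The `preg_quote(SERVER_NAME, '/')` in the new TXT pattern is correct; note though that the `D` modifier is ignored whenever `m` is set, so `/m` alone expresses the intent. The enclosing `processForm()` block of the first hunk starts outside the hunk.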


@ -13,7 +13,7 @@ if (processForm()) {
checkAbsoluteDomainFormat($parentAuthoritative);
exec(CONF['ns']['kdig_path'] . ' ' . $_POST['domain'] . ' NS @' . $parentAuthoritatives[0] . ' +noidn', $results);
if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\.auth-owner.+$/Dm', implode(LF, $results), $matches) !== 1)
if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '$/Dm', implode(LF, $results), $matches) !== 1)
output(403, 'Enregistrement d\'authentification introuvable');
checkAuthToken($matches['salt'], $matches['hash']);
@ -58,7 +58,7 @@ $proof = getAuthToken();
?>
<p>
Le domaine doit avoir un <?= linkToDocs('ns-record', 'enregistrement NS') ?> qui commence par <code><?= $proof ?>.auth-owner</code> lors du traitement de ce formulaire.
Pour prouver que vous possédez bien ce domaine, il doit posséder un <?= linkToDocs('ns-record', 'enregistrement NS') ?> égal à <code><?= $proof ?>._domain-verification.<?= SERVER_NAME ?>.</code> lors du traitement de ce formulaire.
</p>
<p>
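Review bot: The new NS pattern on the `preg_match` line ends in `preg_quote(SERVER_NAME, '/') . '$'` with no trailing dot, while the help text in the second hunk tells the user to publish `<?= $proof ?>._domain-verification.<?= SERVER_NAME ?>.`; if kdig prints the NS target as an absolute name with its final dot (its usual presentation format — worth confirming against a real run), no record will match and every submission ends in the 403. Accepting the dot, `'\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '\.?$/m'`, keeps the check strict while matching what the page asks for (the `D` modifier is ignored under `m` anyway). Separately, `$_POST['domain']` is concatenated into the `exec()` command line on the context line above the pattern; unless it is format-checked earlier in `processForm()` (which starts outside the hunk), wrapping it with `escapeshellarg()` costs nothing and removes the dependency on that check. `SERVER_NAME` is also echoed unescaped in the `<code>` of the second hunk; `htmlspecialchars(SERVER_NAME, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` there keeps the template safe independently of the `public_domains` allowlist.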


@ -116,8 +116,18 @@ if (in_array(SERVICE, ['reg', 'ns', 'ht']) AND CONF[SERVICE]['enabled'] !== true
output(403, 'Ce service est désactivé.');
// Protect against cross-site request forgery if a POST request is received
if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin'))
output(403, 'Anti-<abbr title="Cross-Site Request Forgery">CSRF</abbr> verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)');
if ($_POST !== []) {
if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true)
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header is required when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
if ($_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin')
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header must be <code>same-origin</code> when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
}
if (isset($_SERVER['SERVER_NAME']) !== true)
output(500, 'Missing $_SERVER[\'SERVER_NAME\']');
if (in_array($_SERVER['SERVER_NAME'], CONF['common']['public_domains'], true) !== true)
output(500, 'The current server name is not allowed in configuration.');
define('SERVER_NAME', $_SERVER['SERVER_NAME']);
function displayFinalMessage() {
global $final_message;