
Add server name in token strings

Miraty пре 2 година
родитељ
комит
83f9a05875
4 измењених фајлова са 17 додато и 6 уклоњено
  1. 1 0
      config.ini
  2. 2 2
      pages/ht/add-http-dns.php
  3. 2 2
      pages/ns/zone-add.php
  4. 12 2
      router.php

+ 1 - 0
config.ini

@@ -3,6 +3,7 @@ root_path = "/srv/niver/core"
 docs_prefix = "/docs/"
 ; Prefix in URL, if any
 prefix = ""
+public_domains[] = "niver.test"
 
 [dns]
 knotc_path = "/usr/sbin/knotc"

+ 2 - 2
pages/ht/add-http-dns.php

@@ -29,7 +29,7 @@ if (processForm()) {
 	$remoteTXTRecords = dns_get_record($_POST['domain'], DNS_TXT);
 	if (is_array($remoteTXTRecords) !== true)
 		output(500, 'Erreur lors de la récupération de l\'enregistrement TXT.');
-	if (preg_match('/^auth-owner=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
+	if (preg_match('/^' . preg_quote(SERVER_NAME, '/') . '_domain-verification=([0-9a-f]{8})-([0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
 		output(403, 'Aucun enregistrement TXT au format correct trouvé.');
 
 	checkAuthToken($matches[1], $matches[2]);
@@ -88,7 +88,7 @@ $proof = getAuthToken();
 	</dd>
 	<dt><code>TXT</code></dt>
 	<dd>
-		<code>auth-owner=<?= $proof ?></code>
+		<code><?= SERVER_NAME ?>_domain-verification=<?= $proof ?></code>
 	</dd>
 </dl>
 

+ 2 - 2
pages/ns/zone-add.php

@@ -13,7 +13,7 @@ if (processForm()) {
 		checkAbsoluteDomainFormat($parentAuthoritative);
 
 	exec(CONF['ns']['kdig_path'] . ' ' . $_POST['domain'] . ' NS @' . $parentAuthoritatives[0] . ' +noidn', $results);
-	if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\.auth-owner.+$/Dm', implode(LF, $results), $matches) !== 1)
+	if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '$/Dm', implode(LF, $results), $matches) !== 1)
 		output(403, 'Enregistrement d\'authentification introuvable');
 
 	checkAuthToken($matches['salt'], $matches['hash']);
@@ -58,7 +58,7 @@ $proof = getAuthToken();
 ?>
 
 <p>
-	Le domaine doit avoir un <?= linkToDocs('ns-record', 'enregistrement NS') ?> qui commence par <code><?= $proof ?>.auth-owner</code> lors du traitement de ce formulaire.
+	Pour prouver que vous possédez bien ce domaine, il doit posséder un <?= linkToDocs('ns-record', 'enregistrement NS') ?> égal à <code><?= $proof ?>._domain-verification.<?= SERVER_NAME ?>.</code> lors du traitement de ce formulaire.
 </p>
 
 <p>
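Review bot: The new pattern on the first hunk's changed line ends in `preg_quote(SERVER_NAME, '/') . '$/Dm'` with no dot before `$`, while the form text changed in the second hunk tells the user the NS target is `<proof>._domain-verification.<SERVER_NAME>.` with a trailing dot; if kdig prints the NS target as an absolute name with that final dot (which I cannot confirm from here), the record the user was instructed to create never matches and the form always answers 403, whereas the previous `\.auth-owner.+$` tail tolerated any suffix. If that is the case the tail should read `'\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm'`, or `\.?$` if both presentations must be accepted. The `if (processForm())` block containing the first hunk starts before it.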

+ 12 - 2
router.php

@@ -116,8 +116,18 @@ if (in_array(SERVICE, ['reg', 'ns', 'ht']) AND CONF[SERVICE]['enabled'] !== true
 	output(403, 'Ce service est désactivé.');
 
 // Protect against cross-site request forgery if a POST request is received
-if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin'))
-	output(403, 'Anti-<abbr title="Cross-Site Request Forgery">CSRF</abbr> verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)');
+if ($_POST !== []) {
+	if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true)
+		output(403, 'The <code>Sec-Fetch-Site</code> HTTP header is required when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
+	if ($_SERVER['HTTP_SEC_FETCH_SITE'] !== 'same-origin')
+		output(403, 'The <code>Sec-Fetch-Site</code> HTTP header must be <code>same-origin</code> when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
+}
+
+if (isset($_SERVER['SERVER_NAME']) !== true)
+	output(500, 'Missing $_SERVER[\'SERVER_NAME\']');
+if (in_array($_SERVER['SERVER_NAME'], CONF['common']['public_domains'], true) !== true)
+	output(500, 'The current server name is not allowed in configuration.');
+define('SERVER_NAME', $_SERVER['SERVER_NAME']);
 
 function displayFinalMessage() {
 	global $final_message;
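Review bot: `$_SERVER['SERVER_NAME']` is only safe to bake into the verification-token strings because of the allow-list on the `in_array` line that follows — with common web-server configurations it is populated from the client-supplied Host header — so that dependency should be stated where the next reader will look, e.g. above the `isset` check: `// SERVER_NAME may come from the client's Host header; the allow-list check below is what makes it trustworthy for token strings.` The `in_array` call also assumes `CONF['common']['public_domains']` exists and is an array; on an installation whose config.ini lacks the new `public_domains[]` line PHP 8 throws a TypeError instead of the intended 500, so `CONF['common']['public_domains'] ?? []` would fail closed with the configured message. The strict comparison is case-sensitive while host names are not, so a request for an upper-cased host is rejected; acceptable, but worth a word in the 500 message. displayFinalMessage starts on the hunk's last lines and continues outside it.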