servnest/pg-act/ht/add-dns.php

<?php declare(strict_types=1);

$_POST['domain'] = formatDomain($_POST['domain']);

if (dirsStatuses('dns')[$_POST['dir']] !== false)
	output(403, 'Wrong value for <code>dir</code>.');

if (query('select', 'sites', ['address' => $_POST['domain']], ['address']) !== [])
	output(403, _('This domain already exists on this service. Use another one.'));

$remoteAaaaRecords = dns_get_record($_POST['domain'], DNS_AAAA);
if (is_array($remoteAaaaRecords) !== true)
	output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'AAAA', '<code>' . htmlspecialchars($_POST['domain']) . '</code>'));
if (equalArrays([CONF['ht']['ipv6_address']], array_column($remoteAaaaRecords, 'ipv6')) !== true)
	output(403, sprintf(_('This domain must have %2$s as its only %1$s record.'), 'AAAA', '<code>' . CONF['ht']['ipv6_address'] . '</code>'));

$remoteARecords = dns_get_record($_POST['domain'], DNS_A);
if (is_array($remoteARecords) !== true)
	output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'A', '<code>' . htmlspecialchars($_POST['domain']) . '</code>'));
if (equalArrays([CONF['ht']['ipv4_address']], array_column($remoteARecords, 'ip')) !== true)
	output(403, sprintf(_('This domain must have %2$s as its only %1$s record.'), 'A', '<code>' . CONF['ht']['ipv4_address'] . '</code>'));

$remoteTXTRecords = dns_get_record('_auth.' . $_POST['domain'], DNS_TXT);
if (is_array($remoteTXTRecords) !== true)
	output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'TXT', '<code>_auth.' . htmlspecialchars($_POST['domain']) . '</code>'));
if (preg_match('/^' . preg_quote(SERVER_NAME, '/') . '_domain-verification=(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)
	output(403, sprintf(_('No TXT record with the expected format has been found on domain %s.'), '<code>_auth.' . htmlspecialchars($_POST['domain']) . '</code>'));

checkAuthToken($matches['salt'], $matches['hash']);

rateLimit();

exescape([
	CONF['ht']['sudo_path'],
	CONF['ht']['certbot_path'],
	'--config',
	CONF['ht']['certbot_config_path'],
	'certonly',
	'--domain',
	$_POST['domain'],
	...(($_SESSION['type'] === 'approved') ? [] : ['--test-cert']),
], $output, $returnCode);
if ($returnCode !== 0)
	output(500, 'Certbot failed to get a Let\'s Encrypt certificate.', $output);

addSite($_SESSION['id'], $_POST['dir'], $_POST['domain'], 'dns');

htRelativeSymlink('../fs/' . $_SESSION['id'] . '/' . $_POST['dir'], CONF['ht']['ht_path'] . '/uri/' . $_POST['domain']);

output(200, sprintf(_('%s added on this directory.'), PAGE_METADATA['title']));
declare(strict_types=1); 2023-07-17 19:15:18 +00:00			`<?php declare(strict_types=1);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
			`$_POST['domain'] = formatDomain($_POST['domain']);`

ht: subdomain and subpath on shared domain 2022-12-22 00:44:57 +00:00			`if (dirsStatuses('dns')[$_POST['dir']] !== false)`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`output(403, 'Wrong value for <code>dir</code>.');`

ns/sync.php: instant sync when adding new sync 2023-10-07 22:50:48 +00:00			`if (query('select', 'sites', ['address' => $_POST['domain']], ['address']) !== [])`
Use Apache - Allows customization through .htaccess - No need to configure or reload a server when adding a site - Content negotiation 2023-04-09 22:50:42 +00:00			`output(403, _('This domain already exists on this service. Use another one.'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
			`$remoteAaaaRecords = dns_get_record($_POST['domain'], DNS_AAAA);`
			`if (is_array($remoteAaaaRecords) !== true)`
add-dns.php: CNAME&co sourcing support 2023-09-16 17:45:46 +00:00			`output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'AAAA', '<code>' . htmlspecialchars($_POST['domain']) . '</code>'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`if (equalArrays([CONF['ht']['ipv6_address']], array_column($remoteAaaaRecords, 'ipv6')) !== true)`
Gettext internationalization and english translation 2023-01-21 00:27:52 +00:00			`output(403, sprintf(_('This domain must have %2$s as its only %1$s record.'), 'AAAA', '<code>' . CONF['ht']['ipv6_address'] . '</code>'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
			`$remoteARecords = dns_get_record($_POST['domain'], DNS_A);`
			`if (is_array($remoteARecords) !== true)`
add-dns.php: CNAME&co sourcing support 2023-09-16 17:45:46 +00:00			`output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'A', '<code>' . htmlspecialchars($_POST['domain']) . '</code>'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`if (equalArrays([CONF['ht']['ipv4_address']], array_column($remoteARecords, 'ip')) !== true)`
Gettext internationalization and english translation 2023-01-21 00:27:52 +00:00			`output(403, sprintf(_('This domain must have %2$s as its only %1$s record.'), 'A', '<code>' . CONF['ht']['ipv4_address'] . '</code>'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
add-dns.php: CNAME&co sourcing support 2023-09-16 17:45:46 +00:00			`$remoteTXTRecords = dns_get_record('_auth.' . $_POST['domain'], DNS_TXT);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`if (is_array($remoteTXTRecords) !== true)`
add-dns.php: CNAME&co sourcing support 2023-09-16 17:45:46 +00:00			`output(500, sprintf(_('Can\'t retrieve the %1$s record for domain %2$s.'), 'TXT', '<code>_auth.' . htmlspecialchars($_POST['domain']) . '</code>'));`
			`if (preg_match('/^' . preg_quote(SERVER_NAME, '/') . '_domain-verification=(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})$/Dm', implode(LF, array_column($remoteTXTRecords, 'txt')), $matches) !== 1)`
			`output(403, sprintf(_('No TXT record with the expected format has been found on domain %s.'), '<code>_auth.' . htmlspecialchars($_POST['domain']) . '</code>'));`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
add-dns.php: CNAME&co sourcing support 2023-09-16 17:45:46 +00:00			`checkAuthToken($matches['salt'], $matches['hash']);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
			`rateLimit();`

Fix important vulnerability in reg/ds.php + exescape In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection. 2023-06-19 00:15:43 +00:00			`exescape([`
			`CONF['ht']['sudo_path'],`
			`CONF['ht']['certbot_path'],`
Use custom certbot config path 2024-01-28 18:21:01 +00:00			`'--config',`
			`CONF['ht']['certbot_config_path'],`
Fix important vulnerability in reg/ds.php + exescape In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection. 2023-06-19 00:15:43 +00:00			`'certonly',`
			`'--domain',`
			`$_POST['domain'],`
			`...(($_SESSION['type'] === 'approved') ? [] : ['--test-cert']),`
			`], $output, $returnCode);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`if ($returnCode !== 0)`
			`output(500, 'Certbot failed to get a Let\'s Encrypt certificate.', $output);`

Call Certbot before adding to DB 2023-05-04 00:20:29 +00:00			`addSite($_SESSION['id'], $_POST['dir'], $_POST['domain'], 'dns');`

Use Apache - Allows customization through .htaccess - No need to configure or reload a server when adding a site - Content negotiation 2023-04-09 22:50:42 +00:00			`htRelativeSymlink('../fs/' . $_SESSION['id'] . '/' . $_POST['dir'], CONF['ht']['ht_path'] . '/uri/' . $_POST['domain']);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00
Use Apache - Allows customization through .htaccess - No need to configure or reload a server when adding a site - Content negotiation 2023-04-09 22:50:42 +00:00			`output(200, sprintf(_('%s added on this directory.'), PAGE_METADATA['title']));`