7f7bcadb58
In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection.
39 lines
1.5 KiB
PHP
39 lines
1.5 KiB
PHP
<?php
|
|
|
|
if (preg_match('/' . SUBDOMAIN_REGEX . '/D', $_POST['subdomain']) !== 1)
|
|
output(403, _('This format of subdomain is not allowed.'));
|
|
|
|
if (array_key_exists($_POST['suffix'], CONF['reg']['suffixes']) !== true)
|
|
output(403, 'This suffix doesn\'t exist.');
|
|
|
|
$domain = formatAbsoluteDomain($_POST['subdomain'] . '.' . $_POST['suffix']);
|
|
|
|
if (query('select', 'registry', ['username' => $_SESSION['id'], 'domain' => $domain], 'domain') !== [])
|
|
output(403, _('The current account already owns this domain.'));
|
|
|
|
exescape([
|
|
CONF['dns']['kdig_path'],
|
|
$domain,
|
|
'NS',
|
|
'@' . CONF['reg']['address'],
|
|
'+noidn',
|
|
], $results, $code);
|
|
if ($code !== 0)
|
|
output(500, 'Unable to query registry\'s name servers.');
|
|
if (preg_match('/^' . preg_quote($domain, '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._transfer-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $results), $matches) !== 1)
|
|
output(403, _('NS authentication record not found.'));
|
|
|
|
checkAuthToken($matches['salt'], $matches['hash']);
|
|
|
|
rateLimit();
|
|
|
|
DB->prepare('UPDATE registry SET username = :username WHERE domain = :domain')
|
|
->execute([':username' => $_SESSION['id'], ':domain' => $domain]);
|
|
|
|
knotcZoneExec($_POST['suffix'], [
|
|
$domain,
|
|
'NS',
|
|
$matches['salt'] . '-' . $matches['hash'] . '._transfer-verification.' . SERVER_NAME . '.'
|
|
], 'delete');
|
|
|
|
output(200, _('The domain has been transferred to the current account ; the NS authentication record has been automatically deleted.'));
|