Currently any VegaDNS installation allows any surfer to get a listing of all
the domains for the zone file. This is done so that the update-data script
can generate the tinydns-data file. This patch will allow you to limit the
connections that can read the data based on IP. This should provide a low
level of security for this data.
Any comments are welcome. I don't do much PHP programming, and there may be a
more efficient way to do this using Smarty, but this does the trick for now.
patch -p1 < vegadns-0.6.1-authpatch
diff -Naur vegadns-0.6.1/index.php vegadns-0.6.1-authpatch/index.php
--- vegadns-0.6.1/index.php Fri Mar 19 18:14:48 2004
+++ vegadns-0.6.1-authpatch/index.php Mon Mar 29 03:44:16 2004
@@ -68,6 +68,12 @@
if(isset($_REQUEST['state']) && $_REQUEST['state'] == 'get_data') {
+ if(!(ereg($trusted_host,$_SERVER['REMOTE_ADDR']))) {
+ $message = "Host ".$_SERVER['REMOTE_ADDR']." not authorized.";
+ header("Location:
".$_SERVER['PHP_SELF']."?".SID."&message=".urlencode($message));
+ exit;
+ }
+
// EXPORT DATA
require('src/data.php');
exit;
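Review bot: the ereg($trusted_host, $_SERVER['REMOTE_ADDR']) test in the added if block treats $trusted_host as an unanchored regular expression, so the pattern can match anywhere inside the client address and every "." in it matches any character. With a setting such as '10.0.0.1' (a constructed example), addresses like 110.0.0.1 or 10.0.0.15 would also be authorized. Suggest a plain string comparison instead: an exact match for a full address, or a prefix match such as strpos($_SERVER['REMOTE_ADDR'], $trusted_host) === 0 with the partial address written with its trailing dot. If the regex is kept, anchor it with ^ and escape the dots.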
diff -Naur vegadns-0.6.1/src/config.php
vegadns-0.6.1-authpatch/src/config.php
--- vegadns-0.6.1/src/config.php Wed Mar 24 09:59:33 2004
+++ vegadns-0.6.1-authpatch/src/config.php Mon Mar 29 03:45:16 2004
@@ -47,6 +47,9 @@
// Records per page
$per_page = 75;
+// Host that is allowed to view entire domain database. You can use a
partial ip
+// address as well.
+$trusted_host = '127.0.0.1';
/////////////////////////////////////
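Review bot: the comment added above $trusted_host says a partial IP address may be used, but it does not say that index.php passes the value to ereg() as a pattern. Suggest documenting that the setting is a regular expression and showing the intended form for a partial address, for example '^192\.168\.1\.', so that an administrator does not enter an unanchored prefix. It would also help to state that only a single pattern is supported.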
------------------------------------
Niuhi, Inc.
Ryan White
[EMAIL PROTECTED]
tel: 800.996.4844 x333
mobile: 714 390 8151
------------------------------------