I recently discovered, after a careless user cut and pasted a name with
a "^M" character in it, that there is no validation of the $name value
of domain records.

I've modified functions.php to include a validation routine, which
insists that the name field of the record contain only ".", "-", 0-9,
a-z characters.

Following is a diff. I don't use the update-data.sh script (I use
sql2data) so it might be a good idea to include some sanity checking
there too, in case the DB contains illegal characters.

Regards,
Len

*** vegadns-0.9.7.dist/src/functions.php        2004-10-09 22:06:59.000000000 +0200
--- vegadns-0.9.7/src/functions.php     2004-10-21 21:25:48.000000000 +0200
***************
*** 131,136 ****
--- 131,144 ----
  
  }
  
+ function check_domain_name_format($name) {
+ 
+     $result = ereg("^[\.a-z0-9-]+$", 
+         strtolower($name));
+     return $result;
+ 
+ }
+ 
  function check_first_use() {
  
      $result = mysql_query("show tables") or die(mysql_error());
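Review bot: In check_domain_name_format(), the backslash inside the bracket expression "^[\.a-z0-9-]+$" is not an escape. POSIX bracket expressions treat it as a literal character, so a name containing "\" passes the check; write the class as [.a-z0-9-]. The pattern also constrains only the character set, so "..", a leading "." and labels that begin or end with "-" are all accepted. A per-label check, plus a one-line comment stating the accepted format, would close that.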
***************
*** 227,232 ****
--- 235,243 ----
          if(validate_ip($address) == FALSE) {
              return "\"$address\" is not a valid A record address";
          }
+         if(check_domain_name_format($name) == FALSE) {
+             return "\"$name\" is not a valid A record name";
+         }
      }
  
      // verify NS record
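Review bot: The added A record check rejects any name containing "*", because the class in check_domain_name_format() has no "*" in it. If wildcard names such as "*.example.com" are entered through this function, they will now fail with "is not a valid A record name". Either accept a leading "*." label explicitly before calling the check, or say in the message that wildcards are not accepted.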
***************
*** 234,239 ****
--- 245,253 ----
          if(validate_ip($address) != FALSE) {
              return "\"$address\" should not be an IP address";
          }
+         if(check_domain_name_format($name) == FALSE) {
+             return "\"$name\" is not a valid NS record name";
+         }
      }
  
      // verify MX record
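Review bot: In the NS branch only $name is format-checked. $address, which the test just above requires to be something other than an IP address, is still accepted with any characters in it. A pasted control character like the one that prompted this patch can arrive in $address as well, so call check_domain_name_format($address) here too.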
***************
*** 241,246 ****
--- 255,263 ----
          if(validate_ip($name)) {
              return "MX records can not be an IP address";
          }
+         if(check_domain_name_format($name) == FALSE) {
+             return "\"$name\" is not a valid MX record name";
+         }
          if(!eregi("^([0-9])+$", $distance)) 
              return "\"$distance\" is not a valid MX distance";
      }
***************
*** 256,261 ****
--- 273,281 ----
          if(validate_ip($address)) {
              return "CNAME records can not point to an IP address";
          }
+         if(check_domain_name_format($name) == FALSE) {
+             return "\"$name\" is not a valid CNAME record name";
+         }
      }
  
      // make sure a TTL was given
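Review bot: The added CNAME block is the fourth copy of the same three-line check, differing only in the record type named in the message. A single call with the type passed into the message would keep the rule in one place and make it harder to miss a record type later. The CNAME target in $address, which the preceding test requires not to be an IP address, is also left unchecked and should get the same validation.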


-- 
Len Padilla
[EMAIL PROTECTED]