No domain validation

Discussion in 'General' started by Tommahawk, Sep 13, 2007.

  1. Tommahawk

    Tommahawk New Member

    ISPConfig does not check for a valid domain. You should add...

    if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

    somewhere. Now the DNS manager folders will not load. I have included a screenshot because it has corrupted the database and it also creates folders, e.g.

    the entry in the dns_isp_dns table | 1 | | |
    | 38 | 1016 | /root/Desktop/organised/html/t7v/index.php | 28800 | 7200 | 604800 | 86400 | | | admin@/root/Desktop/organised/html/t7v/index.php

    1) the folders are created in chroot under pri. folder

    2) /root/Desktop/organised/html/t7v/index.php is not a valid domain.

    I fixed the issue by deleting 2 references in the database and all is fixed, but a reseller may be able to exploit the issue and break out of the chroot by creating folders.

    Need to include the fix

    if (!preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain_here)) $error = "Please enter a valid domain name";

    when specifying a domain name for a new site.

    Last edited: Sep 13, 2007
  2. falko

    falko Super Moderator ISPConfig Developer

    Thanks for the report. I've added this to our bugtracker.
  3. Tommahawk

    Tommahawk New Member

    I have also noticed that turning client-side JavaScript off in the browser allows for the creation of empty sites (bypasses the JavaScript alerts). So a few additional PHP lines to back up the JavaScript also.

    Where would the likely candidate file be to add my fix?

    function web_insert -> ispconfig_isp_web.lib.php -> ignored
    function web_insert -> ispconfig_web.lib.php -> ignored

    Perhaps line 234 /home/admispconfig/ispconfig/web/multidoc/edit/edit.php
    Would adding my fix have other impacts?

    Note: JavaScript validation is handy and efficient, but due to its client-side nature you also need the fallback validation of a pre-processing scripting language like PHP.
    Last edited: Sep 17, 2007
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does server-side checks too, have a look at /home/admispconfig/ispconfig/web/multidoc/edit/edit.php. The regex rules are defined in the forms editor, that's why you won't find them in the sources.

    We will check the problem as falko pointed out.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Fixed in SVN and the fix will be part of ISPConfig 2.2.17.
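
The check posted in this thread next to a stricter server-side validator, run over constructed inputs plus the path from the dns_isp_dns row quoted in the first post. This is an added example, not part of the thread and not ISPConfig's code; the function names `posted_check` and `strict_check` and the ASCII-only hostname policy are assumptions.

```php
<?php
// Added example, not ISPConfig code. Function names are hypothetical.

// The check exactly as posted in the thread.
function posted_check(string $domain): bool
{
    return preg_match("/^([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $domain) === 1;
}

// Stricter check (assumed policy: ASCII hostnames, RFC 1035 length limits).
function strict_check(string $domain): bool
{
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $labels = explode('.', $domain);
    if (count($labels) < 2) {
        return false;
    }
    foreach ($labels as $label) {
        // 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
        // \z anchors at the true end of the string; a bare $ (without the
        // D modifier) also matches just before a final "\n".
        if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i', $label)) {
            return false;
        }
    }
    // Last label alphabetic, as in the posted pattern, minus its 6-char cap.
    return preg_match('/\A[a-z]{2,63}\z/i', end($labels)) === 1;
}

// Constructed inputs; the path is the value stored in the row from the thread.
$samples = [
    'example.com',
    '/root/Desktop/organised/html/t7v/index.php',
    "example.com\n",                        // trailing newline
    '-bad-.example.com',                    // hyphen at label edges
    str_repeat('a', 64) . '.example.com',   // label longer than 63 chars
    '',
];

foreach ($samples as $s) {
    printf("%-48s posted=%-5s strict=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        var_export(posted_check($s), true),
        var_export(strict_check($s), true));
}
```

Both checks reject the path, but the posted pattern also accepts the trailing-newline, hyphen-edged and overlong-label inputs that the stricter check refuses.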
