Many fixes for security.
This commit is contained in:
parent
6f5cc58c21
commit
a0d32ba8fe
|
@ -99,6 +99,18 @@ a:hover {
|
||||||
form {
|
form {
|
||||||
text-align: center;
|
text-align: center;
|
||||||
}
|
}
|
||||||
|
.error-messages {
|
||||||
|
background-color: #ffdddd;
|
||||||
|
border: 1px solid #ff0000;
|
||||||
|
color: #ff0000;
|
||||||
|
margin: 10px 0;
|
||||||
|
padding: 10px;
|
||||||
|
border-radius: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.error-messages p {
|
||||||
|
margin: 5px 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Aligning form inputs to the left */
|
/* Aligning form inputs to the left */
|
||||||
form input[type="text"],
|
form input[type="text"],
|
||||||
|
|
|
@ -81,7 +81,7 @@ fclose($logFile);
|
||||||
|
|
||||||
// Git commit and push if there are changes
|
// Git commit and push if there are changes
|
||||||
if ($changes) {
|
if ($changes) {
|
||||||
// exec('git add .');
|
exec('git add .');
|
||||||
// exec('git commit -m "Updated DNS files"');
|
exec('git commit -m "Updated DNS files"');
|
||||||
// exec('git push origin master');
|
exec('git push origin master');
|
||||||
}
|
}
|
|
@ -3,9 +3,35 @@ require_once 'initdb.php';
|
||||||
|
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
|
// Initialize error messages array if not set
|
||||||
|
if (!isset($_SESSION['error_messages'])) {
|
||||||
|
$_SESSION['error_messages'] = [];
|
||||||
|
}
|
||||||
|
|
||||||
|
// Session timeout logic
|
||||||
|
$timeout = 1800; // 30 minutes in seconds
|
||||||
|
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||||
|
// Last request was more than 30 minutes ago
|
||||||
|
session_unset(); // Unset $_SESSION variable
|
||||||
|
session_destroy(); // Destroy session data
|
||||||
|
header("Location: /?page=login"); // Redirect to login page
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$_SESSION['last_activity'] = time(); // Update last activity time
|
||||||
|
|
||||||
|
// Check if user IP or user agent has changed
|
||||||
|
if ((isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) ||
|
||||||
|
(isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])) {
|
||||||
|
session_unset();
|
||||||
|
session_destroy();
|
||||||
|
header("Location: /?page=login");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
// Redirect to login if not logged in
|
// Redirect to login if not logged in
|
||||||
if (!isset($_SESSION['username'])) {
|
if (!isset($_SESSION['username'])) {
|
||||||
header("Location: https://tildenic.org/?page=login");
|
header("Location: /?page=login");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -14,22 +40,41 @@ $restrictedDomains = ['master.tilde', 'nic.tilde', 'tilde.tilde']; // Add more a
|
||||||
|
|
||||||
// Function to register domain
|
// Function to register domain
|
||||||
function registerDomain($domain, $userId, $pdo, $restrictedDomains) {
|
function registerDomain($domain, $userId, $pdo, $restrictedDomains) {
|
||||||
|
// Ensure '.tilde' is appended only once
|
||||||
|
if (!str_ends_with($domain, '.tilde')) {
|
||||||
|
$domain .= '.tilde';
|
||||||
|
}
|
||||||
|
|
||||||
|
// Debug: Output the full domain name
|
||||||
|
// echo "Attempting to register domain: " . htmlspecialchars($domain) . "<br>";
|
||||||
|
|
||||||
|
// Validate domain format (excluding the '.tilde' part)
|
||||||
|
$domainNameWithoutSuffix = str_replace('.tilde', '', $domain);
|
||||||
|
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $domainNameWithoutSuffix)) {
|
||||||
|
// echo "Error: Invalid domain format detected.<br>"; // Debug message
|
||||||
|
return "Error: Invalid domain format. Only letters, numbers, and hyphens are allowed.";
|
||||||
|
}
|
||||||
|
|
||||||
if (in_array($domain, $restrictedDomains)) {
|
if (in_array($domain, $restrictedDomains)) {
|
||||||
|
// echo "Error: Domain is restricted.<br>"; // Debug message
|
||||||
return "Error: The domain '$domain' cannot be registered.";
|
return "Error: The domain '$domain' cannot be registered.";
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$stmt = $pdo->prepare("INSERT INTO domains (user_id, domain_name) VALUES (?, ?)");
|
$stmt = $pdo->prepare("INSERT INTO domains (user_id, domain_name) VALUES (?, ?)");
|
||||||
$stmt->execute([$userId, $domain]);
|
$stmt->execute([$userId, $domain]);
|
||||||
|
// echo "Domain registered successfully.<br>"; // Debug message
|
||||||
return "Domain registered successfully: " . htmlspecialchars($domain);
|
return "Domain registered successfully: " . htmlspecialchars($domain);
|
||||||
} catch (PDOException $e) {
|
} catch (PDOException $e) {
|
||||||
|
// echo "Database error occurred.<br>"; // Debug message
|
||||||
if ($e->getCode() == 23000) {
|
if ($e->getCode() == 23000) {
|
||||||
return "Error: The domain '$domain' is already registered.";
|
return"Error: The domain '$domain' is already registered.";
|
||||||
} else {
|
} else {
|
||||||
return "Error: An error occurred while registering the domain.";
|
return "Error: An error occurred while registering the domain.";
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
// Function to get user ID
|
// Function to get user ID
|
||||||
function getUserId($username, $pdo) {
|
function getUserId($username, $pdo) {
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
<?php
|
<?php
|
||||||
require_once 'initdb.php';
|
require_once 'initdb.php';
|
||||||
|
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
// Function to check user credentials
|
// Function to check user credentials
|
||||||
|
@ -17,13 +16,42 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) {
|
||||||
$password = $_POST['password'];
|
$password = $_POST['password'];
|
||||||
|
|
||||||
if (checkCredentials($username, $password, $pdo)) {
|
if (checkCredentials($username, $password, $pdo)) {
|
||||||
|
// Regenerate session ID upon successful login
|
||||||
|
session_regenerate_id();
|
||||||
|
|
||||||
$_SESSION['username'] = $username;
|
$_SESSION['username'] = $username;
|
||||||
|
$_SESSION['last_activity'] = time(); // track start of session
|
||||||
|
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; // store user IP
|
||||||
|
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT']; // store user agent
|
||||||
|
|
||||||
header("Location: /?page=user_domains");
|
header("Location: /?page=user_domains");
|
||||||
exit;
|
exit;
|
||||||
} else {
|
} else {
|
||||||
$error = "Invalid username or password.";
|
$error = "Invalid username or password.";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Session timeout logic
|
||||||
|
$timeout = 1800; // 30 minutes in seconds
|
||||||
|
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||||
|
// last request was more than 30 minutes ago
|
||||||
|
session_unset(); // unset $_SESSION variable
|
||||||
|
session_destroy(); // destroy session data
|
||||||
|
header("Location: /?page=login"); // redirect to login page
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$_SESSION['last_activity'] = time(); // update last activity time
|
||||||
|
|
||||||
|
// Check if user IP or user agent has changed
|
||||||
|
if (isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR'] ||
|
||||||
|
isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) {
|
||||||
|
session_unset();
|
||||||
|
session_destroy();
|
||||||
|
header("Location: /?page=login");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
|
|
|
@ -53,15 +53,6 @@ function getDnsServersInfo() {
|
||||||
$dnsServers = getDnsServersInfo();
|
$dnsServers = getDnsServersInfo();
|
||||||
|
|
||||||
// Function to check server status
|
// Function to check server status
|
||||||
//function checkServerStatus($server) {
|
|
||||||
// Ping command varies depending on the operating system
|
|
||||||
// This is an example for a Unix-like system
|
|
||||||
// $output = [];
|
|
||||||
// $status = null;
|
|
||||||
// exec("ping -c 1 -W 5000 " . escapeshellarg($server), $output, $status);
|
|
||||||
//
|
|
||||||
// return $status === 0 ? "Online" : "Offline";
|
|
||||||
//}
|
|
||||||
function checkServerStatus($server) {
|
function checkServerStatus($server) {
|
||||||
$port = 53; // DNS port, change if necessary
|
$port = 53; // DNS port, change if necessary
|
||||||
$timeout = 10; // Timeout in seconds
|
$timeout = 10; // Timeout in seconds
|
||||||
|
@ -107,7 +98,6 @@ function checkServerStatus($server) {
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="https://tildegit.org/tildenic/.tilde/wiki/Setting-up-a-.tilde-DNS-server" target="_blank">Self-host information</a></li>
|
<li><a href="https://tildegit.org/tildenic/.tilde/wiki/Setting-up-a-.tilde-DNS-server" target="_blank">Self-host information</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<p><strong>NOTE!</strong> None of the servers currently listed are functional. They are old IP addresses. New servers will be online very soon!</p>
|
|
||||||
<h3>
|
<h3>
|
||||||
<a href="https://opennic.org/" target="_blank">OpenNIC Information</a>
|
<a href="https://opennic.org/" target="_blank">OpenNIC Information</a>
|
||||||
</h3>
|
</h3>
|
||||||
|
|
|
@ -3,9 +3,35 @@ require_once 'initdb.php';
|
||||||
|
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
|
// Initialize error messages array if not set
|
||||||
|
if (!isset($_SESSION['error_messages'])) {
|
||||||
|
$_SESSION['error_messages'] = [];
|
||||||
|
}
|
||||||
|
|
||||||
|
// Session timeout logic
|
||||||
|
$timeout = 1800; // 30 minutes in seconds
|
||||||
|
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||||
|
// Last request was more than 30 minutes ago
|
||||||
|
session_unset(); // Unset $_SESSION variable
|
||||||
|
session_destroy(); // Destroy session data
|
||||||
|
header("Location: /?page=login"); // Redirect to login page
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$_SESSION['last_activity'] = time(); // Update last activity time
|
||||||
|
|
||||||
|
// Check if user IP or user agent has changed
|
||||||
|
if ((isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) ||
|
||||||
|
(isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])) {
|
||||||
|
session_unset();
|
||||||
|
session_destroy();
|
||||||
|
header("Location: /?page=login");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
// Redirect to login if not logged in
|
// Redirect to login if not logged in
|
||||||
if (!isset($_SESSION['username'])) {
|
if (!isset($_SESSION['username'])) {
|
||||||
header("Location: https://tildenic.org/?page=login");
|
header("Location: /?page=login");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -24,31 +50,76 @@ function getUserDomains($userId, $pdo) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Function to remove a domain
|
// Function to remove a domain
|
||||||
function removeDomain($domainId, $pdo) {
|
function removeDomain($domainId, $userId, $pdo) {
|
||||||
|
// First, verify that the domain belongs to the user
|
||||||
|
$stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
|
||||||
|
$stmt->execute([$domainId, $userId]);
|
||||||
|
$count = $stmt->fetchColumn();
|
||||||
|
|
||||||
|
if ($count == 0) {
|
||||||
|
// The domain does not belong to the user
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Proceed with deletion since the domain belongs to the user
|
||||||
$stmt = $pdo->prepare("DELETE FROM domains WHERE id = ?");
|
$stmt = $pdo->prepare("DELETE FROM domains WHERE id = ?");
|
||||||
$stmt->execute([$domainId]);
|
$stmt->execute([$domainId]);
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// Function to update domain's IP address
|
// Function to update domain's IP address
|
||||||
function updateDomainIP($domainId, $ipAddress, $pdo) {
|
function updateDomainIP($domainId, $userId, $ipAddress, $pdo) {
|
||||||
$stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?"); // Updating ip_address
|
// Validate the IP address
|
||||||
|
if (!filter_var($ipAddress, FILTER_VALIDATE_IP)) {
|
||||||
|
// The IP address is not valid
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that the domain belongs to the user
|
||||||
|
$stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
|
||||||
|
$stmt->execute([$domainId, $userId]);
|
||||||
|
$count = $stmt->fetchColumn();
|
||||||
|
|
||||||
|
if ($count == 0) {
|
||||||
|
// The domain does not belong to the user
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Proceed with IP address update since the domain belongs to the user
|
||||||
|
$stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?");
|
||||||
$stmt->execute([$ipAddress, $domainId]);
|
$stmt->execute([$ipAddress, $domainId]);
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Handle domain removal
|
// Handle domain removal
|
||||||
if (isset($_GET['remove'])) {
|
if (isset($_GET['remove'])) {
|
||||||
removeDomain($_GET['remove'], $pdo);
|
$userId = getUserId($_SESSION['username'], $pdo);
|
||||||
|
$domainId = $_GET['remove'];
|
||||||
|
|
||||||
|
$result = removeDomain($domainId, $userId, $pdo);
|
||||||
|
if ($result !== true) {
|
||||||
|
$_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
|
||||||
|
} else {
|
||||||
header("Location: https://tildenic.org/?page=user_domains");
|
header("Location: https://tildenic.org/?page=user_domains");
|
||||||
exit;
|
exit;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// Handle IP address update
|
// Handle IP address update
|
||||||
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['update_ip'])) {
|
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['update_ip'])) {
|
||||||
$domainId = $_POST['domain_id'];
|
$domainId = $_POST['domain_id'];
|
||||||
|
$userId = getUserId($_SESSION['username'], $pdo);
|
||||||
$ipAddress = $_POST['ip_address'];
|
$ipAddress = $_POST['ip_address'];
|
||||||
updateDomainIP($domainId, $ipAddress, $pdo);
|
|
||||||
|
$result = updateDomainIP($domainId, $userId, $ipAddress, $pdo);
|
||||||
|
if ($result !== true) {
|
||||||
|
$_SESSION['error_messages'][] = "Error: Invalid IP address or you do not have permission to update the IP address for this domain.";
|
||||||
|
} else {
|
||||||
header("Location: https://tildenic.org/?page=user_domains");
|
header("Location: https://tildenic.org/?page=user_domains");
|
||||||
exit;
|
exit;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
// Handle logout
|
// Handle logout
|
||||||
if (isset($_POST['logout'])) {
|
if (isset($_POST['logout'])) {
|
||||||
|
@ -56,21 +127,60 @@ if (isset($_POST['logout'])) {
|
||||||
header("Location: https://tildenic.org/?page=login");
|
header("Location: https://tildenic.org/?page=login");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
// Handle form submission
|
// Handle form submission for domain removal
|
||||||
if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['remove_domain'])) {
|
||||||
$domainId = $_POST['domain_id'];
|
$domainId = $_POST['domain_id'];
|
||||||
|
$userId = getUserId($_SESSION['username'], $pdo);
|
||||||
|
|
||||||
if (isset($_POST['update_ip'])) {
|
if (!removeDomain($domainId, $userId, $pdo)) {
|
||||||
// Update IP address
|
$_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
|
||||||
$ipAddress = $_POST['ip_address'];
|
} else {
|
||||||
updateDomainIP($domainId, $ipAddress, $pdo);
|
|
||||||
} elseif (isset($_POST['remove_domain'])) {
|
|
||||||
// Remove domain
|
|
||||||
removeDomain($domainId, $pdo);
|
|
||||||
}
|
|
||||||
|
|
||||||
header("Location: https://tildenic.org/?page=user_domains");
|
header("Location: https://tildenic.org/?page=user_domains");
|
||||||
exit;
|
exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Redirect to the user domains page after processing the form
|
||||||
|
if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||||
|
header("Location: https://tildenic.org/?page=user_domains");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Function to validate and update IP addresses for a user's domains
|
||||||
|
function validateAndUpdateIPs($userId, $pdo) {
|
||||||
|
// Fetch all domains for the user
|
||||||
|
$stmt = $pdo->prepare("SELECT id, ip_address FROM domains WHERE user_id = ?");
|
||||||
|
$stmt->execute([$userId]);
|
||||||
|
$domains = $stmt->fetchAll();
|
||||||
|
|
||||||
|
$invalidIPs = [];
|
||||||
|
|
||||||
|
foreach ($domains as $domain) {
|
||||||
|
$domainId = $domain['id'];
|
||||||
|
$ipAddress = $domain['ip_address'];
|
||||||
|
|
||||||
|
// Check if the IP address is valid
|
||||||
|
if (!empty($ipAddress) && !filter_var($ipAddress, FILTER_VALIDATE_IP)) {
|
||||||
|
// IP address is invalid, update the domain to remove the IP address
|
||||||
|
$updateStmt = $pdo->prepare("UPDATE domains SET ip_address = NULL WHERE id = ?");
|
||||||
|
$updateStmt->execute([$domainId]);
|
||||||
|
|
||||||
|
// Add to the list of domains with invalid IPs
|
||||||
|
$invalidIPs[] = $domainId;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $invalidIPs;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// When the user accesses their domain management page
|
||||||
|
$userId = getUserId($_SESSION['username'], $pdo);
|
||||||
|
$invalidIPDomains = validateAndUpdateIPs($userId, $pdo);
|
||||||
|
|
||||||
|
if (!empty($invalidIPDomains)) {
|
||||||
|
// Inform the user that some IP addresses were invalid and have been removed
|
||||||
|
echo "Invalid IP addresses were found and removed from the following domains: " . implode(", ", $invalidIPDomains) . ". Please update them.";
|
||||||
}
|
}
|
||||||
|
|
||||||
$userId = getUserId($_SESSION['username'], $pdo);
|
$userId = getUserId($_SESSION['username'], $pdo);
|
||||||
|
@ -99,6 +209,15 @@ $domains = getUserDomains($userId, $pdo);
|
||||||
<?php endif; ?>
|
<?php endif; ?>
|
||||||
</nav>
|
</nav>
|
||||||
</header>
|
</header>
|
||||||
|
<!-- Error message display -->
|
||||||
|
<?php if (!empty($_SESSION['error_messages'])): ?>
|
||||||
|
<div class="error-messages">
|
||||||
|
<?php foreach ($_SESSION['error_messages'] as $message): ?>
|
||||||
|
<p><?php echo htmlspecialchars($message); ?></p>
|
||||||
|
<?php endforeach; ?>
|
||||||
|
<?php $_SESSION['error_messages'] = []; // Clear error messages after displaying ?>
|
||||||
|
</div>
|
||||||
|
<?php endif; ?><br>
|
||||||
<h2>Your Domains</h2>
|
<h2>Your Domains</h2>
|
||||||
<ul>
|
<ul>
|
||||||
<?php foreach ($domains as $domain): ?>
|
<?php foreach ($domains as $domain): ?>
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
2024-01-13 13:12:01 - Updated named.conf.local
|
Loading…
Reference in New Issue