Many fixes for security.
This commit is contained in:
parent
6f5cc58c21
commit
a0d32ba8fe
|
@ -99,6 +99,18 @@ a:hover {
|
|||
form {
|
||||
text-align: center;
|
||||
}
|
||||
.error-messages {
|
||||
background-color: #ffdddd;
|
||||
border: 1px solid #ff0000;
|
||||
color: #ff0000;
|
||||
margin: 10px 0;
|
||||
padding: 10px;
|
||||
border-radius: 5px;
|
||||
}
|
||||
|
||||
.error-messages p {
|
||||
margin: 5px 0;
|
||||
}
|
||||
|
||||
/* Aligning form inputs to the left */
|
||||
form input[type="text"],
|
||||
|
|
|
@ -81,7 +81,7 @@ fclose($logFile);
|
|||
|
||||
// Git commit and push if there are changes
|
||||
if ($changes) {
|
||||
// exec('git add .');
|
||||
// exec('git commit -m "Updated DNS files"');
|
||||
// exec('git push origin master');
|
||||
exec('git add .');
|
||||
exec('git commit -m "Updated DNS files"');
|
||||
exec('git push origin master');
|
||||
}
|
|
@ -3,9 +3,35 @@ require_once 'initdb.php';
|
|||
|
||||
session_start();
|
||||
|
||||
// Initialize error messages array if not set
|
||||
if (!isset($_SESSION['error_messages'])) {
|
||||
$_SESSION['error_messages'] = [];
|
||||
}
|
||||
|
||||
// Session timeout logic
|
||||
$timeout = 1800; // 30 minutes in seconds
|
||||
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||
// Last request was more than 30 minutes ago
|
||||
session_unset(); // Unset $_SESSION variable
|
||||
session_destroy(); // Destroy session data
|
||||
header("Location: /?page=login"); // Redirect to login page
|
||||
exit;
|
||||
}
|
||||
|
||||
$_SESSION['last_activity'] = time(); // Update last activity time
|
||||
|
||||
// Check if user IP or user agent has changed
|
||||
if ((isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) ||
|
||||
(isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])) {
|
||||
session_unset();
|
||||
session_destroy();
|
||||
header("Location: /?page=login");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Redirect to login if not logged in
|
||||
if (!isset($_SESSION['username'])) {
|
||||
header("Location: https://tildenic.org/?page=login");
|
||||
header("Location: /?page=login");
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -14,22 +40,41 @@ $restrictedDomains = ['master.tilde', 'nic.tilde', 'tilde.tilde']; // Add more a
|
|||
|
||||
// Function to register domain
|
||||
function registerDomain($domain, $userId, $pdo, $restrictedDomains) {
|
||||
// Ensure '.tilde' is appended only once
|
||||
if (!str_ends_with($domain, '.tilde')) {
|
||||
$domain .= '.tilde';
|
||||
}
|
||||
|
||||
// Debug: Output the full domain name
|
||||
// echo "Attempting to register domain: " . htmlspecialchars($domain) . "<br>";
|
||||
|
||||
// Validate domain format (excluding the '.tilde' part)
|
||||
$domainNameWithoutSuffix = str_replace('.tilde', '', $domain);
|
||||
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $domainNameWithoutSuffix)) {
|
||||
// echo "Error: Invalid domain format detected.<br>"; // Debug message
|
||||
return "Error: Invalid domain format. Only letters, numbers, and hyphens are allowed.";
|
||||
}
|
||||
|
||||
if (in_array($domain, $restrictedDomains)) {
|
||||
// echo "Error: Domain is restricted.<br>"; // Debug message
|
||||
return "Error: The domain '$domain' cannot be registered.";
|
||||
}
|
||||
|
||||
try {
|
||||
$stmt = $pdo->prepare("INSERT INTO domains (user_id, domain_name) VALUES (?, ?)");
|
||||
$stmt->execute([$userId, $domain]);
|
||||
// echo "Domain registered successfully.<br>"; // Debug message
|
||||
return "Domain registered successfully: " . htmlspecialchars($domain);
|
||||
} catch (PDOException $e) {
|
||||
// echo "Database error occurred.<br>"; // Debug message
|
||||
if ($e->getCode() == 23000) {
|
||||
return "Error: The domain '$domain' is already registered.";
|
||||
} else {
|
||||
return "Error: An error occurred while registering the domain.";
|
||||
}
|
||||
}
|
||||
return"Error: The domain '$domain' is already registered.";
|
||||
} else {
|
||||
return "Error: An error occurred while registering the domain.";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Function to get user ID
|
||||
function getUserId($username, $pdo) {
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
<?php
|
||||
require_once 'initdb.php';
|
||||
|
||||
session_start();
|
||||
|
||||
// Function to check user credentials
|
||||
|
@ -17,13 +16,42 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) {
|
|||
$password = $_POST['password'];
|
||||
|
||||
if (checkCredentials($username, $password, $pdo)) {
|
||||
// Regenerate session ID upon successful login
|
||||
session_regenerate_id();
|
||||
|
||||
$_SESSION['username'] = $username;
|
||||
$_SESSION['last_activity'] = time(); // track start of session
|
||||
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; // store user IP
|
||||
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT']; // store user agent
|
||||
|
||||
header("Location: /?page=user_domains");
|
||||
exit;
|
||||
} else {
|
||||
$error = "Invalid username or password.";
|
||||
}
|
||||
}
|
||||
|
||||
// Session timeout logic
|
||||
$timeout = 1800; // 30 minutes in seconds
|
||||
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||
// last request was more than 30 minutes ago
|
||||
session_unset(); // unset $_SESSION variable
|
||||
session_destroy(); // destroy session data
|
||||
header("Location: /?page=login"); // redirect to login page
|
||||
exit;
|
||||
}
|
||||
|
||||
$_SESSION['last_activity'] = time(); // update last activity time
|
||||
|
||||
// Check if user IP or user agent has changed
|
||||
if (isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR'] ||
|
||||
isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) {
|
||||
session_unset();
|
||||
session_destroy();
|
||||
header("Location: /?page=login");
|
||||
exit;
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
<!DOCTYPE html>
|
||||
|
|
|
@ -53,15 +53,6 @@ function getDnsServersInfo() {
|
|||
$dnsServers = getDnsServersInfo();
|
||||
|
||||
// Function to check server status
|
||||
//function checkServerStatus($server) {
|
||||
// Ping command varies depending on the operating system
|
||||
// This is an example for a Unix-like system
|
||||
// $output = [];
|
||||
// $status = null;
|
||||
// exec("ping -c 1 -W 5000 " . escapeshellarg($server), $output, $status);
|
||||
//
|
||||
// return $status === 0 ? "Online" : "Offline";
|
||||
//}
|
||||
function checkServerStatus($server) {
|
||||
$port = 53; // DNS port, change if necessary
|
||||
$timeout = 10; // Timeout in seconds
|
||||
|
@ -107,7 +98,6 @@ function checkServerStatus($server) {
|
|||
<ul>
|
||||
<li><a href="https://tildegit.org/tildenic/.tilde/wiki/Setting-up-a-.tilde-DNS-server" target="_blank">Self-host information</a></li>
|
||||
</ul>
|
||||
<p><strong>NOTE!</strong> None of the servers currently listed are functional. They are old IP addresses. New servers will be online very soon!</p>
|
||||
<h3>
|
||||
<a href="https://opennic.org/" target="_blank">OpenNIC Information</a>
|
||||
</h3>
|
||||
|
|
|
@ -3,9 +3,35 @@ require_once 'initdb.php';
|
|||
|
||||
session_start();
|
||||
|
||||
// Initialize error messages array if not set
|
||||
if (!isset($_SESSION['error_messages'])) {
|
||||
$_SESSION['error_messages'] = [];
|
||||
}
|
||||
|
||||
// Session timeout logic
|
||||
$timeout = 1800; // 30 minutes in seconds
|
||||
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
|
||||
// Last request was more than 30 minutes ago
|
||||
session_unset(); // Unset $_SESSION variable
|
||||
session_destroy(); // Destroy session data
|
||||
header("Location: /?page=login"); // Redirect to login page
|
||||
exit;
|
||||
}
|
||||
|
||||
$_SESSION['last_activity'] = time(); // Update last activity time
|
||||
|
||||
// Check if user IP or user agent has changed
|
||||
if ((isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) ||
|
||||
(isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])) {
|
||||
session_unset();
|
||||
session_destroy();
|
||||
header("Location: /?page=login");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Redirect to login if not logged in
|
||||
if (!isset($_SESSION['username'])) {
|
||||
header("Location: https://tildenic.org/?page=login");
|
||||
header("Location: /?page=login");
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -24,31 +50,76 @@ function getUserDomains($userId, $pdo) {
|
|||
}
|
||||
|
||||
// Function to remove a domain
|
||||
function removeDomain($domainId, $pdo) {
|
||||
function removeDomain($domainId, $userId, $pdo) {
|
||||
// First, verify that the domain belongs to the user
|
||||
$stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
|
||||
$stmt->execute([$domainId, $userId]);
|
||||
$count = $stmt->fetchColumn();
|
||||
|
||||
if ($count == 0) {
|
||||
// The domain does not belong to the user
|
||||
return false;
|
||||
}
|
||||
|
||||
// Proceed with deletion since the domain belongs to the user
|
||||
$stmt = $pdo->prepare("DELETE FROM domains WHERE id = ?");
|
||||
$stmt->execute([$domainId]);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
// Function to update domain's IP address
|
||||
function updateDomainIP($domainId, $ipAddress, $pdo) {
|
||||
$stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?"); // Updating ip_address
|
||||
function updateDomainIP($domainId, $userId, $ipAddress, $pdo) {
|
||||
// Validate the IP address
|
||||
if (!filter_var($ipAddress, FILTER_VALIDATE_IP)) {
|
||||
// The IP address is not valid
|
||||
return false;
|
||||
}
|
||||
|
||||
// Verify that the domain belongs to the user
|
||||
$stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
|
||||
$stmt->execute([$domainId, $userId]);
|
||||
$count = $stmt->fetchColumn();
|
||||
|
||||
if ($count == 0) {
|
||||
// The domain does not belong to the user
|
||||
return false;
|
||||
}
|
||||
|
||||
// Proceed with IP address update since the domain belongs to the user
|
||||
$stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?");
|
||||
$stmt->execute([$ipAddress, $domainId]);
|
||||
return true;
|
||||
}
|
||||
|
||||
// Handle domain removal
|
||||
if (isset($_GET['remove'])) {
|
||||
removeDomain($_GET['remove'], $pdo);
|
||||
$userId = getUserId($_SESSION['username'], $pdo);
|
||||
$domainId = $_GET['remove'];
|
||||
|
||||
$result = removeDomain($domainId, $userId, $pdo);
|
||||
if ($result !== true) {
|
||||
$_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
|
||||
} else {
|
||||
header("Location: https://tildenic.org/?page=user_domains");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Handle IP address update
|
||||
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['update_ip'])) {
|
||||
$domainId = $_POST['domain_id'];
|
||||
$userId = getUserId($_SESSION['username'], $pdo);
|
||||
$ipAddress = $_POST['ip_address'];
|
||||
updateDomainIP($domainId, $ipAddress, $pdo);
|
||||
|
||||
$result = updateDomainIP($domainId, $userId, $ipAddress, $pdo);
|
||||
if ($result !== true) {
|
||||
$_SESSION['error_messages'][] = "Error: Invalid IP address or you do not have permission to update the IP address for this domain.";
|
||||
} else {
|
||||
header("Location: https://tildenic.org/?page=user_domains");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
// Handle logout
|
||||
if (isset($_POST['logout'])) {
|
||||
|
@ -56,21 +127,60 @@ if (isset($_POST['logout'])) {
|
|||
header("Location: https://tildenic.org/?page=login");
|
||||
exit;
|
||||
}
|
||||
// Handle form submission
|
||||
if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
// Handle form submission for domain removal
|
||||
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['remove_domain'])) {
|
||||
$domainId = $_POST['domain_id'];
|
||||
$userId = getUserId($_SESSION['username'], $pdo);
|
||||
|
||||
if (isset($_POST['update_ip'])) {
|
||||
// Update IP address
|
||||
$ipAddress = $_POST['ip_address'];
|
||||
updateDomainIP($domainId, $ipAddress, $pdo);
|
||||
} elseif (isset($_POST['remove_domain'])) {
|
||||
// Remove domain
|
||||
removeDomain($domainId, $pdo);
|
||||
}
|
||||
|
||||
if (!removeDomain($domainId, $userId, $pdo)) {
|
||||
$_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
|
||||
} else {
|
||||
header("Location: https://tildenic.org/?page=user_domains");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
// Redirect to the user domains page after processing the form
|
||||
if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
header("Location: https://tildenic.org/?page=user_domains");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Function to validate and update IP addresses for a user's domains
|
||||
function validateAndUpdateIPs($userId, $pdo) {
|
||||
// Fetch all domains for the user
|
||||
$stmt = $pdo->prepare("SELECT id, ip_address FROM domains WHERE user_id = ?");
|
||||
$stmt->execute([$userId]);
|
||||
$domains = $stmt->fetchAll();
|
||||
|
||||
$invalidIPs = [];
|
||||
|
||||
foreach ($domains as $domain) {
|
||||
$domainId = $domain['id'];
|
||||
$ipAddress = $domain['ip_address'];
|
||||
|
||||
// Check if the IP address is valid
|
||||
if (!empty($ipAddress) && !filter_var($ipAddress, FILTER_VALIDATE_IP)) {
|
||||
// IP address is invalid, update the domain to remove the IP address
|
||||
$updateStmt = $pdo->prepare("UPDATE domains SET ip_address = NULL WHERE id = ?");
|
||||
$updateStmt->execute([$domainId]);
|
||||
|
||||
// Add to the list of domains with invalid IPs
|
||||
$invalidIPs[] = $domainId;
|
||||
}
|
||||
}
|
||||
|
||||
return $invalidIPs;
|
||||
}
|
||||
|
||||
|
||||
// When the user accesses their domain management page
|
||||
$userId = getUserId($_SESSION['username'], $pdo);
|
||||
$invalidIPDomains = validateAndUpdateIPs($userId, $pdo);
|
||||
|
||||
if (!empty($invalidIPDomains)) {
|
||||
// Inform the user that some IP addresses were invalid and have been removed
|
||||
echo "Invalid IP addresses were found and removed from the following domains: " . implode(", ", $invalidIPDomains) . ". Please update them.";
|
||||
}
|
||||
|
||||
$userId = getUserId($_SESSION['username'], $pdo);
|
||||
|
@ -99,6 +209,15 @@ $domains = getUserDomains($userId, $pdo);
|
|||
<?php endif; ?>
|
||||
</nav>
|
||||
</header>
|
||||
<!-- Error message display -->
|
||||
<?php if (!empty($_SESSION['error_messages'])): ?>
|
||||
<div class="error-messages">
|
||||
<?php foreach ($_SESSION['error_messages'] as $message): ?>
|
||||
<p><?php echo htmlspecialchars($message); ?></p>
|
||||
<?php endforeach; ?>
|
||||
<?php $_SESSION['error_messages'] = []; // Clear error messages after displaying ?>
|
||||
</div>
|
||||
<?php endif; ?><br>
|
||||
<h2>Your Domains</h2>
|
||||
<ul>
|
||||
<?php foreach ($domains as $domain): ?>
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
2024-01-13 13:12:01 - Updated named.conf.local
|
Loading…
Reference in New Issue