From b45749542640b5e77da71f14c312473e7aa9465d Mon Sep 17 00:00:00 2001
From: Mark Schouten
Date: Mon, 26 May 2014 12:04:24 +0200
Subject: [PATCH] Add validation and 'htmlspecialchars' to keep Teun from breaking stuff
---
 includes/misc.inc.php | 1 +
 users.php | 7 +++++++
 zones.php | 12 ++++++++++++
 3 files changed, 20 insertions(+)
diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 555cd89..26f54a8 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -21,6 +21,7 @@ function get_all_users() {
 $r = $db->query('SELECT id, emailaddress, isadmin FROM users');
 $ret = array();
 while ($row = $r->fetchArray()) {
+$row['emailaddress'] = htmlspecialchars($row['emailaddress']);
 array_push($ret, $row);
 }
diff --git a/users.php b/users.php
index ea9487d..9b7b9e1 100644
--- a/users.php
+++ b/users.php
@@ -14,11 +14,18 @@ if (isset($_GET['action'])) {
 _jtable_respond(null, 'error', 'No action given');
 }
+function _valid_user($name) {
+return ( bool ) ! preg_match( '/^[a-z0-9@_.-]+$/i' , $name );
+}
+
 if ($action == "list") {
 $users = get_all_users();
 _jtable_respond($users);
 } elseif ($action == "create" or $action == "update") {
+if (_valid_user($_POST['emailaddress']) === FALSE) {
+_jtable_respond(null, 'error', "Please only use [a-z0-9@_/.-] for usernames");
+}
 $isadmin = $_POST['isadmin'] ? $_POST['isadmin'] : '0';
 if (add_user($_POST['emailaddress'], $isadmin, $_POST['password']) === TRUE) {
 unset($_POST['password']);
diff --git a/zones.php b/zones.php
index 0324ab1..73b7a2d 100644
--- a/zones.php
+++ b/zones.php
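Review bot: The new `htmlspecialchars($row['emailaddress'])` call relies on the defaults, so single quotes stay unencoded (no ENT_QUOTES) and the charset is whatever the running PHP version defaults to (ISO-8859-1 before 5.4), which is an incomplete escape for a value that may land inside an HTML attribute. Encoding at the database-read layer also means every caller of get_all_users() receives entity-encoded addresses, not only the jTable list output, so any caller that compares or looks an address up works with a different string than is stored. If the encoding is to stay here, make it explicit: `$row['emailaddress'] = htmlspecialchars($row['emailaddress'], ENT_QUOTES, 'UTF-8');`. get_all_users() begins before this hunk.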
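Review bot: `_valid_user` returns the inverse of what its call site expects: `preg_match` yields 1 for a name that matches the allowed set, `!1` is false, so the `=== FALSE` branch fires for every valid username, while a non-matching name (preg_match 0, `!0` true) passes straight through to add_user, and a PCRE failure (preg_match false) passes as well. Write the predicate positively and pin the end anchor so a trailing newline cannot slip past `$`: `return preg_match('/^[a-z0-9@_.-]+$/iD', $name) === 1;`. The error message advertises `/` as allowed but the pattern does not contain it, so one of the two should change. `_valid_label` in zones.php carries the same inversion.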
@@ -41,11 +41,18 @@ function _do_curl($method, $opts = null, $type = 'post') {
 }
 }
+function _valid_label($name) {
+return ( bool ) ! preg_match( '/^[a-z0-9_/.-]+$/i' , $name );
+}
+
 function _create_record($name, $records, $input, $zoneurl) {
 global $defaults;
 $content = ($input['type'] == "TXT") ? '"'.$input['content'].'"' : $input['content'];
+if (_valid_label($input['name']) === FALSE) {
+_jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+}
 if (is_ascii($content) === FALSE or is_ascii($input['name']) === FALSE) {
 _jtable_respond(null, 'error', "Please only use ASCII-characters in your fields");
 }
@@ -143,6 +150,7 @@ if ($action == "list" or $action== "listslaves") {
 if (check_owner($zone['name']) === FALSE) continue;
+$zone['name'] = htmlspecialchars($zone['name']);
 $zone['owner'] = get_zone_owner($zone['name']);
 if ($action == "listslaves" and $zone['kind'] == "Slave") {
 array_push($return, $zone);
@@ -153,6 +161,9 @@ if ($action == "list" or $action== "listslaves") {
 usort($return, "zonesort");
 _jtable_respond($return);
 } elseif ($action == "create") {
+if (_valid_label($_POST['name']) === FALSE) {
+_jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
+}
 if ($_POST['kind'] != null and $_POST['name'] != null) {
 $nameservers = array();
 if ($_POST['kind'] != "Slave") {
@@ -205,6 +216,7 @@ if ($action == "list" or $action== "listslaves") {
 $any = array();
 foreach ($rows['records'] as $idx => $record) {
 $rows['records'][$idx]['id'] = json_encode($record);
+$record['name'] = htmlspecialchars($record['name']);
 if ($record['type'] == 'SOA') { array_push($soa, $rows['records'][$idx]); } elseif ($record['type'] == 'NS') { array_push($ns, $rows['records'][$idx]); } elseif ($record['type'] == 'MX') { array_push($mx, $rows['records'][$idx]); }
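Review bot: The pattern in `_valid_label`, `'/^[a-z0-9_/.-]+$/i'`, has an unescaped `/` inside the character class, and `/` is also the delimiter; PHP ends the pattern at `[a-z0-9_` and treats `.-]+$/i` as modifiers, so preg_match emits an "unknown modifier" warning and returns false. With the `!` in front of it the function then always returns true, and neither `=== FALSE` check (here in _create_record and in the create branch further down) ever rejects a label, so the new validation is a no-op. Use a delimiter that does not occur in the class and test the result positively: `return preg_match('#^[a-z0-9_/.-]+$#iD', $name) === 1;`. _create_record continues past the end of this hunk.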
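Review bot: The new `htmlspecialchars` on `$zone['name']` runs before `get_zone_owner($zone['name'])` on the next line, so the owner lookup is presumably done with the entity-encoded name while `check_owner` on the line above used the raw one; a zone name containing `&`, `<`, `>` or a double quote would be checked against one string and looked up with another. Move the encode below the lookup: `$zone['owner'] = get_zone_owner($zone['name']);` first, then `$zone['name'] = htmlspecialchars($zone['name']);`. The surrounding loop begins before this hunk.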
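Review bot: `$record['name'] = htmlspecialchars($record['name']);` modifies the foreach copy `$record`, but what is pushed onto `$soa`/`$ns`/`$mx` on the following line is `$rows['records'][$idx]`, which this statement never touches, and the `id` computed one line earlier already json-encoded the raw record; as written the added line has no effect on the response. Apply it to the array element instead, `$rows['records'][$idx]['name'] = htmlspecialchars($record['name']);`, and decide whether `id` should carry the raw or the encoded name, since it is derived from `$record` before this point. The foreach body continues past the end of this hunk.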