diff --git a/epp/src/epp-check.php b/epp/src/epp-check.php index abcd4dd..b7968ee 100644 --- a/epp/src/epp-check.php +++ b/epp/src/epp-check.php @@ -76,6 +76,11 @@ function processHostCheck($conn, $db, $xml, $trans) { foreach ($hosts as $host) { $host = (string)$host; + if (preg_match('/^\.[a-z]{2,}$/i', $host) || preg_match('/^[a-z]{2,}$/i', $host)) { + sendEppError($conn, $db, 2306, 'Host name must be fully qualified (FQDN)', $clTRID, $trans); + return; + } + // Validation for host name if (!validateHostName($host)) { sendEppError($conn, $db, 2005, 'Invalid host name', $clTRID, $trans); diff --git a/epp/src/epp-create.php b/epp/src/epp-create.php index 422e286..4e5d351 100644 --- a/epp/src/epp-create.php +++ b/epp/src/epp-create.php @@ -71,7 +71,7 @@ function processContactCreate($conn, $db, $xml, $clid, $database_type, $trans) { } if ($postalInfoIntOrg) { - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntOrg) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntOrg)) { + if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntOrg) || !preg_match('/^[a-zA-Z0-9\-\'\&\,\.\/\s]{5,}$/', $postalInfoIntOrg)) { sendEppError($conn, $db, 2005, 'Invalid contact:org', $clTRID, $trans); return; } @@ -213,6 +213,10 @@ function processContactCreate($conn, $db, $xml, $clid, $database_type, $trans) { $contactCreate = $xml->command->create->children('urn:ietf:params:xml:ns:contact-1.0')->create; + if (isset($contactCreate->voice) && trim((string) $contactCreate->voice) === '') { + sendEppError($conn, $db, 2003, 'Voice element must not be empty if provided', $clTRID, $trans); + return; + } $voice = (string) $contactCreate->voice; $voice_x = (string) $contactCreate->voice->attributes()->x; if ($voice && (!preg_match('/^\+\d{1,3}\.\d{1,14}$/', $voice) || strlen($voice) > 17)) { @@ -422,13 +426,13 @@ function processHostCreate($conn, $db, $xml, $clid, $database_type, $trans) { } // v6 IP validation - if ($addr_type === 'v6' && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + if ($addr_type === 'v6' && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { sendEppError($conn, $db, 2005, 'Invalid host:addr v6', $clTRID, $trans); return; } // v4 IP validation - if ($addr_type !== 'v6' && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { + if ($addr_type !== 'v6' && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { sendEppError($conn, $db, 2005, 'Invalid host:addr v4', $clTRID, $trans); return; } @@ -461,7 +465,7 @@ function processHostCreate($conn, $db, $xml, $clid, $database_type, $trans) { $stmt->execute(); while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { - if (strpos($hostName, $row['name']) !== false) { + if (preg_match('/\.' . preg_quote($row['name'], '/') . '$/i', $hostName)) { $domain_exist = true; $clid_domain = $row['clid']; $superordinate_dom = $row['id']; @@ -533,6 +537,36 @@ function processHostCreate($conn, $db, $xml, $clid, $database_type, $trans) { sendEppResponse($conn, $xml); } else { + $parts = explode('.', $hostName, 2); + $superordinate = $parts[1] ?? null; + + if (!$superordinate) { + sendEppError($conn, $db, 2005, 'Invalid host:name format', $clTRID, $trans); + return; + } + + // Check if domain exists + $stmt = $db->prepare("SELECT id FROM domain WHERE name = :name LIMIT 1"); + $stmt->execute([':name' => $superordinate]); + $domain_id = $stmt->fetchColumn(); + $stmt->closeCursor(); + + if (!$domain_id) { + sendEppError($conn, $db, 2303, 'Superordinate domain does not exist for host:name', $clTRID, $trans); + return; + } + + // Check if the domain belongs to same registrar + $stmt = $db->prepare("SELECT clid FROM domain WHERE name = :name LIMIT 1"); + $stmt->execute([':name' => $superordinate]); + $domain_clid = $stmt->fetchColumn(); + $stmt->closeCursor(); + + if ($clid != $domain_clid) { + sendEppError($conn, $db, 2201, 'The superordinate domain belongs to another registrar', $clTRID, $trans); + return; + } + $stmt = $db->prepare("INSERT INTO host (name,clid,crid,crdate) VALUES(?,?,?,CURRENT_TIMESTAMP(3))"); $stmt->execute([$hostName, $clid, $clid]); @@ -588,21 +622,32 @@ function processDomainCreate($conn, $db, $xml, $clid, $database_type, $trans, $m } if ($launch_extension_enabled && isset($launch_create)) { + $xml->registerXPathNamespace('launch', 'urn:ietf:params:xml:ns:launch-1.0'); + $xml->registerXPathNamespace('signedMark', 'urn:ietf:params:xml:ns:signedMark-1.0'); + $launch_phase_node = $launch_create->xpath('launch:phase')[0] ?? null; $launch_phase = $launch_phase_node ? (string)$launch_phase_node : null; $launch_phase_name = $launch_phase_node ? (string)$launch_phase_node['name'] : null; - $smd_encodedSignedMark = $launch_create->xpath('smd:encodedSignedMark')[0] ?? null; - $launch_notice = $launch_create->xpath('launch:notice')[0] ?? null; - $launch_noticeID = $launch_notice ? (string) $launch_notice->xpath('launch:noticeID')[0] ?? null : null; - $launch_notAfter = $launch_notice ? (string) $launch_notice->xpath('launch:notAfter')[0] ?? null : null; - $launch_acceptedDate = $launch_notice ? (string) $launch_notice->xpath('launch:acceptedDate')[0] ?? null : null; + + $xpath = '//*[namespace-uri()="urn:ietf:params:xml:ns:signedMark-1.0" and local-name()="encodedSignedMark"]'; + $smd_encodedSignedMark = $xml->xpath($xpath)[0] ?? null; + $smd_encodedSignedMark = $smd_encodedSignedMark ? preg_replace('/\s+/', '', (string)$smd_encodedSignedMark) : null; + + $launch_notice_exists = $xml->xpath('//launch:notice'); + if (!empty($launch_notice_exists)) { + $launch_noticeID = (string) ($xml->xpath('//launch:noticeID')[0] ?? ''); + $launch_notAfter = (string) ($xml->xpath('//launch:notAfter')[0] ?? ''); + $launch_acceptedDate = (string) ($xml->xpath('//launch:acceptedDate')[0] ?? ''); + } else { + $launch_noticeID = $launch_notAfter = $launch_acceptedDate = null; + } // Validate and handle each specific case if ($launch_phase === 'sunrise' && $smd_encodedSignedMark) { // Parse and validate SMD encoded signed mark later } elseif ($launch_phase === 'claims') { // Check for missing notice elements and validate dates - if (!$launch_notice || !$launch_noticeID || !$launch_notAfter || !$launch_acceptedDate) { + if (!$launch_notice_exists || !$launch_noticeID || !$launch_notAfter || !$launch_acceptedDate) { sendEppError($conn, $db, 2003, 'Missing required elements in claims phase', $clTRID, $trans); return; } @@ -1033,12 +1078,12 @@ function processDomainCreate($conn, $db, $xml, $clid, $database_type, $trans, $m $addr_type = (string) ($node['ip'] ?? 'v4'); if ($addr_type == 'v6') { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v6', $clTRID, $trans); return; } } else { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || $hostAddr === '127.0.0.1') { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE) || $hostAddr === '127.0.0.1') { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v4', $clTRID, $trans); return; } @@ -1111,12 +1156,12 @@ function processDomainCreate($conn, $db, $xml, $clid, $database_type, $trans, $m $addr_type = isset($node['ip']) ? (string) $node['ip'] : 'v4'; if ($addr_type === 'v6') { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v6', $clTRID, $trans); return; } } else { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || $hostAddr === '127.0.0.1') { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE) || $hostAddr === '127.0.0.1') { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v4', $clTRID, $trans); return; } diff --git a/epp/src/epp-info.php b/epp/src/epp-info.php index d1a503c..3040ff2 100644 --- a/epp/src/epp-info.php +++ b/epp/src/epp-info.php @@ -1,6 +1,6 @@ command->info->children('urn:ietf:params:xml:ns:contact-1.0')->info->{'id'}; $clTRID = (string) $xml->command->clTRID; @@ -38,6 +38,12 @@ function processContactInfo($conn, $db, $xml, $trans) { return; } + $clid = getClid($db, $clid); + if ($clid !== $contact[0]['clid']) { + sendEppError($conn, $db, 2201, 'Client is not the sponsor of the contact object', $clTRID, $trans); + return; + } + // Extract the first row for contact data $contactRow = $contact[0]; diff --git a/epp/src/epp-update.php b/epp/src/epp-update.php index c0bcee9..7f03cd9 100644 --- a/epp/src/epp-update.php +++ b/epp/src/epp-update.php @@ -55,7 +55,7 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { $stmt->closeCursor(); if ($contactRem) { - $statusList = $xml->xpath('//contact:status/@s', $contactRem); + $statusList = $contactRem[0]->xpath('contact:status/@s'); if (count($statusList) == 0) { sendEppError($conn, $db, 2005, 'At least one status element MUST be present', $clTRID, $trans); @@ -80,7 +80,7 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { } if ($contactAdd) { - $statusList = $xml->xpath('//contact:status/@s', $contactAdd); + $statusList = $contactAdd[0]->xpath('contact:status/@s'); if (count($statusList) == 0) { sendEppError($conn, $db, 2005, 'At least one status element MUST be present', $clTRID, $trans); @@ -94,7 +94,7 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { return; } - if (count($xml->xpath('contact:status[@s="' . $status . '"]', $contactRem)) == 0) { + if (!$contactRem || count($contactRem[0]->xpath('contact:status[@s="' . $status . '"]')) == 0) { $stmt = $db->prepare("SELECT id FROM contact_status WHERE contact_id = :contact_id AND status = :status LIMIT 1"); $stmt->execute([':contact_id' => $contact_id, ':status' => $status]); $contactStatusId = $stmt->fetchColumn(); @@ -113,6 +113,17 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { $postalInfoInt = null; $postalInfoLoc = null; + $postalInfoAllNodes = $xml->xpath('//contact:postalInfo'); + + foreach ($postalInfoAllNodes as $node) { + $typeAttr = (string) $node['type']; + + if ($typeAttr !== 'int' && $typeAttr !== 'loc') { + sendEppError($conn, $db, 2003, 'Invalid postalInfo type attribute: must be "int" or "loc"', $clTRID, $trans); + return; + } + } + $postalInfoIntNodes = $xml->xpath("//contact:postalInfo[@type='int']"); if (count($postalInfoIntNodes) > 0) { @@ -150,40 +161,64 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { return; } - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntName) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntName)) { + if ( + preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntName) || + !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntName) || + strlen($postalInfoIntName) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:name', $clTRID, $trans); return; } if ($postalInfoIntOrg) { - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntOrg) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntOrg)) { + if ( + preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntOrg) || + !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntOrg) || + strlen($postalInfoIntOrg) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:org', $clTRID, $trans); return; } } if ($postalInfoIntStreet1) { - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet1) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet1)) { + if ( + preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet1) || + !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet1) || + strlen($postalInfoIntStreet1) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:street', $clTRID, $trans); return; } } if ($postalInfoIntStreet2) { - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet2) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet2)) { + if ( + preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet2) || + !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet2) || + strlen($postalInfoIntStreet2) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:street', $clTRID, $trans); return; } } if ($postalInfoIntStreet3) { - if (preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet3) || !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet3)) { + if ( + preg_match('/(^\-)|(^\,)|(^\.)|(\-\-)|(\,\,)|(\.\.)|(\-$)/', $postalInfoIntStreet3) || + !preg_match('/^[a-zA-Z0-9\-\&\,\.\/\s]{5,}$/', $postalInfoIntStreet3) || + strlen($postalInfoIntStreet3) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:street', $clTRID, $trans); return; } } - if (preg_match('/(^\-)|(^\.)|(\-\-)|(\.\.)|(\.\-)|(\-\.)|(\-$)|(\.$)/', $postalInfoIntCity) || !preg_match('/^[a-z][a-z\-\.\'\s]{2,}$/i', $postalInfoIntCity)) { + if ( + preg_match('/(^\-)|(^\.)|(\-\-)|(\.\.)|(\.\-)|(\-\.)|(\-$)|(\.$)/', $postalInfoIntCity) || + !preg_match('/^[a-z][a-z\-\.\'\s]{2,}$/i', $postalInfoIntCity) || + strlen($postalInfoIntCity) > 255 + ) { sendEppError($conn, $db, 2005, 'Invalid contact:city', $clTRID, $trans); return; } @@ -466,6 +501,17 @@ function processContactUpdate($conn, $db, $xml, $clid, $database_type, $trans) { $e_authInfo_ext = $stmt_ext->fetchColumn(); $stmt_ext->closeCursor(); + $postalInfoAllNodes = $xml->xpath('//contact:postalInfo'); + + foreach ($postalInfoAllNodes as $node) { + $typeAttr = (string) $node['type']; + + if ($typeAttr !== 'int' && $typeAttr !== 'loc') { + sendEppError($conn, $db, 2003, 'Invalid postalInfo type attribute: must be "int" or "loc"', $clTRID, $trans); + return; + } + } + $postalInfo_int = $xml->xpath("//contact:postalInfo[@type='int']")[0] ?? null; if ($postalInfoInt) { $int_name = (string)($postalInfo_int->xpath("contact:name")[0] ?? ""); @@ -783,11 +829,15 @@ function processHostUpdate($conn, $db, $xml, $clid, $database_type, $trans) { foreach ($addr_list as $node) { $addr = (string) $node; - $addr_type = $node->attributes()->ip ?? 'v4'; + $addr_type = (string) ($node->attributes()->ip ?? 'v4'); + if (!in_array($addr_type, ['v4', 'v6'])) { + sendEppError($conn, $db, 2005, 'host:addr ip attribute must be "v4" or "v6"', $clTRID, $trans); + return; + } if ($addr_type == 'v6') { // IPv6 validation and normalization - if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { $addr = normalize_v6_address($addr); $stmt = $db->prepare("SELECT id FROM host_addr WHERE host_id = ? AND addr = ? AND ip = '6' LIMIT 1"); $stmt->execute([$hostId, $addr]); @@ -804,7 +854,7 @@ function processHostUpdate($conn, $db, $xml, $clid, $database_type, $trans) { } } else { // IPv4 validation and normalization - if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { + if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { $addr = normalize_v4_address($addr); $stmt = $db->prepare("SELECT id FROM host_addr WHERE host_id = ? AND addr = ? AND ip = '4' LIMIT 1"); $stmt->execute([$hostId, $addr]); @@ -1023,7 +1073,7 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { } $clid = getClid($db, $clid); - if ($clid != $row['clid']) { + if ($clid !== $row['clid']) { sendEppError($conn, $db, 2201, 'You do not have privileges to modify a domain name that belongs to another registrar', $clTRID, $trans); return; } @@ -1195,6 +1245,16 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { if (count($hostObjList) > 0) { foreach ($hostObjList as $node) { $hostObj = strtoupper((string)$node); + $stmt = $db->prepare("SELECT id FROM host WHERE name = ? LIMIT 1"); + $stmt->execute([$hostObj]); + $hostExists = $stmt->fetchColumn(); + $stmt->closeCursor(); + + if (!$hostExists) { + sendEppError($conn, $db, 2303, "domain:hostObj $hostObj does not exist", $clTRID, $trans); + return; + } + if (preg_match('/[^A-Z0-9\.\-]/', $hostObj) || preg_match('/^-|^\.-|-\.-|^-|-$/', $hostObj)) { sendEppError($conn, $db, 2005, 'Invalid domain:hostObj', $clTRID, $trans); return; @@ -1269,12 +1329,12 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { $addrType = (string)$addrType; if ($addrType === 'v6') { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE)) { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v6', $clTRID, $trans); return; } } else { - if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || $hostAddr == '127.0.0.1') { + if (!filter_var($hostAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE) || $hostAddr == '127.0.0.1') { sendEppError($conn, $db, 2005, 'Invalid domain:hostAddr v4', $clTRID, $trans); return; } @@ -1435,6 +1495,9 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { sendEppError($conn, $db, 2400, 'Database error', $clTRID, $trans); return; } + } else { + sendEppError($conn, $db, 2303, "hostObj $hostObj does not exist", $clTRID, $trans); + return; } } @@ -1501,6 +1564,19 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { foreach ($status_list as $node) { $status = (string) $node; + $stmt = $db->prepare("SELECT 1 FROM domain_status WHERE domain_id = :domain_id AND status = :status LIMIT 1"); + $stmt->execute([ + ':domain_id' => $domain_id, + ':status' => $status + ]); + $exists = $stmt->fetchColumn(); + $stmt->closeCursor(); + + if (!$exists) { + sendEppError($conn, $db, 2303, "Cannot remove status '$status': not present on domain", $clTRID, $trans); + return; + } + $stmt = $db->prepare("DELETE FROM domain_status WHERE domain_id = :domain_id AND status = :status"); $stmt->bindParam(':domain_id', $domain_id, PDO::PARAM_INT); $stmt->bindParam(':status', $status, PDO::PARAM_STR); @@ -2010,6 +2086,20 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { } try { + // Check if DS record exists before attempting to delete + $stmt = $db->prepare("SELECT COUNT(*) FROM secdns WHERE domain_id = :domain_id AND keytag = :keyTag AND alg = :alg AND digesttype = :digestType AND digest = :digest"); + $stmt->execute([ + ':domain_id' => $domain_id, + ':keyTag' => $keyTag, + ':alg' => $alg, + ':digestType' => $digestType, + ':digest' => $digest + ]); + if ($stmt->fetchColumn() == 0) { + sendEppError($conn, $db, 2306, 'DS record not found for removal', $clTRID, $trans); + return; + } + $stmt = $db->prepare("DELETE FROM secdns WHERE domain_id = :domain_id AND keytag = :keyTag AND alg = :alg AND digesttype = :digestType AND digest = :digest"); $stmt->execute([ ':domain_id' => $domain_id, @@ -2060,6 +2150,20 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { return; } + // Check if keyData exists before attempting to delete + $stmt = $db->prepare("SELECT COUNT(*) FROM secdns WHERE domain_id = :domain_id AND flags = :flags AND protocol = :protocol AND keydata_alg = :algKeyData AND pubkey = :pubKey"); + $stmt->execute([ + ':domain_id' => $domain_id, + ':flags' => $flags, + ':protocol' => $protocol, + ':algKeyData' => $algKeyData, + ':pubKey' => $pubKey + ]); + if ($stmt->fetchColumn() == 0) { + sendEppError($conn, $db, 2306, 'KeyData not found for removal', $clTRID, $trans); + return; + } + try { $stmt = $db->prepare("DELETE FROM secdns WHERE domain_id = :domain_id AND flags = :flags AND protocol = :protocol AND algKeyData = :algKeyData AND pubKey = :pubKey"); $stmt->execute([ @@ -2089,10 +2193,48 @@ function processDomainUpdate($conn, $db, $xml, $clid, $database_type, $trans) { if ($secDNSDataSet) { foreach ($secDNSDataSet as $secDNSData) { // Extract dsData elements - $keyTag = (int) $secDNSData->xpath('secDNS:keyTag')[0] ?? null; - $alg = (int) $secDNSData->xpath('secDNS:alg')[0] ?? null; - $digestType = (int) $secDNSData->xpath('secDNS:digestType')[0] ?? null; - $digest = (string) $secDNSData->xpath('secDNS:digest')[0] ?? null; + $keyTagNode = $secDNSData->xpath('secDNS:keyTag')[0] ?? null; + if (!isset($keyTagNode) || trim((string)$keyTagNode) === '') { + sendEppError($conn, $db, 2005, 'Missing or empty keyTag', $clTRID, $trans); + return; + } + $keyTag = (int) $keyTagNode; + + $algNode = $secDNSData->xpath('secDNS:alg')[0] ?? null; + if (!isset($algNode) || trim((string)$algNode) === '') { + sendEppError($conn, $db, 2005, 'Missing or empty algorithm', $clTRID, $trans); + return; + } + $alg = (int) $algNode; + $validAlgorithms = [8, 13, 14, 15, 16]; + if (!in_array($alg, $validAlgorithms)) { + sendEppError($conn, $db, 2006, 'Invalid algorithm', $clTRID, $trans); + return; + } + + $digestTypeNode = $secDNSData->xpath('secDNS:digestType')[0] ?? null; + if (!isset($digestTypeNode) || trim((string)$digestTypeNode) === '') { + sendEppError($conn, $db, 2005, 'Missing or empty digestType', $clTRID, $trans); + return; + } + $digestType = (int) $digestTypeNode; + $validDigests = [2 => 64, 4 => 96]; // SHA-256 and SHA-384 + if (!array_key_exists($digestType, $validDigests)) { + sendEppError($conn, $db, 2006, 'Unsupported digestType', $clTRID, $trans); + return; + } + + $digestNode = $secDNSData->xpath('secDNS:digest')[0] ?? null; + if (!isset($digestNode) || trim((string)$digestNode) === '') { + sendEppError($conn, $db, 2005, 'Missing or empty digest', $clTRID, $trans); + return; + } + $digest = (string) $digestNode; + if (strlen($digest) !== $validDigests[$digestType] || !ctype_xdigit($digest)) { + sendEppError($conn, $db, 2006, 'Invalid digest length or format', $clTRID, $trans); + return; + } + $maxSigLife = $secDNSData->xpath('secDNS:maxSigLife') ? (int) $secDNSData->xpath('secDNS:maxSigLife')[0] : null; // Data sanity checks