Improved nameserver validation (WHOIS)

2025-07-25 03:48:24 +02:00 · 2025-04-23 12:29:20 +03:00 · 2025-04-23 12:29:20 +03:00 · db00aaffeb
commit db00aaffeb
parent 6f7f767547
3 changed files with 46 additions and 6 deletions
--- a/whois/port43/helpers.php
+++ b/whois/port43/helpers.php
@ -112,4 +112,44 @@ function updatePermittedIPs($pool, $permittedIPsTable) {
    foreach ($permittedIPs as $ip) {
        $permittedIPsTable->set($ip, ['addr' => $ip]);
    }
+}
+
+function isValidHostname($hostname) {
+    $hostname = trim($hostname);
+
+    // Convert IDN (Unicode) to ASCII if necessary
+    if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
+        $hostname = idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
+        if ($hostname === false) {
+            return false; // Invalid IDN conversion
+        }
+    }
+
+    // Ensure there is at least **one dot** (to prevent single-segment hostnames)
+    if (substr_count($hostname, '.') < 1) {
+        return false;
+    }
+
+    // Regular expression for validating a hostname
+    $pattern = '/^((xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.)*([a-zA-Z0-9-]{1,63}|xn--[a-zA-Z0-9-]{2,63})$/';
+
+    // Ensure it matches the hostname pattern
+    if (!preg_match($pattern, $hostname)) {
+        return false;
+    }
+
+    // Ensure no label exceeds 63 characters
+    $labels = explode('.', $hostname);
+    foreach ($labels as $label) {
+        if (strlen($label) > 63) {
+            return false;
+        }
+    }
+
+    // Ensure full hostname is not longer than 255 characters
+    if (strlen($hostname) > 255) {
+        return false;
+    }
+
+    return true;
 }
--- a/whois/port43/start_whois.php
+++ b/whois/port43/start_whois.php
@ -657,12 +657,12 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
                        $nameserver = $convertedDomain;
                    }
                }
-                
-                if (!preg_match('/^((xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){2,}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $nameserver)) {
+
+                if (!isValidHostname($nameserver)) {
                    $server->send($fd, "Nameserver contains invalid characters or is not in the correct format.");
                    $server->close($fd);
                }
-                
+
                $query = "SELECT name,clid FROM host WHERE name = :nameserver";
                $stmt = $pdo->prepare($query);
                $stmt->bindParam(':nameserver', $nameserver, PDO::PARAM_STR);
--- a/whois/port43/whois_limited.php
+++ b/whois/port43/whois_limited.php
@ -295,12 +295,12 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
                        $nameserver = $convertedDomain;
                    }
                }
-                
-                if (!preg_match('/^((xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){2,}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $nameserver)) {
+
+                if (!isValidHostname($nameserver)) {
                    $server->send($fd, "Nameserver contains invalid characters or is not in the correct format.");
                    $server->close($fd);
                }
-                
+
                $query = "SELECT name,clid FROM host WHERE name = :nameserver";
                $stmt = $pdo->prepare($query);
                $stmt->bindParam(':nameserver', $nameserver, PDO::PARAM_STR);