diff --git a/cp/app/Controllers/ContactsController.php b/cp/app/Controllers/ContactsController.php
index c923287..4fcc692 100644
--- a/cp/app/Controllers/ContactsController.php
+++ b/cp/app/Controllers/ContactsController.php
@@ -528,6 +528,13 @@ class ContactsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
+ return $response->withHeader('Location', '/contacts')->withStatus(302);
+ }
+
 $contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?', [ $args ]);
@@ -585,6 +592,13 @@ class ContactsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
+ return $response->withHeader('Location', '/contacts')->withStatus(302);
+ }
+
 $contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?', [ $args ]);
@@ -992,6 +1006,13 @@ class ContactsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
+ return $response->withHeader('Location', '/contacts')->withStatus(302);
+ }
+
 $contact_id = $db->selectValue('SELECT id FROM contact WHERE identifier = ?', [ $args ]);
diff --git a/cp/app/Controllers/DomainsController.php b/cp/app/Controllers/DomainsController.php
index 93fa1b4..ad775be 100644
--- a/cp/app/Controllers/DomainsController.php
+++ b/cp/app/Controllers/DomainsController.php
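Review bot: The identifier check is pasted verbatim into three methods (the -528, -585 and -992 hunks), so the pattern and the flash message now live in three places that can drift apart; a private helper returning the normalised identifier or null, e.g. `private function normaliseContactId(string $raw): ?string { $id = trim($raw); return preg_match('/^[a-zA-Z0-9-]+$/', $id) === 1 ? $id : null; }`, would keep them in one place. The pattern also has no length bound; if the identifier follows the EPP contact-id shape (a short token), a bounded quantifier such as `{3,16}` would reject oversized input before it reaches the query, though the stored identifier length is not visible here. Each enclosing method starts outside its hunk.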
@@ -780,6 +780,13 @@ class DomainsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
 $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', [ $args ]);
@@ -858,6 +865,13 @@ class DomainsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
 $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', [ $args ]);
@@ -1551,6 +1565,13 @@ class DomainsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
 $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', [ $args ]);
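Review bot: `strtolower()` is byte-wise and the pattern on the next line admits only ASCII labels, so a domain entered in its Unicode (U-label) form is rejected with 'Invalid domain name format' even though the selected row carries an `idnlang` column, which suggests IDN names are stored; if they are stored as A-labels, converting first with `$args = idn_to_ascii(trim($args), 0, INTL_IDNA_VARIANT_UTS46) ?: '';` ahead of the `preg_match` lets one check cover both forms, as HostsController already does. The pattern also puts no bound on label length (63) or total length (253); `[-a-z0-9]{0,61}` in place of `[-a-z0-9]*` would at least close the former. The same block is repeated in the -858, -1551 and -1620 hunks and belongs in a single private helper. Each enclosing method starts outside its hunk.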
@@ -1620,6 +1641,13 @@ class DomainsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
 $domain = $db->selectRow('SELECT id, name, tldid, registrant, crdate, exdate, clid, crid, upid, trdate, trstatus, reid, redate, acid, acdate, rgpstatus, addPeriod, autoRenewPeriod, renewPeriod, renewedDate, transferPeriod FROM domain WHERE name = ?', [ $args ]);
@@ -2238,7 +2266,17 @@ class DomainsController extends Controller
 //if ($request->getMethod() === 'POST') {
 $data = $request->getParsedBody();
 $db = $this->container->get('db');
- $domainName = $args ?? null;
+
+ if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
+ $domainName = $args ?? null;
+ }
 if (!$domainName) {
 $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
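Review bot: In the -2238 hunk `$domainName` is now assigned only inside `if ($args)`, so when `$args` is empty the following `if (!$domainName)` reads an undefined variable and emits a PHP 8 warning on every request that omits the name, unless the variable is initialised earlier in the method, whose start lies outside the hunk; the `?? null` on the inner assignment is also dead, because `$args` is known to be truthy at that point. Initialise before the block with `$domainName = null;` ahead of `if ($args) {`, and inside write `$domainName = $args;`. The same shape is repeated in the -2403, -2458, -2513 and -2578 hunks.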
@@ -2403,7 +2441,17 @@ class DomainsController extends Controller
 //if ($request->getMethod() === 'POST') {
 $data = $request->getParsedBody();
 $db = $this->container->get('db');
- $domainName = $args ?? null;
+
+ if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
+ $domainName = $args ?? null;
+ }
 if (!$domainName) {
 $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
@@ -2458,7 +2506,17 @@ class DomainsController extends Controller
 //if ($request->getMethod() === 'POST') {
 $data = $request->getParsedBody();
 $db = $this->container->get('db');
- $domainName = $args ?? null;
+
+ if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
+ $domainName = $args ?? null;
+ }
 if (!$domainName) {
 $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
@@ -2513,8 +2571,18 @@ class DomainsController extends Controller
 //if ($request->getMethod() === 'POST') {
 $data = $request->getParsedBody();
 $db = $this->container->get('db');
- $domainName = $args ?? null;
-
+
+ if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
+ $domainName = $args ?? null;
+ }
+
 if (!$domainName) {
 $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
 return $response->withHeader('Location', '/transfers')->withStatus(302);
@@ -2578,7 +2646,17 @@ class DomainsController extends Controller
 //if ($request->getMethod() === 'POST') {
 $data = $request->getParsedBody();
 $db = $this->container->get('db');
- $domainName = $args ?? null;
+
+ if ($args) {
+ $args = strtolower(trim($args));
+
+ if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid domain name format');
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+
+ $domainName = $args ?? null;
+ }
 if (!$domainName) {
 $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
diff --git a/cp/app/Controllers/FinancialsController.php b/cp/app/Controllers/FinancialsController.php
index 3e50506..efd2174 100644
--- a/cp/app/Controllers/FinancialsController.php
+++ b/cp/app/Controllers/FinancialsController.php
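Review bot: In the -2513 hunk a malformed name redirects to `/domains`, while the existing check a few lines below for a missing name redirects to `/transfers`; if this method serves the transfers page, which the existing redirect suggests, the new branch should send the user to the same place: `return $response->withHeader('Location', '/transfers')->withStatus(302);`. The method's signature is outside the hunk, so which page it belongs to is inferred only from that existing redirect.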
@@ -22,10 +22,11 @@ class FinancialsController extends Controller
 {
 return view($response,'admin/financials/invoices.twig');
 }
-
+
 public function viewInvoice(Request $request, Response $response, $args)
 {
 $invoiceNumberPattern = '/^[A-Za-z]+\d+-?\d+$/';
+ $args = trim($args);
 if (preg_match($invoiceNumberPattern, $args)) {
 $invoiceNumber = $args; // valid format
diff --git a/cp/app/Controllers/HostsController.php b/cp/app/Controllers/HostsController.php
index 1da7884..4ababfc 100644
--- a/cp/app/Controllers/HostsController.php
+++ b/cp/app/Controllers/HostsController.php
@@ -274,6 +274,8 @@ class HostsController extends Controller
 $uri = $request->getUri()->getPath();
 function isValidHostname($hostname) {
+ $hostname = trim($hostname);
+
 // Check for IDN and convert to ASCII if necessary
 if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
 $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);
@@ -343,6 +345,8 @@ class HostsController extends Controller
 $uri = $request->getUri()->getPath();
 function isValidHostname($hostname) {
+ $hostname = trim($hostname);
+
 // Check for IDN and convert to ASCII if necessary
 if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
 $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);
@@ -541,6 +545,8 @@ class HostsController extends Controller
 $uri = $request->getUri()->getPath();
 function isValidHostname($hostname) {
+ $hostname = trim($hostname);
+
 // Check for IDN and convert to ASCII if necessary
 if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
 $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);
diff --git a/cp/app/Controllers/RegistrarsController.php b/cp/app/Controllers/RegistrarsController.php
index e1364fd..dae12d3 100644
--- a/cp/app/Controllers/RegistrarsController.php
+++ b/cp/app/Controllers/RegistrarsController.php
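Review bot: In the HostsController -274 hunk the added `trim()` only changes the local `$hostname` inside the nested `isValidHostname()`; the parameter is passed by value, so a name with surrounding whitespace now passes validation while whatever the enclosing method later does with its own copy, outside the hunk, still sees the untrimmed value. Trim at the call site, before the value is both validated and used, and leave the helper pure, e.g. `$hostname = trim($hostname);` on the caller's variable ahead of `isValidHostname($hostname)`. The same edit appears in the -343 and -541 hunks; the three identical nested declarations would be better as one private method, which would also avoid the redeclaration error PHP raises if two of these methods ever run in the same process.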
@@ -298,6 +298,13 @@ class RegistrarsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim(preg_replace('/\s+/', ' ', $args));
+
+ if (!preg_match('/^[a-zA-Z0-9\s]+$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid registrar');
+ return $response->withHeader('Location', '/registrars')->withStatus(302);
+ }
+
 $registrar = $db->selectRow('SELECT * FROM registrar WHERE name = ?', [ $args ]);
@@ -367,6 +374,13 @@ class RegistrarsController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^[a-z0-9]+$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid registrar');
+ return $response->withHeader('Location', '/registrars')->withStatus(302);
+ }
+
 $registrar = $db->selectRow('SELECT * FROM registrar WHERE clid = ?', [ $args ]);
diff --git a/cp/app/Controllers/SystemController.php b/cp/app/Controllers/SystemController.php
index 450570d..f2dff44 100644
--- a/cp/app/Controllers/SystemController.php
+++ b/cp/app/Controllers/SystemController.php
@@ -459,6 +459,13 @@ class SystemController extends Controller
 $db = $this->container->get('db');
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^\.[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)?[^\.]$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid TLD format');
+ return $response->withHeader('Location', '/registry/tlds')->withStatus(302);
+ }
+
 $validators = [
 'extension' => v::stringType()->notEmpty()->length(3, 64),
 'createm0' => v::numericVal()->between(0.00, 9999999.99, true),
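Review bot: The name check `/^[a-zA-Z0-9\s]+$/` in the -298 hunk rejects any registrar whose stored name contains punctuation (a comma, period, ampersand, apostrophe or hyphen), so such rows become unreachable through this route with 'Invalid registrar'; since the value only feeds a parameterised `WHERE name = ?`, a bounded but broader class is the safer shape, e.g. `'/^[\p{L}\p{N}\s.,&\'-]{1,255}$/u'`. Collapsing internal whitespace with `preg_replace('/\s+/', ' ', ...)` also changes the lookup key, so a stored name containing two consecutive spaces will no longer match, and `preg_replace()` returns null on a PCRE error, which `trim()` then accepts only with a deprecation notice. The -367 hunk's `/^[a-z0-9]+$/` has no `strtolower()` before it, unlike the domain checks, so an upper-case clid is rejected; whether clids are stored lower-case is not visible here.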
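Review bot: The TLD pattern's trailing `[^\.]` in the SystemController -459 hunk matches any single non-dot character, so `.com/`, `.com'` or `.com;` all pass the format check, while a punycode TLD such as `.xn--p1ai` is rejected because `-` is not in the class; the check therefore neither enforces what its error message claims nor admits IDN TLDs. A pattern that spells out the labels does both: `'/^(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?){1,2}$/'`. The value only reaches a parameterised query here, so this is a correctness and consistency point rather than an injection path. The same pattern is used again in the -743 hunk.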
@@ -743,6 +750,13 @@ class SystemController extends Controller
 $uri = $request->getUri()->getPath();
 if ($args) {
+ $args = trim($args);
+
+ if (!preg_match('/^\.[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)?[^\.]$/', $args)) {
+ $this->container->get('flash')->addMessage('error', 'Invalid TLD format');
+ return $response->withHeader('Location', '/registry/tlds')->withStatus(302);
+ }
+
 $tld = $db->selectRow('SELECT id, tld, idn_table, secure FROM domain_tld WHERE tld = ?', [ $args ]);