From f0e7d8a3c73aad9deb0f811816cb76f5343fc3a7 Mon Sep 17 00:00:00 2001
From: Pinga <121483313+getpinga@users.noreply.github.com>
Date: Tue, 11 Feb 2025 10:53:21 +0200
Subject: [PATCH] Fixes to prevent IDN script mixing

---
 cp/bootstrap/helper.php | 7 ++++++-
 epp/src/helpers.php | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/cp/bootstrap/helper.php b/cp/bootstrap/helper.php
index ec94190..aa22c01 100644
--- a/cp/bootstrap/helper.php
+++ b/cp/bootstrap/helper.php
@@ -281,8 +281,13 @@ function validate_label($domain, $db) {
         return 'Zone is not supported';
     }
 
+    // Prevent mixed IDN & ASCII domains
+    if ((strpos($parts['domain'], 'xn--') === 0) !== (strpos($parts['tld'], 'xn--') === 0)) {
+        return 'Invalid domain name: IDN (xn--) domains must have both an IDN domain and TLD.';
+    }
+
     // IDN-specific validation (only if the domain contains Punycode)
-    if (strpos($parts['domain'], 'xn--') === 0) {
+    if (strpos($parts['domain'], 'xn--') === 0 && strpos($parts['tld'], 'xn--') === 0) {
         $label = idn_to_utf8($parts['domain'], IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
 
         // Fetch the IDN regex for the given TLD
diff --git a/epp/src/helpers.php b/epp/src/helpers.php
index de37358..bf49f0a 100644
--- a/epp/src/helpers.php
+++ b/epp/src/helpers.php
@@ -255,8 +255,13 @@ function validate_label($domain, $pdo) {
         return 'Zone is not supported';
     }
 
+    // Prevent mixed IDN & ASCII domains
+    if ((strpos($parts['domain'], 'xn--') === 0) !== (strpos($parts['tld'], 'xn--') === 0)) {
+        return 'Invalid domain name: IDN (xn--) domains must have both an IDN domain and TLD.';
+    }
+
     // IDN-specific validation (only if the domain contains Punycode)
-    if (strpos($parts['domain'], 'xn--') === 0) {
+    if (strpos($parts['domain'], 'xn--') === 0 && strpos($parts['tld'], 'xn--') === 0) {
         $label = idn_to_utf8($parts['domain'], IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
 
         // Fetch the IDN regex for the given TLD
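Review bot: The new `xn--` prefix checks in both hunks (cp/bootstrap/helper.php and, identically, epp/src/helpers.php) are case-sensitive, so a label submitted as `XN--...` would be classified as plain ASCII on both sides, pass the mixed-IDN guard, and skip the IDN branch and its per-TLD regex entirely unless `$parts` has already been lowercased before this point; that normalization is outside the hunk, so it should be confirmed or the comparisons made case-insensitive. Computing the two flags once, `$domainIsIdn = str_starts_with(strtolower($parts['domain']), 'xn--');` and `$tldIsIdn = str_starts_with(strtolower($parts['tld']), 'xn--');`, would also remove the four duplicated `strpos` calls, and because the guard returns early the extra `&& strpos($parts['tld'], ...)` added to the later condition is redundant and can read `if ($domainIsIdn) {`. Note that this guard only rejects an IDN label paired with an ASCII TLD (or the reverse); mixed scripts within a single label are presumably still left to the IDN regex fetched below, so the subject line's "script mixing" describes more than the check itself enforces. validate_label starts before the hunk and continues after it in both files.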