feat: ignore .localdomain and (pi).hole local domains
This commit is contained in:
parent
397bc65998
commit
1c3786616f
183
certtest/go.php
183
certtest/go.php
|
@ -1,183 +0,0 @@
|
|||
<?php
|
||||
|
||||
$protocol = "https";
|
||||
include_once($_SERVER['DOCUMENT_ROOT'] . '/inc/origin.class.php');
|
||||
include_once($_SERVER['DOCUMENT_ROOT'] . '/inc/config.php');
|
||||
|
||||
originHelper\origin::check($config['allowed-origins']);
|
||||
|
||||
if (isset($_GET['protocol'])) {
|
||||
$protocol = $_GET['protocol'];
|
||||
}
|
||||
if (!($protocol == "https" || $protocol == "smtp" || $protocol == "ftp")) {
|
||||
die("the script only supports connection types of https, smtp or ftp");
|
||||
}
|
||||
$port = 0;
|
||||
if (isset($_GET['port'])) {
|
||||
$port = intval($_GET['port']);
|
||||
}
|
||||
if (!is_int($port) || $port <= 0 || $port >= 65535) {
|
||||
die("port must be numeric");
|
||||
}
|
||||
$domain = "";
|
||||
if (isset($_GET['domain'])) {
|
||||
$domain = $_GET['domain'];
|
||||
}
|
||||
if (!preg_match('/^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.){1,}(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$/', $domain)) {
|
||||
die("invalid domain provided.");
|
||||
}
|
||||
if (preg_match('/^.*\.local$/', $domain)) {
|
||||
die("domains with .local are not allowed!");
|
||||
}
|
||||
if (!fixed_gethostbyname($domain)) {
|
||||
die("could not resolve host $domain (no ip-addresses allowed due to ssl-certificate cn and security)");
|
||||
}
|
||||
$options = 0;
|
||||
if (isset($_GET['options'])) {
|
||||
$options = abs(intval($_GET['options']));
|
||||
}
|
||||
if (!is_int($options) || $options < 0 || $options >= 64) {
|
||||
$options = 0;
|
||||
}
|
||||
|
||||
$extparams = "";
|
||||
if ($options > 0) {
|
||||
if ($options & 1) {
|
||||
$extparams .= "-showcerts ";
|
||||
}
|
||||
if ($options & 2) {
|
||||
$extparams .= "-no_tls1 ";
|
||||
}
|
||||
if ($options & 4) {
|
||||
$extparams .= "-no_tls1_1 ";
|
||||
}
|
||||
if ($options & 8) {
|
||||
$extparams .= "-no_tls1_2 ";
|
||||
}
|
||||
if ($options & 16) {
|
||||
$extparams .= "-no_tls1_3 ";
|
||||
}
|
||||
if ($options & 32) {
|
||||
$extparams .= "-tlsextdebug ";
|
||||
}
|
||||
}
|
||||
$starttls = "";
|
||||
if ($protocol == "smtp" || $protocol == "ftp") {
|
||||
$starttls = "-starttls $protocol ";
|
||||
}
|
||||
$cmd = "/usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect " . escapeshellarg("$domain:$port") . " $starttls$extparams < " . __DIR__ . "/quit.txt 2>&1";
|
||||
/*
|
||||
if [ "$1" = "smtp" ]; then
|
||||
echo "connecting smtp to $2 on port $3"
|
||||
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 -starttls smtp $extraparams" || echo "timeout!"
|
||||
else
|
||||
if [ "$1" = "ftp" ]; then
|
||||
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 -starttls ftp $extraparams" || echo "timeout!"
|
||||
else
|
||||
echo "connecting https to $2 on port $3"
|
||||
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 $extraparams" || echo "timeout!"
|
||||
fi
|
||||
fi
|
||||
*/
|
||||
echo "$extparams\n";
|
||||
|
||||
//passthru($cmd, $output);
|
||||
echo exec_timeout($cmd, 5);
|
||||
|
||||
function fixed_gethostbyname($host)
|
||||
{
|
||||
$ip = gethostbyname($host);
|
||||
if ($ip != $host) {
|
||||
return $ip;
|
||||
} else return false;
|
||||
}
|
||||
|
||||
// source: https://blog.dubbelboer.com/2012/08/24/execute-with-timeout.html
|
||||
/**
|
||||
* Execute a command and return it's output. Either wait until the command exits or the timeout has expired.
|
||||
*
|
||||
* @param string $cmd Command to execute.
|
||||
* @param int $timeout Timeout in seconds.
|
||||
* @return string Output of the command.
|
||||
* @throws \Exception
|
||||
*/
|
||||
function exec_timeout(string $cmd, int $timeout): string
|
||||
{
|
||||
// File descriptors passed to the process.
|
||||
$descriptors = array(
|
||||
0 => array('pipe', 'r'), // stdin
|
||||
1 => array('pipe', 'w'), // stdout
|
||||
2 => array('pipe', 'w') // stderr
|
||||
);
|
||||
|
||||
// Start the process.
|
||||
$process = proc_open('exec ' . $cmd, $descriptors, $pipes);
|
||||
|
||||
if (!is_resource($process)) {
|
||||
throw new \Exception('Could not execute process');
|
||||
}
|
||||
|
||||
// Set the stdout stream to non-blocking.
|
||||
stream_set_blocking($pipes[1], 0);
|
||||
|
||||
// Set the stderr stream to non-blocking.
|
||||
stream_set_blocking($pipes[2], 0);
|
||||
|
||||
// Turn the timeout into microseconds.
|
||||
$timeout = $timeout * 1000000;
|
||||
|
||||
// Output buffer.
|
||||
$buffer = '';
|
||||
|
||||
$normalexit = false;
|
||||
// While we have time to wait.
|
||||
while ($timeout > 0) {
|
||||
$start = microtime(true);
|
||||
|
||||
// Wait until we have output or the timer expired.
|
||||
$read = array($pipes[1]);
|
||||
$other = array();
|
||||
stream_select($read, $other, $other, 0, (int)$timeout);
|
||||
|
||||
// Get the status of the process.
|
||||
// Do this before we read from the stream,
|
||||
// this way we can't lose the last bit of output if the process dies between these functions.
|
||||
$status = proc_get_status($process);
|
||||
|
||||
// Read the contents from the buffer.
|
||||
// This function will always return immediately as the stream is non-blocking.
|
||||
$buffer .= stream_get_contents($pipes[1]);
|
||||
|
||||
if (!$status['running']) {
|
||||
$normalexit = true;
|
||||
// Break from this loop if the process exited before the timeout.
|
||||
break;
|
||||
}
|
||||
|
||||
// Subtract the number of microseconds that we waited.
|
||||
$timeout -= (microtime(true) - $start) * 1000000;
|
||||
}
|
||||
|
||||
// Check if there were any errors.
|
||||
$errors = stream_get_contents($pipes[2]);
|
||||
|
||||
if (!empty($errors)) {
|
||||
throw new \Exception($errors);
|
||||
}
|
||||
|
||||
if (!$normalexit) {
|
||||
$buffer .= "\nTimeout!";
|
||||
}
|
||||
// Kill the process in case the timeout expired and it's still running.
|
||||
// If the process already exited this won't do anything.
|
||||
proc_terminate($process, 9);
|
||||
|
||||
// Close all streams.
|
||||
fclose($pipes[0]);
|
||||
fclose($pipes[1]);
|
||||
fclose($pipes[2]);
|
||||
|
||||
proc_close($process);
|
||||
|
||||
return $buffer;
|
||||
}
|
|
@ -28,8 +28,8 @@ if (isset($_GET['domain'])) {
|
|||
if (!preg_match('/^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.){1,}(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$/', $domain)) {
|
||||
dieWithMsg("invalid domain provided.");
|
||||
}
|
||||
if (preg_match('/^.*\.local$/', $domain)) {
|
||||
dieWithMsg("domains with .local are not allowed!");
|
||||
if (preg_match('/^.*\.(local(domain)?|hole)$/', $domain)) {
|
||||
dieWithMsg("domains with .local or .localdomain are not allowed!");
|
||||
}
|
||||
if (!fixed_gethostbyname($domain)) {
|
||||
dieWithMsg("could not resolve host $domain (no ip-addresses allowed due to ssl-certificate cn and security)");
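Review bot: The widened suffix deny-list on the new `preg_match` line still does not keep this tool away from internal hosts, because the `fixed_gethostbyname($domain)` check on the following line only tests that the name resolves and never looks at what it resolves to, so any public name that points at 127.0.0.1 or RFC 1918 space (or that rebinds between this lookup and the later `openssl s_client` connect, which sits outside the hunk) gets through. Assuming the helper still returns the resolved address as the older copy on this page did, keep that value and reject private or reserved results with `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)`, and ideally pass the validated IP to `-connect` together with `-servername $domain` so the check and the connection use the same address. While here, `.localhost` (reserved by RFC 6761 to mean loopback) is missing from the pattern, and the message on the next line still names only `.local or .localdomain` although `.hole` is now rejected as well. The enclosing script continues on both sides of the hunk.

```php
if (preg_match('/^.*\.(local(domain)?|localhost|hole)$/', $domain)) {
    dieWithMsg("domains with .local, .localdomain, .localhost or .hole are not allowed!");
}
$ip = fixed_gethostbyname($domain);
if (!$ip) {
    dieWithMsg("could not resolve host $domain (no ip-addresses allowed due to ssl-certificate cn and security)");
}
// A public name can still resolve to loopback/private space; the suffix list alone cannot catch that.
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    dieWithMsg("host $domain resolves to a private or reserved address and is not allowed");
}
// … unchanged: option flags, starttls selection and the openssl command (connect to $ip, add -servername $domain) …
```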
|
||||
|
|