feat: ignore .localdomain and (pi).hole local domains

This commit is contained in:
Gottfried Mayer 2023-08-21 21:10:27 +00:00
parent 397bc65998
commit 1c3786616f
2 changed files with 2 additions and 185 deletions


@ -1,183 +0,0 @@
<?php
$protocol = "https";
include_once($_SERVER['DOCUMENT_ROOT'] . '/inc/origin.class.php');
include_once($_SERVER['DOCUMENT_ROOT'] . '/inc/config.php');
originHelper\origin::check($config['allowed-origins']);
if (isset($_GET['protocol'])) {
$protocol = $_GET['protocol'];
}
if (!($protocol == "https" || $protocol == "smtp" || $protocol == "ftp")) {
die("the script only supports connection types of https, smtp or ftp");
}
$port = 0;
if (isset($_GET['port'])) {
$port = intval($_GET['port']);
}
if (!is_int($port) || $port <= 0 || $port >= 65535) {
die("port must be numeric");
}
$domain = "";
if (isset($_GET['domain'])) {
$domain = $_GET['domain'];
}
if (!preg_match('/^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.){1,}(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$/', $domain)) {
die("invalid domain provided.");
}
if (preg_match('/^.*\.local$/', $domain)) {
die("domains with .local are not allowed!");
}
if (!fixed_gethostbyname($domain)) {
die("could not resolve host $domain (no ip-addresses allowed due to ssl-certificate cn and security)");
}
$options = 0;
if (isset($_GET['options'])) {
$options = abs(intval($_GET['options']));
}
if (!is_int($options) || $options < 0 || $options >= 64) {
$options = 0;
}
$extparams = "";
if ($options > 0) {
if ($options & 1) {
$extparams .= "-showcerts ";
}
if ($options & 2) {
$extparams .= "-no_tls1 ";
}
if ($options & 4) {
$extparams .= "-no_tls1_1 ";
}
if ($options & 8) {
$extparams .= "-no_tls1_2 ";
}
if ($options & 16) {
$extparams .= "-no_tls1_3 ";
}
if ($options & 32) {
$extparams .= "-tlsextdebug ";
}
}
$starttls = "";
if ($protocol == "smtp" || $protocol == "ftp") {
$starttls = "-starttls $protocol ";
}
$cmd = "/usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect " . escapeshellarg("$domain:$port") . " $starttls$extparams < " . __DIR__ . "/quit.txt 2>&1";
/*
if [ "$1" = "smtp" ]; then
echo "connecting smtp to $2 on port $3"
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 -starttls smtp $extraparams" || echo "timeout!"
else
if [ "$1" = "ftp" ]; then
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 -starttls ftp $extraparams" || echo "timeout!"
else
echo "connecting https to $2 on port $3"
/usr/bin/timeout 5 /bin/sh -c "echo 'quit' | /usr/bin/openssl s_client -CApath /etc/ssl/certs/ -connect $2:$3 $extraparams" || echo "timeout!"
fi
fi
*/
echo "$extparams\n";
//passthru($cmd, $output);
echo exec_timeout($cmd, 5);
function fixed_gethostbyname($host)
{
$ip = gethostbyname($host);
if ($ip != $host) {
return $ip;
} else return false;
}
// source: https://blog.dubbelboer.com/2012/08/24/execute-with-timeout.html
/**
* Execute a command and return it's output. Either wait until the command exits or the timeout has expired.
*
* @param string $cmd Command to execute.
* @param int $timeout Timeout in seconds.
* @return string Output of the command.
* @throws \Exception
*/
function exec_timeout(string $cmd, int $timeout): string
{
// File descriptors passed to the process.
$descriptors = array(
0 => array('pipe', 'r'), // stdin
1 => array('pipe', 'w'), // stdout
2 => array('pipe', 'w') // stderr
);
// Start the process.
$process = proc_open('exec ' . $cmd, $descriptors, $pipes);
if (!is_resource($process)) {
throw new \Exception('Could not execute process');
}
// Set the stdout stream to non-blocking.
stream_set_blocking($pipes[1], 0);
// Set the stderr stream to non-blocking.
stream_set_blocking($pipes[2], 0);
// Turn the timeout into microseconds.
$timeout = $timeout * 1000000;
// Output buffer.
$buffer = '';
$normalexit = false;
// While we have time to wait.
while ($timeout > 0) {
$start = microtime(true);
// Wait until we have output or the timer expired.
$read = array($pipes[1]);
$other = array();
stream_select($read, $other, $other, 0, (int)$timeout);
// Get the status of the process.
// Do this before we read from the stream,
// this way we can't lose the last bit of output if the process dies between these functions.
$status = proc_get_status($process);
// Read the contents from the buffer.
// This function will always return immediately as the stream is non-blocking.
$buffer .= stream_get_contents($pipes[1]);
if (!$status['running']) {
$normalexit = true;
// Break from this loop if the process exited before the timeout.
break;
}
// Subtract the number of microseconds that we waited.
$timeout -= (microtime(true) - $start) * 1000000;
}
// Check if there were any errors.
$errors = stream_get_contents($pipes[2]);
if (!empty($errors)) {
throw new \Exception($errors);
}
if (!$normalexit) {
$buffer .= "\nTimeout!";
}
// Kill the process in case the timeout expired and it's still running.
// If the process already exited this won't do anything.
proc_terminate($process, 9);
// Close all streams.
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
return $buffer;
}


@ -28,8 +28,8 @@ if (isset($_GET['domain'])) {
if (!preg_match('/^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.){1,}(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$/', $domain)) {
dieWithMsg("invalid domain provided.");
}
if (preg_match('/^.*\.local$/', $domain)) {
dieWithMsg("domains with .local are not allowed!");
if (preg_match('/^.*\.(local(domain)?|hole)$/', $domain)) {
dieWithMsg("domains with .local or .localdomain are not allowed!");
}
if (!fixed_gethostbyname($domain)) {
dieWithMsg("could not resolve host $domain (no ip-addresses allowed due to ssl-certificate cn and security)");
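Review bot: The suffix denylist added on the `preg_match('/^.*\.(local(domain)?|hole)$/'...)` line only blocks three spellings of a local name, while the resolver check two lines below already yields the real target address and then throws it away, so any attacker-controlled hostname that resolves to 127.0.0.1, 10.x, 169.254.x or another internal range still passes. Since `fixed_gethostbyname` returns the IP on success, the stronger check is to keep it and reject private/reserved ranges there: `$ip = fixed_gethostbyname($domain);` / `if ($ip === false || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {` — the existing `dieWithMsg` line stays as the body. Note this is still a check-then-connect pattern if the connect step later resolves the name again (the openssl command is outside this hunk), so a DNS-rebinding bypass presumably remains unless the resolved `$ip` is what gets connected to. Minor: the new error text names `.local` and `.localdomain` but not the `.hole` suffix the regex also rejects, and the leading `^.*` in the pattern is redundant given the `$` anchor. The `if (!fixed_gethostbyname(...))` statement on the last line closes outside the hunk.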