Closed (fixed)
Project: Hostmaster (Aegir)
Version: 6.x-0.4-alpha3
Component: Code
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 19 Mar 2011 at 07:21 UTC
Updated: 19 Apr 2011 at 19:31 UTC
I noticed this when someone entered a full URL with http:// in the aliases, breaking the web server configuration (or at least breaking the web server reload due to broken configuration). Yet, it is possible to enter *valid* arbitrary configuration using the domain aliases text area. Patch linked. It silently drops any invalid aliases. It is a quick fix, but maybe some error should also be displayed.
The fix: http://drupalcode.org/sandbox/omega8cc/1074912.git/commit/e85a76a
Comments
Comment #1
joestewart commented
The patch seemed to work great except when an alias entered was a single word. _hosting_valid_fqdn() shouldn't allow this, should it?
Comment #2
omega8cc commented
The _hosting_valid_fqdn() regex allows this, probably to still accept a simple localname install, so you don't need to use the dot in the name; yet then it is no longer an FQDN check, I agree. Also, the current regex allows you to use an IP address as a site name, and you can enter the dot at the end (which is wrong).
In my setup I don't allow IP addresses and the domain should start with a letter (probably too restrictive these days, but it is per RFC1035):
Comment #3
anarcat commented
I originally wrote the regex as you did, but it was changed because registrars actually allow domains to start with numbers. Also, a domain name actually ends with a dot, it's just optional.
Comment #4
anarcat commented
Fix committed.
Comment #5
anarcat commented
I also contacted the security team about this. I don't think this issue should have been reported in the trackers, according to http://drupal.org/node/101494
Comment #7
anarcat commented
In fact, reporting it in the trackers was okay because we're not stable yet, according to the security team.
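
One way to validate aliases before they reach the web server configuration, and to report rejected entries instead of silently dropping them, as an added example that is not code from the linked patch or from Aegir. The function names are hypothetical; it assumes one alias per line and a policy that follows the thread (leading digits and an optional trailing dot allowed, single-word names and IP addresses refused).

```php
<?php
// Added example: hypothetical helpers, not Aegir's _hosting_valid_fqdn().

// TRUE only for dot-separated letter/digit/hyphen labels (two or more).
function example_valid_alias($alias) {
  // Allow-list the characters first. Whitespace, ':', '/', ';', quotes
  // and newlines never reach the vhost file. \z, unlike $, does not
  // match before a trailing "\n".
  if (!preg_match('/\A[A-Za-z0-9.-]{1,254}\z/', $alias)) {
    return FALSE;
  }
  // A single trailing dot (root label) is legal; strip it.
  $name = (substr($alias, -1) === '.') ? substr($alias, 0, -1) : $alias;
  if (strlen($name) > 253) {
    return FALSE;
  }
  $labels = explode('.', $name);
  if (count($labels) < 2) {
    return FALSE; // A single word is not fully qualified.
  }
  foreach ($labels as $label) {
    // 1-63 characters, letter or digit at both ends, hyphens inside.
    if (!preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/', $label)) {
      return FALSE;
    }
  }
  // An all-digit last label means an IPv4 literal, not a domain.
  return !ctype_digit(end($labels));
}

// Split textarea input (assumed: one alias per line) into accepted and
// rejected lists so the form can report what was dropped.
function example_filter_aliases($textarea) {
  $result = array('accepted' => array(), 'rejected' => array());
  foreach (preg_split('/\r\n|\r|\n/', $textarea) as $line) {
    $alias = strtolower(trim($line));
    if ($alias === '') {
      continue;
    }
    $result[example_valid_alias($alias) ? 'accepted' : 'rejected'][] = $alias;
  }
  return $result;
}

// Constructed sample input, not taken from the issue.
$input = "www.example.com\nhttp://example.org\nlocalhost\n192.0.2.10\n"
  . "1and1.example.\na.example.com extra tokens\n";
print_r(example_filter_aliases($input));
```

A line is validated as a whole and never split further, so an entry with extra tokens after the hostname is rejected rather than partially accepted.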