Don't allow site domain names to be IP addresses

But then you need to create separate validation for this, because now the same validation is used in other forms, where you edit legitimate IP used by server.

This means that you need an extra function like:

/**
 * Check if the FQDN or IP provided is valid.
 */
function _hosting_valid_fqdn_ip($fqdn) {
  # regex is an implementation of RFC1035
  #
  # We allow IPs here.
  #
  return (preg_match("/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.?)+[a-z0-9]+$/", $fqdn));
}

This should be used inside function hosting_server_validate instead of current function _hosting_valid_fqdn.

Then you need to modify function _hosting_valid_fqdn, so it will not allow IPs, so something like:

/**
 * Check if the FQDN provided is valid.
 *
 * @param $fqdn
 *   The Fully Qualified Domain Name (FQDN) to validate.
 * @return
 *   An integer greater than 0 if the $fqdn is valid, or 0 or FALSE if it not
 *   valid.
 */
function _hosting_valid_fqdn($fqdn) {
  # regex is an implementation of RFC1035
  # original: return preg_match("/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.?)+$/i", $fqdn);
  #
  # We don't allow IPs here.
  #
  return (preg_match("/^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.?)+[a-z0-9]+$/", $fqdn) && preg_match("/[a-z]+/", $fqdn));
}

Note that I have added support for domain wildcards here and don't allow the dot at the end (even if it is valid from the DNS perspective), which may not work in Apache, but works great in Nginx, so you will need just:

return preg_match("/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.?)+$/i", $fqdn) && preg_match("/[a-z]+/", $fqdn));

Of course you will need to modify also form_set_error messages in hosting_site.form.inc, hosting_migrate.module and hosting_alias.module, so it will say something like: "You have not specified a valid domain name. IP address is not allowed."

You need this on the validation function level, not on the form element(s) level, so you can do this once and it will work in all forms - also for Aliases, Clone and Migrate etc.

I don't get what the problem is here - there is validation for site names already, in the function _hosting_valid_fqdn(), called from various validate functions, see http://api.aegirproject.org/api/Hostmaster/modules--hosting--hosting.inc... for details.

Now as for allowing IP addresses, this is a side effect of allowing digits as the first characters in subdomains, something which was enabled about 4 years ago, in #317089: new site title/url generation purpose?, as some registrars do allow such domains to be registered, against RFC recommendations. We could complicate the regex by making sure (say) the last component doesn't start with a digit.

I wonder, though, what the problem is with having a site name be an IP address, can you expand on that?

(I believe that wildcard support should be processed in a separate issue, however. See #1193982: Wildcard subdomain support.)

This can be a problem when you have more than 1 client (like in the typical SaaS mode) hosted on the same instance, since any of them (and they will try that) can add the IP shared with others as "his own" alias, and display his website on this shared IP, while it could be used for something else, like Chive URL. Allowing this is something I don't like, but it is rather a matter of host policy, I guess.

Well, there's a difference between allowing it on a specific server and completely disallowing users to use that (accidental) feature... I find it actually pretty nice that you can make aegir answer on IP addresses, maybe we just need to add this as an alias to the main @hostmaster site to forbid people from stealing it at first, but then I wouldn't even bother with that. :)

In any case, I guess we'd need a patch to move forward from here.

I understand the naming problem - the hostname being a real IP. I found that was a cool feature.

Now why doesn't it work? is it that cookies are not being set properly?

We still need a patch before this is needs review.

Though it may prevent using an IP as a domain name, it prevents me from using my IDN. I tried cloning my site just recently (using Barracuda/Octopus, ver 2.0.5) and was notified I am not using a valid domain name which obviously is not true. Do please take IDNs into account as well.

@kunago - This issue is about site names being IP addresses. If you have other concerns regarding domain name validation, I encourage you to open a separate issue.

(I'm actually surprised we don't support internationalised site names... )

Regarding the original issue here, I think the current validation is sufficient, and unless there's a good case made against IP addresses being acceptable site names, I will simply close this issue...

Just a heads up that there is a work around to use IP address "named" sites: #2013683: IP addresses break Aegir login, cookies

alright, well if that's the only issue, let's followup there and close this non-bug.

Drupal 7 explicitly doesn't set cookies for IP and localhost, so we should disallow this by default to avoid confusion. Reopening this, because I have closed the other feature request as won't fix: https://drupal.org/node/2013683#comment-7508015

I think this is a silly mistake of Drupal core, but I am not sure I want to take up that bikeshed painting fest in the core issue queues.

I still think there's a case for Aegir to allow URIs to have IP addresses. At the very least, we should allow users to redirect from IP addresses to the main domain name.