author | kesselb <mail@danielkesselberg.de> | 2021-07-06 18:55:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-06 18:55:25 +0200 |
commit | 9f04a7c71e71d6d6085539ab7f37db729d8aeadd (patch) | |
tree | a579af00f6ffdf6128a5418e6619f12a7d596747 /lib/private/Http | |
parent | 5e7206d23a33df21d23619fe61d29c809000cdb6 (diff) | |
parent | b6530e5e822ee635eeb5a54e6630efcf6129c8c1 (diff) | |
download | nextcloud-server-9f04a7c71e71d6d6085539ab7f37db729d8aeadd.tar.gz nextcloud-server-9f04a7c71e71d6d6085539ab7f37db729d8aeadd.zip |
Merge pull request #27801 from nextcloud/enh/noid/hardening-dns-pin-middleware
Ignore subdomains for SOA queries
Diffstat (limited to 'lib/private/Http')
-rw-r--r-- | lib/private/Http/Client/DnsPinMiddleware.php | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/lib/private/Http/Client/DnsPinMiddleware.php b/lib/private/Http/Client/DnsPinMiddleware.php
index 900173bb506..135ae52f4bd 100644
--- a/lib/private/Http/Client/DnsPinMiddleware.php
+++ b/lib/private/Http/Client/DnsPinMiddleware.php
@@ -41,6 +41,28 @@ class DnsPinMiddleware {
 		$this->localAddressChecker = $localAddressChecker;
 	}
 
+	/**
+	 * Fetch soa record for a target
+	 *
+	 * @param string $target
+	 * @return array|null
+	 */
+	private function soaRecord(string $target): ?array {
+		$labels = explode('.', $target);
+
+		$top = count($labels) >= 2 ? array_pop($labels) : '';
+		$second = array_pop($labels);
+
+		$hostname = $second . '.' . $top;
+		$responses = dns_get_record($hostname, DNS_SOA);
+
+		if ($responses === false || count($responses) === 0) {
+			return null;
+		}
+
+		return reset($responses);
+	}
+
 	private function dnsResolve(string $target, int $recursionCount) : array {
 		if ($recursionCount >= 10) {
 			return [];
@@ -49,24 +71,19 @@ class DnsPinMiddleware {
 		$recursionCount = $recursionCount++;
 		$targetIps = [];
 
-		$soaDnsEntry = dns_get_record($target, DNS_SOA);
-		if (isset($soaDnsEntry[0]) && isset($soaDnsEntry[0]['minimum-ttl'])) {
-			$dnsNegativeTtl = $soaDnsEntry[0]['minimum-ttl'];
-		} else {
-			$dnsNegativeTtl = null;
-		}
+		$soaDnsEntry = $this->soaRecord($target);
+		$dnsNegativeTtl = $soaDnsEntry['minimum-ttl'] ?? null;
 
 		$dnsTypes = [DNS_A, DNS_AAAA, DNS_CNAME];
-		foreach ($dnsTypes as $key => $dnsType) {
+		foreach ($dnsTypes as $dnsType) {
 			if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) {
-				unset($dnsTypes[$key]);
 				continue;
 			}
 
 			$dnsResponses = dns_get_record($target, $dnsType);
 			$canHaveCnameRecord = true;
 			if (count($dnsResponses) > 0) {
-				foreach ($dnsResponses as $key => $dnsResponse) {
+				foreach ($dnsResponses as $dnsResponse) {
 					if (isset($dnsResponse['ip'])) {
 						$targetIps[] = $dnsResponse['ip'];
 						$canHaveCnameRecord = false;
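Review bot: `soaRecord()` always queries `$second.$top`, so for a target under a multi-label public suffix such as `example.co.uk` the SOA consulted is that of `co.uk`, and a target written with a trailing dot (`example.com.`) collapses to `com.` — the MINIMUM that then feeds the negative cache belongs to the registry, not to the zone authoritative for the target. RFC 2308 takes the negative TTL from the closest enclosing zone's SOA, which can be found by querying SOA for the target and then each parent name in turn until one answers; the rewrite below does that and stays bounded by the label count. If the reason for skipping the full target was that an SOA query on a non-apex name returns nothing, the walk still covers that case, at the cost of up to one extra lookup per label. A docblock line such as `* Returns the SOA of the closest zone enclosing $target, or null when none answers` would also state the contract more precisely than "Fetch soa record for a target".
```php
	private function soaRecord(string $target): ?array {
		$labels = explode('.', rtrim($target, '.'));

		// Walk from the target up through its parent names and use the first
		// SOA that answers: that is the zone whose MINIMUM governs negative caching.
		while (count($labels) >= 2) {
			$responses = dns_get_record(implode('.', $labels), DNS_SOA);
			if (is_array($responses) && count($responses) > 0) {
				return reset($responses);
			}
			array_shift($labels);
		}

		return null;
	}
```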
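Review bot: `$recursionCount = $recursionCount++;` in the first context line of this hunk assigns the pre-increment value back, so `$recursionCount` never changes and the `>= 10` guard at the top of `dnsResolve` (visible in the preceding hunk) can never fire; if, as the CNAME handling in this loop suggests, the counter is passed on to a recursive `dnsResolve` call for CNAME targets, a self-referencing or looping CNAME in an attacker-controlled zone recurses until PHP exhausts its stack or memory. The line should simply be `$recursionCount++;`. Separately, `dns_get_record()` returns `false` on a lookup error, and `count($dnsResponses)` on `false` raises a TypeError under PHP 8 — the new `soaRecord()` already guards for `=== false`, so this loop should too: `if (is_array($dnsResponses) && count($dnsResponses) > 0) {`. The body of `dnsResolve` continues past the end of this hunk.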
@@ -78,10 +95,8 @@ class DnsPinMiddleware {
 						$canHaveCnameRecord = true;
 					}
 				}
-			} else {
-				if ($dnsNegativeTtl !== null) {
-					$this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl);
-				}
+			} elseif ($dnsNegativeTtl !== null) {
+				$this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl);
 			}
 		}
 
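Review bot: the TTL handed to `setNegativeCacheForDnsType()` here is the SOA MINIMUM of whatever zone the target belongs to, i.e. a value chosen by the zone owner, and nothing in this function bounds it; unless `NegativeDnsCache` clamps it (not visible here), a zone with a very large MINIMUM can keep an NXDOMAIN/NODATA result for that target cached for as long as it likes. RFC 2308 §3 also defines the negative TTL as the lesser of the SOA record's own TTL and its MINIMUM, so the value computed earlier in `dnsResolve` should be `min($soaDnsEntry['ttl'], $soaDnsEntry['minimum-ttl'])` rather than MINIMUM alone. A cap at this call site, e.g. `min($dnsNegativeTtl, 3600)`, would bound the exposure to a hostile zone regardless of what the cache layer does. `dnsResolve` ends after this hunk.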