From ee4ba9fba1f9d49396f3a4882a3239a83c5036d6 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Tue, 17 Jun 2014 09:28:35 -0300
Subject: Be more careful with host parameter and make sure it's escaped when call shell functions
---
 usr/local/www/diag_dns.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/usr/local/www/diag_dns.php b/usr/local/www/diag_dns.php
index 98271d1..0c41824 100644
--- a/usr/local/www/diag_dns.php
+++ b/usr/local/www/diag_dns.php
@@ -38,16 +38,17 @@ require("guiconfig.inc");
 if ($_GET['host'])
 $_POST = $_GET;
-if($_GET['createalias'] == "true") {
- $host = trim($_POST['host']);
+$host = trim($_POST['host'], " \t\n\r\0\x0B[];\"'");
+$host_esc = escapeshellarg($host);
+
+if($_GET['createalias'] == "true" && (is_hostname($host) || is_ipaddr($host))) {
 if($_GET['override'])
 $override = true;
 $a_aliases = &$config['aliases']['alias'];
 $type = "hostname";
 $resolved = gethostbyname($host);
 if($resolved) {
- $host = trim($_POST['host']);
- $dig=`dig "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`;
+ $dig=`dig "{$host_esc}" A | grep "{$host_esc}" | grep -v ";" | awk '{ print $5 }'`;
 $resolved = explode("\n", $dig);
 $isfirst = true;
 foreach($resolved as $re) {
@@ -93,8 +94,6 @@ if ($_POST) {
 $reqdfieldsn = explode(",", "Host");
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- $host = trim($_POST['host'], " \t\n\r\0\x0B[]");
- $host_esc = escapeshellarg($host);
 if (!is_hostname($host) && !is_ipaddr($host)) {
 $input_errors[] = gettext("Host must be a valid hostname or IP address.");
@@ -130,7 +129,7 @@ if ($_POST) {
 $type = "hostname";
 $resolved = gethostbyname($host);
 if($resolved) {
- $dig=`dig $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`;
+ $dig=`dig {$host_esc} A | grep {$host_esc} | grep -v ";" | awk '{ print $5 }'`;
 $resolved = explode("\n", $dig);
 }
 $hostname = $host;
-- 
cgit v1.1
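Review bot: In the createalias branch of the first hunk the escaped value is still wrapped in double quotes (`dig "{$host_esc}" A | grep "{$host_esc}"`), which undoes what `escapeshellarg()` provides: the single quotes it adds become literal characters inside the double-quoted word, so dig and grep receive the name with quote characters attached and the shell's double-quote expansion rules apply to the value again. Use the value bare, as the third hunk does, and match it as a fixed string: `dig {$host_esc} A | grep -F -- {$host_esc}`. The `-F --` part is separate hardening that applies equally to the grep in the third hunk, since the host is otherwise treated as a regular expression (a `.` matches any character) and nothing visible here guarantees it cannot be read as an option. The new `is_hostname($host) || is_ipaddr($host)` guard presumably keeps shell metacharacters out today, but those helpers are defined outside this diff and the quoting should not depend on them; note also that `trim()` only strips the listed characters from the ends of the string, not from the middle. The `if` block this line sits in continues past the end of the hunk.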