Bug 12428

Summary: The WUI allows hostname containing white space
Product: IPFire Reporter: Bernhard Bitsch <bbitsch>
Component: ---Assignee: Adolf Belka <adolf.belka>
Status: CLOSED FIXED QA Contact:
Severity: Balancing    
Priority: Will only affect a few users CC: adolf.belka, ip.fire, michael.tremer, peter.mueller
Version: 2   
Hardware: all   
OS: All   

Description Bernhard Bitsch 2020-06-08 20:22:26 UTC
In hosts.cgi it is possible to define host names containg spaces.
This is not allowed by RFC 1132. And thus unbound doesn't like it.
hosts.cgi checks the validity of the name with the function validhostname ( located in /var/ipfire/general-functions.pl ).

The error can be corrected by replacement of 

  if ($hostname !~ /^[a-zA-Z0-9-\s]*$/) {
      return 0;}
  # First character can only be a letter or a digit
  if (substr ($hostname, 0, 1) !~ /^[a-zA-Z0-9]*$/) {
      return 0;}
  # Last character can only be a letter or a digit
  if (substr ($hostname, -1, 1) !~ /^[a-zA-Z0-9]*$/) {
      return 0;}

with 
   # First and last character can only be letter or decimal digit
   # else letter, decimal digits and hyphen are allowed
   if ($hostname != /^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$/) {
	return 0; }		

This modification should be applied with other possible modifications to the general-functions.pl file.
Comment 1 Bernhard Bitsch 2020-06-08 21:02:36 UTC
The lines should read

   # First and last character can only be letter or decimal digit
   # else letter, decimal digits and hyphen are allowed
   if ($hostname !~ /^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$/) {
	return 0; }	

Sorry, for posting too fast. (:

In testing this modification, I had to restart unbound manually ( after clean-up of my host definitions ). Maybe there is another problem also.
Comment 2 Michael Tremer 2020-06-09 09:08:27 UTC
Hello Bernhard,

could you please put this in a patch and submit it to the mailing list?

I think the solution looks good.

Best,
-Michael
Comment 3 Adolf Belka 2020-10-06 21:11:18 UTC
Hi Bernhard,

Do you still plan to provide a patch for this fix for spaces in hostnames?

Looking through general-functions.pl it might be worth it, for consistency, to also do the same check in function validfqdn as the same check is carried out for the hostname portion of the fqdn.

Regards,
Adolf.
Comment 4 Adolf Belka 2020-12-20 09:15:17 UTC
I will pick this up and submit Bernhard's proposal as a patch to the mailing list.

If I am stepping on any toes then please just unassign me from this bug.
Comment 5 Bernhard Bitsch 2020-12-20 09:47:07 UTC
From my side this is ok.
Sorry, forgot to do it myself. But if I remember right, at the time I opened this ticket there were several activities in cleaning up and correcting general-functions.pl.
Comment 6 Adolf Belka 2020-12-30 09:37:07 UTC
Fix provided by Bernhard Bitsch converted into patch.

Patch implemented in testbed system and confirmed working. Spaces in hostnames result in an error message for invalid hostname.

https://patchwork.ipfire.org/patch/3774/
Comment 7 Adolf Belka 2020-12-30 09:44:08 UTC
*** Bug 12401 has been marked as a duplicate of this bug. ***
Comment 8 Adolf Belka 2021-01-02 13:17:26 UTC
After further testing I realised that the regex would fail if the hostname had less than two characters whereas a hostname can go down to one character according to the rfc definitions. So I had to update the patch to fix that

After further thinking and searching I also realised that the validfqdn subroutine also needed to be updated to be consistent with the validhostname and validdomainname subroutines. So I also updated that in the patch.

I then tested the patch in my testbed system against IPFire pages using hostnames, domain names and FQDN's. The patch worked for all. Also tested with single characters in the hostname and domain name and up to 63 characters in one of the octets.
I also confirmed that having a zero octet (ie ..) in the domain name also was flagged as being invalid.

New patch submitted to patchwork and the development list:-

https://patchwork.ipfire.org/patch/3779/
Comment 11 Adolf Belka 2021-03-08 17:44:12 UTC
fix patch has been released with Core Update 154