mirror of
https://github.com/nextcloud/server.git
synced 2026-04-21 14:23:17 -04:00
Merge pull request #27801 from nextcloud/enh/noid/hardening-dns-pin-middleware
Ignore subdomain for soa queries
This commit is contained in:
kesselb
GitHub
commit
9f04a7c71e
1 changed files with 28 additions and 13 deletions
|
|
@ -41,6 +41,28 @@ class DnsPinMiddleware {
|
|||
$this->localAddressChecker = $localAddressChecker;
|
||||
}
|
||||
|
||||
/**
|
||||
* Fetch soa record for a target
|
||||
*
|
||||
* @param string $target
|
||||
* @return array|null
|
||||
*/
|
||||
private function soaRecord(string $target): ?array {
|
||||
$labels = explode('.', $target);
|
||||
|
||||
$top = count($labels) >= 2 ? array_pop($labels) : '';
|
||||
$second = array_pop($labels);
|
||||
|
||||
$hostname = $second . '.' . $top;
|
||||
$responses = dns_get_record($hostname, DNS_SOA);
|
||||
|
||||
if ($responses === false || count($responses) === 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return reset($responses);
|
||||
}
|
||||
|
||||
private function dnsResolve(string $target, int $recursionCount) : array {
|
||||
if ($recursionCount >= 10) {
|
||||
return [];
|
||||
|
|
@ -49,24 +71,19 @@ class DnsPinMiddleware {
|
|||
$recursionCount = $recursionCount++;
|
||||
$targetIps = [];
|
||||
|
||||
$soaDnsEntry = dns_get_record($target, DNS_SOA);
|
||||
if (isset($soaDnsEntry[0]) && isset($soaDnsEntry[0]['minimum-ttl'])) {
|
||||
$dnsNegativeTtl = $soaDnsEntry[0]['minimum-ttl'];
|
||||
} else {
|
||||
$dnsNegativeTtl = null;
|
||||
}
|
||||
$soaDnsEntry = $this->soaRecord($target);
|
||||
$dnsNegativeTtl = $soaDnsEntry['minimum-ttl'] ?? null;
|
||||
|
||||
$dnsTypes = [DNS_A, DNS_AAAA, DNS_CNAME];
|
||||
foreach ($dnsTypes as $key => $dnsType) {
|
||||
foreach ($dnsTypes as $dnsType) {
|
||||
if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) {
|
||||
unset($dnsTypes[$key]);
|
||||
continue;
|
||||
}
|
||||
|
||||
$dnsResponses = dns_get_record($target, $dnsType);
|
||||
$canHaveCnameRecord = true;
|
||||
if (count($dnsResponses) > 0) {
|
||||
foreach ($dnsResponses as $key => $dnsResponse) {
|
||||
foreach ($dnsResponses as $dnsResponse) {
|
||||
if (isset($dnsResponse['ip'])) {
|
||||
$targetIps[] = $dnsResponse['ip'];
|
||||
$canHaveCnameRecord = false;
|
||||
|
|
@ -78,10 +95,8 @@ class DnsPinMiddleware {
|
|||
$canHaveCnameRecord = true;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if ($dnsNegativeTtl !== null) {
|
||||
$this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl);
|
||||
}
|
||||
} elseif ($dnsNegativeTtl !== null) {
|
||||
$this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue