From 41e4135f71d21075e015408aa83e1b5dde4434f7 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Wed, 18 May 2016 09:03:14 +0200
Subject: [PATCH 1/2] do not allow punycode input in domain-names

Signed-off-by: Michael Kaufmann (d00p)
---
 admin_domains.php | 19 +++++++++++++------
 install/froxlor.sql | 2 +-
 lng/english.lng.php | 2 ++
 lng/german.lng.php | 2 ++
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/admin_domains.php b/admin_domains.php
index 5fbabda4..26dcf406 100644
--- a/admin_domains.php
+++ b/admin_domains.php
@@ -282,10 +282,23 @@ if ($page == 'domains' || $page == 'overview') {
 standard_error('admin_domain_emailsystemhostname');
 }
 
+ if (strpos($_POST['domain'], '--') !== false) {
+ standard_error('domain_nopunycode');
+ }
+
 $domain = $idna_convert->encode(preg_replace(array(
 '/\:(\d)+$/',
 '/^https?\:\/\//'
 ), '', validate($_POST['domain'], 'domain')));
+
+ // Check whether domain validation is enabled and if, validate the domain
+ if (Settings::Get('system.validate_domain') && ! validateDomain($domain)) {
+ standard_error(array(
+ 'stringiswrong',
+ 'mydomain'
+ ));
+ }
+
 $subcanemaildomain = intval($_POST['subcanemaildomain']);
 $isemaildomain = 0;
 
@@ -679,12 +692,6 @@ if ($page == 'domains' || $page == 'overview') {
 'stringisempty',
 'mydomain'
 ));
- } // Check whether domain validation is enabled and if, validate the domain
-elseif (Settings::Get('system.validate_domain') && ! validateDomain($domain)) {
- standard_error(array(
- 'stringiswrong',
- 'mydomain'
- ));
 } elseif ($documentroot == '') {
 standard_error(array(
 'stringisempty',
diff --git a/install/froxlor.sql b/install/froxlor.sql
index 178b9135..38747109 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
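Review bot: The punycode test `strpos($_POST['domain'], '--') !== false` in the first hunk rejects every name containing two adjacent hyphens, not only ACE labels; a hostname such as `foo-bar--baz.example.org` (constructed sample) is syntactically allowed by the LDH rule yet would now fail with 'domain_nopunycode', whereas the IDNA form the error message refers to is only signalled by an `xn--` prefix at the start of a label. Anchoring the test to that prefix keeps the intent without the over-rejection: `if (preg_match('/(?:^|\.)xn--/i', $_POST['domain'])) {`. The same `'--'` test is repeated in customer_domains.php in the second patch of this series and needs the same change. The enclosing `if ($page == 'domains' || $page == 'overview')` block starts and ends outside the hunk.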
@@ -556,7 +556,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 ('panel', 'password_numeric', '0'),
 ('panel', 'password_special_char_required', '0'),
 ('panel', 'password_special_char', '!?<>§$%+#=@'),
- ('panel', 'version', '0.9.35.1'),
+ ('panel', 'version', '0.9.36'),
 ('panel', 'db_version', '201604270');
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 2db8a344..9b8f4b1c 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1988,3 +1988,5 @@ $lng['serversettings']['backupenabled']['description'] = "If activated, the cust
 $lng['extras']['path_protection_label'] = 'Important';
 $lng['extras']['path_protection_info'] = 'We strongly recommend protecting the given path, see "Extras" -> "Directory protection"';
 $lng['tasks']['backup_customerfiles'] = 'Backup job for customer %loginname%';
+
+$lng['error']['domain_nopunycode'] = 'You must not specify punycode (IDNA). The domain will automatically be converted';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index ec8bc35f..956afd80 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1641,3 +1641,5 @@ $lng['serversettings']['backupenabled']['description'] = "Wenn dies aktiviert is
 $lng['extras']['path_protection_label'] = 'Wichtig';
 $lng['extras']['path_protection_info'] = 'Wir raten dringend dazu den angegebenen Pfad zu schützen, siehe "Extras" -> "Verzeichnisschutz"';
 $lng['tasks']['backup_customerfiles'] = 'Datensicherung für Kunde %loginname%';
+
+$lng['error']['domain_nopunycode'] = 'Die Eingabe von Punycode (IDNA) ist nicht notwendig. Die Domain wird automatisch konvertiert.';

From eb70e619c9dbffc6d837fc80f169e930ead57464 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Wed, 18 May 2016 10:28:13 +0200
Subject: [PATCH 2/2] also check for punycode when customer adds a subdomain

Signed-off-by: Michael Kaufmann (d00p)
---
 customer_domains.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/customer_domains.php b/customer_domains.php
index d7bdbc9b..1464d512 100644
--- a/customer_domains.php
+++ b/customer_domains.php
@@ -247,6 +247,11 @@ if ($page == 'overview') {
 } elseif ($action == 'add') {
 if ($userinfo['subdomains_used'] < $userinfo['subdomains'] || $userinfo['subdomains'] == '-1') {
 if (isset($_POST['send']) && $_POST['send'] == 'send') {
+
+ if (strpos($_POST['subdomain'], '--') !== false) {
+ standard_error('domain_nopunycode');
+ }
+
 $subdomain = $idna_convert->encode(preg_replace(array('/\:(\d)+$/', '/^https?\:\/\//'), '', validate($_POST['subdomain'], 'subdomain', '', 'subdomainiswrong')));
 $domain = $idna_convert->encode($_POST['domain']);
 $domain_stmt = Database::prepare("SELECT * FROM `" . TABLE_PANEL_DOMAINS . "`
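Review bot: `strpos($_POST['subdomain'], '--')` is evaluated on the raw request value before `validate()` sees it on the following line, so a missing key raises an undefined-index notice and a non-string value (a request can send `subdomain[]=`) makes strpos warn and return null, which `!== false` treats as a match and reports the misleading 'domain_nopunycode' error instead of the validation error. Guarding the type first keeps the check honest: `if (isset($_POST['subdomain']) && is_string($_POST['subdomain']) && strpos($_POST['subdomain'], '--') !== false) {`. The equivalent check in admin_domains.php in the first patch reads `$_POST['domain']` the same way. The enclosing `if ($page == 'overview')` block starts and ends outside the hunk.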