From bfb3fb0a92bb02308797661eb549fc34d3711122 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Kolly?=
Date: Mon, 29 Jul 2019 11:36:34 +0200
Subject: [PATCH] Add Regex to check for invalid CAA entry

---
 lib/Froxlor/Api/Commands/DomainZones.php | 11 +++++++++--
 lng/english.lng.php | 1 +
 lng/german.lng.php | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/Froxlor/Api/Commands/DomainZones.php b/lib/Froxlor/Api/Commands/DomainZones.php
index e717d7c7..9e233fec 100644
--- a/lib/Froxlor/Api/Commands/DomainZones.php
+++ b/lib/Froxlor/Api/Commands/DomainZones.php
@@ -139,8 +139,15 @@ class DomainZones extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 } elseif ($type == 'AAAA' && filter_var($content, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
 $errors[] = $this->lng['error']['dns_aaaarec_noipv6'];
 } elseif ($type == 'CAA' && ! empty($content)) {
- // check that CAA content is enclosed in " "
- $content = \Froxlor\Dns\Dns::encloseTXTContent($content);
+ $re = '/(?\'critical\'\d)\h*(?\'type\'iodef|issue|issuewild)\h*(?\'value\'(?\'issuevalue\'"(?\'domain\'(?=.{3,128}$)(?>(?>[a-zA-Z0-9]+[a-zA-Z0-9-]*[a-zA-Z0-9]+|[a-zA-Z0-9]+)\.)*(?>[a-zA-Z]{2,}|[a-zA-Z0-9]{2,}\.[a-zA-Z]{2,}))[;\h]*(?\'parameters\'(?>[a-zA-Z0-9]{1,60}=[a-zA-Z0-9]{1,60}\h*)+)?")|(?\'iodefvalue\'"(?\'url\'(mailto:.*|http:\/\/.*|https:\/\/.*))"))/';
+ preg_match($re, $content, $matches);
+
+ if (empty($matches)) {
+ $errors[] = $this->lng['error']['dns_content_invalid'];
+ } else {
+ // check that CAA content is enclosed in " "
+ $content = \Froxlor\Dns\Dns::encloseTXTContent($matches[0]);
+ }
 } elseif ($type == 'CNAME' || $type == 'DNAME') {
 // check for trailing dot
 if (substr($content, - 1) == '.') {
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 4996b77e..aad8a566 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
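Review bot: The CAA pattern added in the `$type == 'CAA'` branch is unanchored and its flag group is a single `\d`, so `preg_match` can succeed on a substring, and `$matches[0]` then stores something other than what was submitted. With a constructed sample such as `128 issue "ca.example"`, the match starts at the `8`, so the record would be saved with flag 8 instead of the issuer-critical 128, and any text after the closing quote is dropped without an error. Because a CAA record is a certificate-issuance policy, input that does not match in full should be rejected rather than trimmed: put `^` directly after the opening `/` and `\h*$` directly before the closing `/`, widen the flag to `\d{1,3}`, and range-check it against 0–255. The `iodef` alternative's `.*` also accepts embedded double quotes, which looks risky if the value is later written into a zone file; `[^"]*` would be tighter. The enclosing method starts and ends outside the hunk.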
@@ -1892,6 +1892,7 @@ $lng['tasks']['backup_customerfiles'] = 'Backup job for customer %loginname%';

 $lng['error']['dns_domain_nodns'] = 'DNS is not enabled for this domain';
 $lng['error']['dns_content_empty'] = 'No content given';
+$lng['error']['dns_content_invalid'] = 'DNS content invalid';
 $lng['error']['dns_arec_noipv4'] = 'No valid IP address for A-record given';
 $lng['error']['dns_aaaarec_noipv6'] = 'No valid IP address for AAAA-record given';
 $lng['error']['dns_mx_prioempty'] = 'Invalid MX priority given';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index eb861056..9c335afe 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1543,6 +1543,7 @@ $lng['tasks']['backup_customerfiles'] = 'Datensicherung für Kunde %loginname%';

 $lng['error']['dns_domain_nodns'] = 'DNS ist für diese Domain nicht aktiviert';
 $lng['error']['dns_content_empty'] = 'Keinen Inhalt angegeben';
+$lng['error']['dns_content_invalid'] = 'DNS Eintrag ungültig';
 $lng['error']['dns_arec_noipv4'] = 'Keine gültige IP-Adresse für A-Eintrag angegeben';
 $lng['error']['dns_aaaarec_noipv6'] = 'Keine gültige IP-Adresse für AAAA-Eintrag angegeben';
 $lng['error']['dns_mx_prioempty'] = 'Ungültige MX Priorität angegeben';