
Commit b6f77cb

committed
fix(DnsPinning): Ensure to always lookup based on FQDN
Signed-off-by: David Dreschner <david.dreschner@nextcloud.com>
1 parent 753e6ee commit b6f77cb


2 files changed

+21
-15
lines changed


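--- a/lib/private/Http/Client/DnsPinMiddleware.php
+++ b/lib/private/Http/Client/DnsPinMiddleware.php
@@ -34,7 +34,9 @@ private function soaRecord(string $target): ?array {
 $top = count($labels) >= 2 ? array_pop($labels) : '';
 $second = array_pop($labels);
 
-$hostname = $second . '.' . $top;
+// Before looking up any DNS record, we need to make sure the
+// provided target is an FQDN by adding a dot to the end.
+$hostname = $second . '.' . $top . '.';
 $responses = $this->dnsGetRecord($hostname, DNS_SOA);
 
 if ($responses === false || count($responses) === 0) {
@@ -59,6 +61,10 @@ private function dnsResolve(string $target, int $recursionCount) : array {
 $dnsTypes = \defined('AF_INET6') || @inet_pton('::1')
 ? [DNS_A, DNS_AAAA, DNS_CNAME]
 : [DNS_A, DNS_CNAME];
+
+// Before looking up any DNS record, we need to make sure the
+// provided target is an FQDN by adding a dot to the end.
+$target = str_ends_with($target, '.') ? $target : "$target.";
 foreach ($dnsTypes as $dnsType) {
 if ($canHaveCnameRecord === false && $dnsType === DNS_CNAME) {
 continue;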
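Review bot: In soaRecord the new `$hostname = $second . '.' . $top . '.';` produces a name ending in `..` whenever `$top` is the empty string, which the line above yields for fewer than two labels; before this change that case happened to end in a single dot. dnsResolve guards the same step with `str_ends_with`, so the two paths now normalise differently, and `$hostname = rtrim($second . '.' . $top, '.') . '.';` would keep soaRecord to exactly one trailing dot. If `$labels` is split from a `$target` that already ends in a dot (the split is outside the hunk), `$top` is empty there as well and the SOA query goes to the wrong name, so that input deserves a check before the labels are popped. The added comment could also say why the dot matters, presumably `// Absolute name: keeps the resolver from appending its search domains.` Both functions start and end outside the hunks.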

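--- a/tests/lib/Http/Client/DnsPinMiddlewareTest.php
+++ b/tests/lib/Http/Client/DnsPinMiddlewareTest.php
@@ -61,7 +61,7 @@ static function (RequestInterface $request, array $options) {
 ->method('dnsGetRecord')
 ->willReturnCallback(function (string $hostname, int $type) {
 // example.com SOA
-if ($hostname === 'example.com') {
+if ($hostname === 'example.com.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -76,7 +76,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.com A, AAAA, CNAME
-if ($hostname === 'www.example.com') {
+if ($hostname === 'www.example.com.') {
 return match ($type) {
 DNS_A => [],
 DNS_AAAA => [],
@@ -93,7 +93,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.net SOA
-if ($hostname === 'example.net') {
+if ($hostname === 'example.net.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -108,7 +108,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.net A, AAAA, CNAME
-if ($hostname === 'www.example.net') {
+if ($hostname === 'www.example.net.') {
 return match ($type) {
 DNS_A => [
 [
@@ -154,7 +154,7 @@ static function (RequestInterface $request, array $options) {
 ->method('dnsGetRecord')
 ->willReturnCallback(function (string $hostname, int $type) {
 // example.com SOA
-if ($hostname === 'example.com') {
+if ($hostname === 'example.com.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -169,7 +169,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.com A, AAAA, CNAME
-if ($hostname === 'www.example.com') {
+if ($hostname === 'www.example.com.') {
 return match ($type) {
 DNS_A => [],
 DNS_AAAA => [],
@@ -186,7 +186,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.net SOA
-if ($hostname === 'example.net') {
+if ($hostname === 'example.net.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -201,7 +201,7 @@ static function (RequestInterface $request, array $options) {
 }
 
 // example.net A, AAAA, CNAME
-if ($hostname === 'www.example.net') {
+if ($hostname === 'www.example.net.') {
 return match ($type) {
 DNS_A => [
 [
@@ -378,7 +378,7 @@ static function (RequestInterface $request, array $options): void {
 ->method('dnsGetRecord')
 ->willReturnCallback(function (string $hostname, int $type) {
 // example.com SOA
-if ($hostname === 'example.com') {
+if ($hostname === 'example.com.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -393,7 +393,7 @@ static function (RequestInterface $request, array $options): void {
 }
 
 // example.com A, AAAA, CNAME
-if ($hostname === 'www.example.com') {
+if ($hostname === 'www.example.com.') {
 return match ($type) {
 DNS_A => [],
 DNS_AAAA => [],
@@ -410,7 +410,7 @@ static function (RequestInterface $request, array $options): void {
 }
 
 // example.net SOA
-if ($hostname === 'example.net') {
+if ($hostname === 'example.net.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -425,7 +425,7 @@ static function (RequestInterface $request, array $options): void {
 }
 
 // example.net A, AAAA, CNAME
-if ($hostname === 'www.example.net') {
+if ($hostname === 'www.example.net.') {
 return match ($type) {
 DNS_A => [
 [
@@ -496,7 +496,7 @@ static function (RequestInterface $request, array $options): void {
 $dnsQueries[] = $hostname . $type;
 
 // example.com SOA
-if ($hostname === 'example.com') {
+if ($hostname === 'example.com.') {
 return match ($type) {
 DNS_SOA => [
 [
@@ -511,7 +511,7 @@ static function (RequestInterface $request, array $options): void {
 }
 
 // example.net A, AAAA, CNAME
-if ($hostname === 'subsubdomain.subdomain.example.com') {
+if ($hostname === 'subsubdomain.subdomain.example.com.') {
 return match ($type) {
 DNS_A => [
 [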
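Review bot: Every updated mock answers only for names the middleware dotted itself, so in the visible hunks nothing exercises a request host that already ends in `.` or a single-label host, the inputs most likely to reach dnsGetRecord with a doubled dot from soaRecord. A case that records the queried names, as the test with `$dnsQueries[] = $hostname . $type;` already does, and asserts that no recorded name ends in `..` would pin the normalisation. The comment `// example.net A, AAAA, CNAME` above the `subsubdomain.subdomain.example.com.` check names the wrong domain and could be corrected while that line is being touched. The callbacks start and end outside these hunks.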
