search

hestiacp / hestiacp

Hestia Control Panel | A lightweight and powerful control panel for the modern web.
https://hestiacp.com
GNU General Public License v3.0
3.31k stars 674 forks source link

[Bug] DNS records with a newline or tab in them cause a 500 error in the web interface #4197

Open serversonic opened 9 months ago

serversonic commented 9 months ago

Describe the bug

This is probably an edge issue but I am currently manually synchronising records between a legacy web based DNS management system and a Hestia based system by copying and pasting prior to migration, and if the entries, specifically SPF records, are copied direct from the web site to the Hestia record editing page, they include a tab at the beginning of the copied text. The record is saved, but attempting to go back to the zone page returns a 500 error. Editing the zone manually does not resolve the issue and the only way I have found to do it is to restore from a backup. If I copy the copied text into a text editor and copy to the Hestia interface from there, it works, so there is a workaround, however this suggests to me that TXT records are not being escaped fully.

Tell us how to replicate the bug

  1. Go to a DNS zone page
  2. Click on a record's edit button
  3. Paste the record from the legacy web interface
  4. Save the edited record
  5. Press the 'Back' button

Which components are affected by this bug?

Control Panel Web Interface

Hestia Control Panel Version

1.8.11

Operating system

Debian 12

Log capture

No response

Skamasle commented 9 months ago

Hi

I cant reproduce this, from where can copy some record ?

I try copy record from old dns manage ( 4psa ) and when copy this add some tabs, but hestia just say is invalid record.

serversonic commented 8 months ago

Hello - The source application was a very old custom system whose interface is largely written in javascript. At the moment I have to manually synchronise by copy and pasting. I could only see the foreign character, which looked like a CR, in the clipboard. The old system should be being retired soon so it may be a very edge issue. I'll try and reproduce it,

Simon

Anuril commented 5 months ago

I'd be interested in fixing this, as it hints to failing input sanitation. Can you please provide some text that breaks it?

serversonic commented 5 months ago

My original issue appeared to be due to copy and pasting a DNS entry that started with a space, not a CR as previously described, so something like this:

hostname (note the space)

I have since seen a similar issue with a customer copying and pasting a line in a similar way, leaving in spaces and quotes, something like this:

" example_entry " (invalid spaces and quote marks) causing named to stop serving the zone file. I would be inclined to agree that it's an input sanitisation issue in that respect but also that there's probably a case for checking a zone file before it's deployed.

Anuril commented 5 months ago

I can't seem to replicate this on Debian 11 with Hestia 1.8.11. Can you provide more information - which field do you use to paste the "bad text" ?

serversonic commented 5 months ago

I think I've managed to reproduce the combination that caused the original issue as I'm copying and pasting more links from the application. It looks like the character combination is a space, then a right angled bracket ('>') then a tab. I wondered if this was some kind of non-printable character but from the site code it looks like a parsing error in the javascript that renders the page which is exposing the right angle bracket from a HTML tag.- I spotted it when pasting an email address from the site into a spreadsheet this time. The combination caused the email address to paste into the cell next to the one I was targetting.