dhcp: unbound_watcher: validate client hostnames

2026-03-18 18:44:44 +00:00 · 2023-06-19 13:49:39 +02:00 · 2023-06-19 13:49:39 +02:00 · 02aae56f05
commit 02aae56f05
parent ca3945b8ca
1 changed files with 18 additions and 7 deletions
--- a/src/opnsense/scripts/dhcp/unbound_watcher.py
+++ b/src/opnsense/scripts/dhcp/unbound_watcher.py
@ -36,6 +36,7 @@ import time
 import tempfile
 import argparse
 import syslog
+import re
 from configparser import ConfigParser
 sys.path.insert(0, "/usr/local/opnsense/site-python")
 from daemonize import Daemonize
@ -62,6 +63,10 @@ def unbound_control(commands, input=None, output_stream=None):
    if output_stream:
        output_stream.seek(0)

+def valid_hostname(hostname):
+    hostname = hostname.rstrip('.')
+    correct = re.compile("(?!-)[A-Z0-9-]{1,63}(?<!-)$", re.IGNORECASE)
+    return all(correct.match(part) for part in hostname.split('.'))

 class UnboundLocalData:
    def __init__(self):
@ -144,13 +149,19 @@ def run_watcher(target_filename, default_domain, watch_file, config):
        for lease in dhcpdleases.watch():
            if 'ends' in lease and lease['ends'] > time.time() \
                    and 'client-hostname' in lease and 'address' in lease and lease['client-hostname']:
-                address = ipaddress.ip_address(lease['address'])
-                lease['domain'] = default_domain
-                for lease_config in lease_configs:
-                    if lease_config['start'] <= address <= lease_config['end']:
-                        lease['domain'] = lease_config['domain']
-                cached_leases[lease['address']] = lease
-                dhcpd_changed = True
+                if valid_hostname(lease['client-hostname']):
+                    address = ipaddress.ip_address(lease['address'])
+                    lease['domain'] = default_domain
+                    for lease_config in lease_configs:
+                        if lease_config['start'] <= address <= lease_config['end']:
+                            lease['domain'] = lease_config['domain']
+                    cached_leases[lease['address']] = lease
+                    dhcpd_changed = True
+                else:
+                    syslog.syslog(
+                        syslog.LOG_WARNING,
+                        "dhcpd leases: %s not a valid hostname, ignoring" % cached_leases[address]['client-hostname']
+                    )

        remove_rr = list()
        add_rr = list()