From 0ac674ceac95e51b2f5943aaa447ddd225540f60 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 18 Mar 2022 17:26:21 +0100
Subject: [PATCH] Firewall - Aliases : tighten fqdn validation to avoid mistypes as 192.168.01.1 from being accepted as domain name.

---
 src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
index 9190223b9..e0d449a5b 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
@@ -242,7 +242,13 @@ class Util
     public static function isDomain($domain)
     {
         $pattern = '/^(?:(?:[a-z\pL0-9]|[a-z\pL0-9][a-z\pL0-9\-]*[a-z\pL0-9])\.)*(?:[a-z\pL0-9]|[a-z\pL0-9][a-z\pL0-9\-]*[a-z\pL0-9])$/iu';
-        if (preg_match($pattern, $domain)) {
+        $parts = explode(".", $domain);
+        if (ctype_digit($parts[0]) && ctype_digit($parts[count($parts)-1])) {
+            // according to rfc1123 2.1
+            // a valid host name can never have the dotted-decimal form #.#.#.#, since at least the highest-level
+            // component label will be alphabetic.
+            return false;
+        } elseif (preg_match($pattern, $domain)) {
             return true;
         }
         return false;
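Review bot: The guard at `if (ctype_digit($parts[0]) && ctype_digit($parts[count($parts)-1]))` is narrower than the RFC 1123 §2.1 rule quoted in its comment: the RFC only requires the highest-level label to be non-numeric, but the condition additionally requires the first label to be numeric, so a name such as `host.123` (alphabetic first label, all-digit top label) still falls through to the pattern and is accepted. If the intent is to mirror the RFC, drop the first-label test, `if (ctype_digit($parts[count($parts) - 1])) {`; if the intent is only to reject dotted-decimal mistypes like the `192.168.01.1` in the subject, the comment should state that narrower goal instead of citing the RFC rule. Note that `ctype_digit('')` is false, so a trailing-dot input such as `example.` bypasses the new guard, though the existing pattern rejects an empty final label anyway. The closing brace of `isDomain` lies outside the hunk.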