[PR #6] [MERGED] Fix security bugs (missing access checks, csrf token), fix other bugs (edit records, ..), add some features (masters for slaves, ...) #130

Closed
opened 2026-02-28 01:21:08 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/tuxis-ie/nsedit/pull/6
Author: @stbuehler
Created: 10/5/2014
Status: Merged
Merged: 10/6/2014
Merged by: @tuxis-ie

Base: master ← Head: pull


📝 Commits (3)

  • 54fb62b Rewrite/Refactoring
  • 9226420 Improve UI
  • e8f071f Rework session handling; add CSRF tokens and autologin

📊 Changes

8 files changed (+1115 additions, -467 deletions)


📝 css/base.css (+28 -0)
📝 includes/config.inc.php-dist (+6 -4)
📝 includes/misc.inc.php (+75 -27)
📝 includes/session.inc.php (+249 -65)
📝 includes/wefactauth.inc.php (+0 -2)
📝 index.php (+228 -110)
📝 users.php (+65 -19)
📝 zones.php (+464 -240)

📄 Description

  • add a lot of permission checks:
    zone edits were completely unchecked (after login); only list and creation were
    protected.
  • reduce regular expression usage
  • don't use user provided names/ids/urls for requests; instead use them
    to search for the zone in the list of all zones.
  • rename 'label' to 'name' in template records ('name' is used in all
    other places)
  • make 'localhost' default $apisid
  • add 'soa_edit' default
  • remove gen_pw/pwgen caller; use openssl instead for random password
  • fix a lot of bugs (editrecord, TXT quoting, name checking, ...)
  • improve record sorting
  • add CSS classes to fields
  • use monospace font for field values
  • min-width for record content edit field, stretch label and content
    to dialog width
  • max-width for record content table cell, explicit (percent) column
    sizes
  • text-align: right numbers
  • display raw data in cells with $('<span>').text(...)
  • add DNSSEC info and masters for slave zones
  • add some RR types and disable distinction from address .arpa zone;
    show all types for every field
  • rework session handling; add CSRF tokens and autologin

Sadly, the code was in very bad shape. I'm still not happy with index.php; mixing PHP, HTML and JavaScript like that is horrible.

The monospace font for the fields is just my own preference - if this is a problem I can undo it. Also jtables makes it very hard to style the column width - the CSS rules now are working on my screen, but don't scale well (test with long content, like TLSA records - a long hex string the browser doesn't like to break).

Also it might be nice to use more consistent names overall ('label' vs 'name', 'username' vs 'emailaddress', edit, update, list, ...).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
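As an added illustration (not code from this PR or from nsedit), here are the two guards the description talks about: a session-bound CSRF token checked on every POST, and a lookup of the user-supplied zone name in the server's own zone list so the API call is made with the server's record rather than the user's string. The field names `account`, `emailaddress` and `is_admin`, the function names, and the `$zonesFromApi` array are assumptions.

```php
<?php
// Added example, not nsedit's code. Names (csrf_token, csrf_check,
// zone_for_user, $zonesFromApi, 'account', 'is_admin') are hypothetical.

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from openssl, hex-encoded, issued once per session
        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    // Reject when the session has no token or the submitted one differs.
    // hash_equals() keeps the comparison constant-time.
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Search the requested name in the zones this user may see and return the
// server's record (canonical name/id), never the user's raw string.
function zone_for_user(array $zonesFromApi, array $user, string $requested): ?array {
    foreach ($zonesFromApi as $zone) {
        if (!$user['is_admin'] && $zone['account'] !== $user['emailaddress']) {
            continue;                         // not owned by this user
        }
        if (strcasecmp($zone['name'], $requested) === 0) {
            return $zone;                     // found and permitted
        }
    }
    return null;                              // unknown or not permitted
}

// Request handler; session_start() and $zonesFromApi (the API's zone list)
// are assumed to be set up before this point.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $zone = zone_for_user($zonesFromApi, $_SESSION['user'], $_POST['zone'] ?? '');
    if ($zone === null) {
        http_response_code(403);
        exit('no such zone or no permission');
    }
    // ... edit $zone['name'] via the API, never $_POST['zone'] directly
}
```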
