From: Julien Cristau
Date: Tue, 8 Oct 2019 17:35:51 +0000 (+0200)
Subject: ud-mailgate: block punycode DNS entries
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=8c7672a550946d7e2554381a195048ab8c8e20bc

ud-mailgate: block punycode DNS entries

Keep an exception for a single existing domain.
---
diff --git a/ud-mailgate b/ud-mailgate
index 0d6d330..baaf08a 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -371,6 +371,10 @@ def DoDNS(Str, Attrs, DnRecord):
 aaaarecord is None:
 return None
 
+ # Check for punycode. We ought to validate it before we allow it in our zone.
+ if Str.lower().startswith('xn--') and Str.lower() != 'xn--mnchen-3ya':
+ return "Punycode not allowed: " + Str
+
 # Check if the name is already taken
 G = re.match(r'^([-\w+]+)\s', Str)
 if G is None:
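Review bot: The exemption in the added `if` compares the whole of `Str` with the bare label `'xn--mnchen-3ya'`, but the `re.match(r'^([-\w+]+)\s', Str)` just below suggests `Str` is a full record line (name, whitespace, then the rest). If so, the comparison can never be equal, and the one existing domain is rejected along with every other `xn--` name. The check fails closed, so nothing unvalidated reaches the zone, but the exception described in the commit message appears not to take effect. Compare only the name field, e.g. `if Str.lower().startswith('xn--') and Str.lower().split(None, 1)[0] != 'xn--mnchen-3ya':`, or move the test after the name has been extracted from `G`. DoDNS begins and continues outside this hunk, so the format of `Str` should be confirmed against the record regexes above it.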