From 721a4c43493e9b50192f71811265a9e17fe31a4d Mon Sep 17 00:00:00 2001
From: Johannes Zellner <johannes@cloudron.io>
Date: Fri, 9 Feb 2018 12:43:03 +0100
Subject: [PATCH] Validate the adminFqdn in dns setup route

---
 src/setup.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/setup.js b/src/setup.js
index 5441049b9..63a71fc88 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -186,9 +186,11 @@ function dnsSetup(adminFqdn, domain, zoneName, provider, dnsConfig, tlsConfig, c
 
     if (gWebadminStatus.configuring || gWebadminStatus.restoring) return callback(new SetupError(SetupError.BAD_STATE, 'Already restoring or configuring'));
 
+    if (!tld.isValid(adminFqdn) || !adminFqdn.endsWith(domain)) return callback(new SetupError(SetupError.BAD_FIELD, 'adminFqdn must be a subdomain of domain'));
+
     if (!zoneName) zoneName = tld.getDomain(domain) || domain;
 
-    debug('dnsSetup: Setting up Cloudron with domain %s and zone %s', domain, zoneName);
+    debug(`dnsSetup: Setting up Cloudron with domain ${domain} and zone ${zoneName} using admin fqdn ${adminFqdn}`);
 
     function done(error) {
         if (error && error.reason === DomainError.BAD_FIELD) return callback(new SetupError(SetupError.BAD_FIELD, error.message));