new file mode 100644

@@ -0,0 +1,45 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2025 Lev Stipakov <lev@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License along

+ *  with this program; if not, write to the Free Software Foundation, Inc.,

+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ */

+

+static inline bool

+is_allowed_domain_ascii(unsigned char c)

+{

+    return (c >= 'A' && c <= 'Z')

+           || (c >= 'a' && c <= 'z')

+           || (c >= '0' && c <= '9')

+           || c == '.' || c == '-' || c == '_' || c >= 0x80;

+}

+

+static inline bool

+validate_domain(const char *domain)

+{

+    for (const char *ch = domain; *ch; ++ch)

+    {

+        if (!is_allowed_domain_ascii((unsigned char)*ch))

+        {

+            return false;

+        }

+    }

+

+    return true;

+}

@@ -46,6 +46,7 @@

 #include "win32.h"

 #include "block_dns.h"

 #include "networking.h"

+#include "domain_helper.h"

 #include "memdbg.h"

@@ -390,6 +391,12 @@ do_dns_domain_pwsh(bool add, const struct tuntap *tt)

         return;

     }

+    if (add && !validate_domain(tt->options.domain))

+    {

+        msg(M_WARN, "Failed to set DNS domain '%s' because it contains invalid characters", tt->options.domain);

+        return;

+    }

+

     struct argv argv = argv_new();

     argv_printf(&argv,

                 "%s%s -NoProfile -NonInteractive -Command Set-DnsClient -InterfaceIndex %lu -ConnectionSpecificSuffix '%s'",

@@ -40,6 +40,7 @@

 #include "validate.h"

 #include "block_dns.h"

 #include "ring_buffer.h"

+#include "domain_helper.h"

 #define IO_TIMEOUT  2000 /*ms*/

@@ -1216,6 +1217,12 @@ SetDNSDomain(const wchar_t *if_name, const char *domain, undo_lists_t *lists)

 {

     NET_IFINDEX if_index;

+    if (!validate_domain(domain))

+    {

+        MsgToEventLog(MSG_FLAGS_ERROR, TEXT("Failed to set DNS domain '%hs' because it contains invalid characters"), domain);

+        return ERROR_INVALID_DATA;

+    }

+

     DWORD err  = ConvertInterfaceNameToIndex(if_name, &if_index);

     if (err != ERROR_SUCCESS)

     {