Permalink
Browse files

API: be more strict when parsing record contents

Fixes #2113.
(cherry picked from commit 1e5b9ab)
  • Loading branch information...
1 parent 2f72b7c commit 2b06977d5b93e82b021427b40c8277faea24ed64 @zeha zeha committed with mind04 Feb 7, 2015
Showing with 36 additions and 1 deletion.
  1. +12 −1 pdns/ws-auth.cc
  2. +24 −0 regression-tests.api/test_Zones.py
View
@@ -407,10 +407,21 @@ static void gatherRecords(const Value& container, vector<DNSResourceRecord>& new
try {
shared_ptr<DNSRecordContent> drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content));
string tmp = drc->serialize(rr.qname);
+ if (rr.qtype.getCode() != QType::AAAA) {
+ tmp = drc->getZoneRepresentation();
+ if (!pdns_iequals(tmp, rr.content)) {
+ throw std::runtime_error("Not in expected format (parsed as '"+tmp+"')");
+ }
+ } else {
+ struct in6_addr tmpbuf;
+ if (inet_pton(AF_INET6, rr.content.c_str(), &tmpbuf) != 1 || rr.content.find('.') != string::npos) {
+ throw std::runtime_error("Invalid IPv6 address");
+ }
+ }
}
catch(std::exception& e)
{
- throw ApiException("Record "+rr.qname+"/"+rr.qtype.getName()+" "+rr.content+": "+e.what());
+ throw ApiException("Record "+rr.qname+"/"+rr.qtype.getName()+" '"+rr.content+"': "+e.what());
}
if ((rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) &&
@@ -727,6 +727,30 @@ def test_rrset_unknown_type(self):
self.assertEquals(r.status_code, 422)
self.assertIn('unknown type', r.json()['error'])
+ def test_create_zone_with_leading_space(self):
+ # Actual regression.
+ payload, zone = self.create_zone()
+ name = payload['name']
+ rrset = {
+ 'changetype': 'replace',
+ 'name': name,
+ 'type': 'A',
+ 'records': [
+ {
+ "name": name,
+ "type": "A",
+ "ttl": 3600,
+ "content": " 4.3.2.1",
+ "disabled": False
+ }
+ ]
+ }
+ payload = {'rrsets': [rrset]}
+ r = self.session.patch(self.url("/servers/localhost/zones/" + name), data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+ self.assertIn('Not in expected format', r.json()['error'])
+
def test_zone_rr_delete_out_of_zone(self):
payload, zone = self.create_zone()
name = payload['name']

0 comments on commit 2b06977

Please sign in to comment.