auth: make sure Lua axfrfilter() does not insert out of zone data
authorKees Monshouwer <mind04@monshouwer.org>
Sun, 4 Jun 2017 11:31:54 +0000 (13:31 +0200)
committermind04 <mind04@monshouwer.org>
Mon, 12 Jun 2017 19:21:15 +0000 (21:21 +0200)
pdns/slavecommunicator.cc

index f89313d6daf7b484fd1efaccfc9114dfda48026e..ff492c377bfb913bbb0fd2a9c6a78af8ddc5d5d1 100644 (file)
@@ -264,6 +264,10 @@ static vector<DNSResourceRecord> doAxfr(const ComboAddress& raddr, const DNSName
       }
 
       for(DNSResourceRecord& rr :  out) {
+        if(!rr.qname.isPartOf(domain)) {
+          L<<Logger::Error<<"Lua axfrfilter() filter tried to sneak in out-of-zone data '"<<i->qname<<"'|"<<i->qtype.getName()<<" during AXFR of zone '"<<domain<<"', ignoring"<<endl;
+          continue;
+        }
         if(!processRecordForZS(domain, firstNSEC3, rr, zs))
           continue;
         if(rr.qtype.getCode() == QType::SOA) {
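Review bot: The error message in the added out-of-zone check prints `i->qname` and `i->qtype.getName()`, although the condition tests `rr`. `i` is not declared in this hunk; it is presumably the iterator over the incoming AXFR record that was passed to the filter, in which case the log names the original record rather than the out-of-zone one that axfrfilter() returned. Whoever triages a faulty or tampered filter script needs the rejected name and type, so the message should use `rr`: `...out-of-zone data '"<<rr.qname<<"'|"<<rr.qtype.getName()<<" during AXFR of zone '"<<domain<<"', ignoring"<<endl;`. The wording "axfrfilter() filter" is also redundant. The loop body and doAxfr continue outside the hunk.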