auth: Prevent more than one CNAME/SOA record in the same RRset

(cherry picked from commit 7f20132510ca9088304004504d34a2f9db5e0336)

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index a03a21ec208da60dbbbaae9747f77f0671f4a2be..9accb183fb63b1a7b994d7ac41c8e2f410a23c7d 100644 (file)
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -471,6 +471,7 @@ static void validateGatheredRRType(const DNSResourceRecord& rr) {
 }
 
 static void gatherRecords(const Json container, const DNSName& qname, const QType qtype, const int ttl, vector<DNSResourceRecord>& new_records, vector<DNSResourceRecord>& new_ptrs) {
+  static const std::set<uint16_t> onlyOneEntryTypes = { QType::CNAME, QType::SOA};
   UeberBackend B;
   DNSResourceRecord rr;
   rr.qname = qname;
@@ -479,7 +480,12 @@ static void gatherRecords(const Json container, const DNSName& qname, const QTyp
   rr.ttl = ttl;
 
   validateGatheredRRType(rr);
-  for(auto record : container["records"].array_items()) {
+  const auto& items = container["records"].array_items();
+  if (onlyOneEntryTypes.count(qtype.getCode()) != 0 && items.size() > 1) {
+    throw ApiException("RRset for "+rr.qname.toString()+"/"+rr.qtype.getName()+" has more than one record");
+  }
+
+  for(const auto& record : items) {
     string content = stringFromJson(record, "content");
     rr.disabled = boolFromJson(record, "disabled");