From: Remi Gacogne
Date: Wed, 12 Dec 2018 13:38:07 +0000 (+0100)
Subject: auth: Prevent more than one CNAME/SOA record in the same RRset
X-Git-Tag: auth-4.1.6~1^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b94a7c1a5d69514a2b83864a76094a93f5936de8;p=pdns
auth: Prevent more than one CNAME/SOA record in the same RRset
(cherry picked from commit 7f20132510ca9088304004504d34a2f9db5e0336)
---
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index a03a21ec2..9accb183f 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -471,6 +471,7 @@ static void validateGatheredRRType(const DNSResourceRecord& rr) {
 }
 static void gatherRecords(const Json container, const DNSName& qname, const QType qtype, const int ttl, vector& new_records, vector& new_ptrs) {
+ static const std::set onlyOneEntryTypes = { QType::CNAME, QType::SOA};
 UeberBackend B;
 DNSResourceRecord rr;
 rr.qname = qname;
@@ -479,7 +480,12 @@ static void gatherRecords(const Json container, const DNSName& qname, const QTyp
 rr.ttl = ttl;
 validateGatheredRRType(rr);
- for(auto record : container["records"].array_items()) {
+ const auto& items = container["records"].array_items();
+ if (onlyOneEntryTypes.count(qtype.getCode()) != 0 && items.size() > 1) {
+ throw ApiException("RRset for "+rr.qname.toString()+"/"+rr.qtype.getName()+" has more than one record");
+ }
+
+ for(const auto& record : items) {
 string content = stringFromJson(record, "content");
 rr.disabled = boolFromJson(record, "disabled");
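Review bot: `onlyOneEntryTypes` in the first hunk lists CNAME and SOA but not DNAME, which RFC 6672 also defines as a singleton type, so the new guard would still let a multi-record DNAME RRset through this path. Consider `{ QType::CNAME, QType::DNAME, QType::SOA }`, assuming the API accepts DNAME at all. A one-line comment above the set, such as `// types that may hold at most one record per RRset`, would record the rule it enforces. The body of gatherRecords continues outside the hunk, so any later handling of DNAME is not visible here.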
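Review bot: The `items.size() > 1` check in the second hunk counts every element of `records`, including entries whose `disabled` field is true, because it runs before the loop reads `disabled`. A CNAME or SOA RRset with one active and one disabled record is therefore rejected. If that is intended, which seems plausible because a disabled record could later be enabled, a comment above the check such as `// disabled records count too` would make it explicit. Otherwise the count should skip disabled entries. The rest of the loop body lies outside the hunk.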