From e90b4e38b136a05d44211f20f79c22e7edb8e73b Mon Sep 17 00:00:00 2001
From: Christian Hofstaedtler
Date: Mon, 28 Apr 2014 12:44:00 +0200
Subject: [PATCH] API: Don't crash when given non-string as nameserver

Fixes #1375.
---
 pdns/ws-auth.cc | 6 ++++++
 regression-tests.api/test_Zones.py | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 0cf9dec7a..1d6dc1bc9 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -419,6 +419,12 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) {
 if (!nameservers.IsArray() || nameservers.Size() == 0)
 throw ApiException("Need at least one nameserver");
 
+ for (SizeType i = 0; i < nameservers.Size(); ++i) {
+ if (!nameservers[i].IsString()) {
+ throw ApiException("Nameservers must be strings.");
+ }
+ }
+
 // no going back after this
 if(!B.createDomain(zonename))
 throw ApiException("Creating domain '"+zonename+"' failed");
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 451bba361..e8ea4f6d2 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
@@ -76,6 +76,21 @@ class AuthZones(ApiTestCase):
 self.assertEquals(data[k], payload[k])
 self.assertEquals(data['id'], expected_id)
 
+ def test_CreateZoneWithNameserversNonString(self):
+ # ensure we don't crash
+ name = unique_zone_name()
+ payload = {
+ 'name': name,
+ 'kind': 'Native',
+ 'nameservers': [{'a': 'ns1.example.com'}] # invalid
+ }
+ print payload
+ r = self.session.post(
+ self.url("/servers/localhost/zones"),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+
 def test_GetZoneWithSymbols(self):
 payload, data = self.create_zone(name='foo/bar.'+unique_zone_name())
 name = payload['name']
-- 
2.49.0
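Review bot: The new loop in apiServerZones checks only the JSON type of each `nameservers` entry, so an empty string still passes and is carried past `B.createDomain(zonename)`, where the existing "no going back after this" comment suggests a later failure would leave a partly created zone. How the names are consumed lies outside this hunk, so that consequence is inferred rather than shown. If empty names are not meant to be accepted, the guard could read `if (!nameservers[i].IsString() || nameservers[i].GetStringLength() == 0)`. The function body starts and ends outside the hunk.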
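Review bot: `print payload` in test_CreateZoneWithNameserversNonString looks like leftover debugging output and is Python 2 statement syntax; it can be dropped without changing what the test checks. The test exercises only an object element, so adding cases such as `'nameservers': [1]` and `'nameservers': [None]` would pin the type check for the other non-string JSON types. A comment like `# a non-string nameserver must be rejected with 422 before the zone is created` would say more than `# ensure we don't crash`.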