Changeset 761 for trunk/dns.cgi


Timestamp:
06/13/17 17:18:56 (7 years ago)
Author:
Kris Deugau
Message:

/trunk

Fix a taint issue using Net::DNS for AXFR with a hostname. Inexplicably,
looking up the IP ourselves and passing that (still tainted!) string in
as the connect host works just fine.

Probably needs further review with newer Net::DNS versions to make sure
this still works, or find a different workaround.

File:
1 edited

  • trunk/dns.cgi

    r760 r761  
    17341734    my @results;
    17351735    foreach my $domain (@domlist) {
     1736##fixme: Net::DNS has made changes somewhere between 0.66something (~~ Debian wheezy) and
     1737# 0.81 (~~ Debian jessie) that cause taint failures when providing a hostname as a nameserver
     1738# for AXFR.  A proper fix may boil down to "split AXFR into its own script".  Feh.
     1739# For now, we'll just convert the requested AXFR host to an IP, and pass that down the chain instead.
     1740      my $nsip = gethostbyname($webvar{ifrom});
     1741      use Socket;
     1742      $nsip = inet_ntoa($nsip);
     1743      # strangely enough we don't seem to need to detaint:
     1744      #($nsip) = ($nsip =~ /^([a-fA-F0-9:.]+)$/);
    17361745      my %row;
    1737       my ($code,$msg) = $dnsdb->importAXFR($webvar{ifrom}, $domain, $webvar{group},
     1746      my ($code,$msg) = $dnsdb->importAXFR($nsip, $domain, $webvar{group},
    17381747        status => $webvar{domactive}, rwsoa => $webvar{rwsoa}, rwns => $webvar{rwns},
    17391748        newttl => ($webvar{forcettl} ? $webvar{newttl} : 0),
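Review bot: The return value of gethostbyname($webvar{ifrom}) at new line 1740 is never checked before it is passed to inet_ntoa at 1742, so a host name that fails to resolve reaches inet_ntoa as undef instead of producing a clean error for that domain. Suggest testing $nsip directly after the lookup and reporting the failure for this import rather than carrying on to importAXFR. Two smaller points. Since $nsip is derived from request input and the comment at 1743 says it is still tainted, enabling the pattern at 1744 (or a stricter one) would make the call independent of which Net::DNS versions happen to tolerate a tainted string; note that inet_ntoa only produces IPv4 dotted quads, so the hex and colon characters in that pattern have nothing to match and IPv6-only name servers are not covered by this workaround. The use Socket; at 1741 takes effect at compile time wherever it appears, so it would read better with the other imports at the top of the file.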