BIND 10 master, updated. dbc27ca22d408ac333583edfce29c7651268f8f3 [master] Merge branch 'trac2027' with minor conflict
BIND 10 source code commits
bind10-changes at lists.isc.org
Fri Jun 15 10:03:18 UTC 2012
The branch, master has been updated
via dbc27ca22d408ac333583edfce29c7651268f8f3 (commit)
via dcafee23dccbdf2f4b77ffc57d4a485ab4334455 (commit)
via d84cc75031f45e6a11c06775443f860d46282567 (commit)
via 58abcc59fb63e4f06f8b5b1406b8f1c4674fe814 (commit)
from ef5d56d8dbbf4a5e01d6256828d599d51fc74cf9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dbc27ca22d408ac333583edfce29c7651268f8f3
Merge: ef5d56d dcafee2
Author: Jelte Jansen <jelte at isc.org>
Date: Fri Jun 15 11:36:52 2012 +0200
[master] Merge branch 'trac2027' with minor conflict
Conflicts:
src/lib/python/isc/ddns/tests/session_tests.py
-----------------------------------------------------------------------
Summary of changes:
src/lib/python/isc/ddns/session.py | 7 ++++++-
src/lib/python/isc/ddns/tests/session_tests.py | 19 +++++++++++++++++--
2 files changed, 23 insertions(+), 3 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/lib/python/isc/ddns/session.py b/src/lib/python/isc/ddns/session.py
index 04030c3..366bc8b 100644
--- a/src/lib/python/isc/ddns/session.py
+++ b/src/lib/python/isc/ddns/session.py
@@ -242,12 +242,17 @@ class UpdateSession:
'''
try:
self._get_update_zone()
+ # Contrary to what RFC2136 specifies, we do ACL checks before
+ # prerequisites. It's now generally considered to be a bad
+ # idea, and actually does harm such as information
+ # leak. It should make more sense to prevent any security issues
+ # by performing ACL check as early as possible.
+ self.__check_update_acl(self.__zname, self.__zclass)
self._create_diff()
prereq_result = self.__check_prerequisites()
if prereq_result != Rcode.NOERROR():
self.__make_response(prereq_result)
return UPDATE_ERROR, self.__zname, self.__zclass
- self.__check_update_acl(self.__zname, self.__zclass)
update_result = self.__do_update()
if update_result != Rcode.NOERROR():
self.__make_response(update_result)
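Review bot: The new comment says the order deviates from RFC2136 but not where the RFC fixes that order, so a reader cannot verify the claim without rereading it; I would cite it and name the concrete risk, e.g. `# RFC 2136 processes prerequisites (section 3.2) before the requestor's permissions (section 3.3); we deliberately check the ACL first so that a client without update permission only ever sees REFUSED and cannot probe for existing names or RRsets through prerequisite rcodes.` How `__check_update_acl` reports a denial is not visible in the hunk — the call has no return handling, so it presumably raises and the caller turns that into the response; worth confirming that path still yields the REFUSED the new test expects now that it runs before `_create_diff()`. The enclosing method starts and ends outside the hunk.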
diff --git a/src/lib/python/isc/ddns/tests/session_tests.py b/src/lib/python/isc/ddns/tests/session_tests.py
index 0239bb1..f7c2d3c 100644
--- a/src/lib/python/isc/ddns/tests/session_tests.py
+++ b/src/lib/python/isc/ddns/tests/session_tests.py
@@ -657,12 +657,12 @@ class SessionTest(SessionTestBase):
self.assertEqual(str(expected_soa),
str(session._UpdateSession__added_soa))
- def check_full_handle_result(self, expected, updates):
+ def check_full_handle_result(self, expected, updates, prerequisites=[]):
'''Helper method for checking the result of a full handle;
creates an update session, and fills it with the list of rrsets
from 'updates'. Then checks if __handle()
results in a response with rcode 'expected'.'''
- msg = create_update_msg([TEST_ZONE_RECORD], [], updates)
+ msg = create_update_msg([TEST_ZONE_RECORD], prerequisites, updates)
zconfig = ZoneConfig(set(), TEST_RRCLASS, self._datasrc_client,
self._acl_map)
session = UpdateSession(msg, TEST_CLIENT4, zconfig)
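Review bot: The new `prerequisites=[]` default on `check_full_handle_result` is a mutable default argument; it is only passed through to create_update_msg here, so nothing mutates it today, but it is the classic shared-state trap and is easy to avoid. I would write `def check_full_handle_result(self, expected, updates, prerequisites=None):` and `msg = create_update_msg([TEST_ZONE_RECORD], prerequisites or [], updates)`. The docstring still describes only 'updates'; add a sentence such as 'If prerequisites is given, those rrsets are placed in the prerequisite section of the message.' The method's body continues past the hunk.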
@@ -902,6 +902,21 @@ class SessionTest(SessionTestBase):
[ b'\x00\x0a\x04mail\x07example\x03org\x00' ])
self.rrset_update_del_rrset_mx = rrset_update_del_rrset_mx
+ def test_acl_before_prereq(self):
+ name_in_use_no = create_rrset("foo.example.org", RRClass.ANY(),
+ RRType.ANY(), 0)
+
+ # Test a prerequisite that would fail
+ self.check_full_handle_result(Rcode.NXDOMAIN(), [], [ name_in_use_no ])
+
+ # Change ACL so that it would be denied
+ self._acl_map = {(TEST_ZONE_NAME, TEST_RRCLASS):
+ REQUEST_LOADER.load([{"action": "REJECT"}])}
+
+ # The prerequisite should now not be reached; it should fail on the
+ # ACL
+ self.check_full_handle_result(Rcode.REFUSED(), [], [ name_in_use_no ])
+
def test_prescan(self):
'''Test whether the prescan succeeds on data that is ok, and whether
if notices the SOA if present'''
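Review bot: `test_acl_before_prereq` has no docstring, while its neighbour `test_prescan` and the other tests in this file document what they pin down; add one such as `'''A failing prerequisite yields NXDOMAIN, but once the ACL rejects the client the same request must yield REFUSED, showing the ACL is checked before the prerequisite section.'''`. The second assertion only shows that REFUSED wins over NXDOMAIN; the rcode is the right observable for ordering, so the docstring should say explicitly that this is what the pair of calls is meant to demonstrate. The comment on the first call reads better as `# A prerequisite that fails: the name must not exist, but it does`, since `name_in_use_no` otherwise needs decoding by the reader.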