[bind10-dev] ModuleCCSession() doesn't validate command?
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Mon Jan 3 18:25:26 UTC 2011
If I read the code correctly, the ModuleCCSession doesn't validate the
syntax of incoming command against the module spec (while it validates
configuration updates). In ModuleCCSession::checkCommand(), it passes
all incoming data except commands named "config_update" to the
"command_handler" callback mostly unconditionally (the only check is
whether the module name matches, btw, I suspect we should also confirm
the command name is valid in case it's not "config_update"). For
configuration updates, it calls handleConfigUpdate(), where
module_specification_.validate_config() validates the input.
My questions are:
1. is my understanding correct?
2. if so, shouldn't we also validate incoming commands?
More information about the bind10-dev