[bind10-dev] ModuleCCSession() doesn't validate command?

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Mon Jan 3 18:25:26 UTC 2011


If I read the code correctly, the ModuleCCSession doesn't validate the
syntax of incoming command against the module spec (while it validates
configuration updates).  In ModuleCCSession::checkCommand(), it passes
all incoming data except commands named "config_update" to the
"command_handler" callback mostly unconditionally (the only check is
whether the module name matches, btw, I suspect we should also confirm
the command name is valid in case it's not "config_update").  For
configuration updates, it calls handleConfigUpdate(), where
module_specification_.validate_config() validates the input.

My questions are:
1. is my understanding correct?
2. if so, shouldn't we also validate incoming commands?

---
JINMEI, Tatuya



More information about the bind10-dev mailing list