[bind10-dev] ModuleCCSession() doesn't validate command?
jelte at isc.org
Mon Jan 3 20:53:41 UTC 2011
On 01/03/2011 07:25 PM, JINMEI Tatuya / 神明達哉 wrote:
> If I read the code correctly, the ModuleCCSession doesn't validate the
> syntax of incoming command against the module spec (while it validates
> configuration updates). In ModuleCCSession::checkCommand(), it passes
> all incoming data except commands named "config_update" to the
> "command_handler" callback mostly unconditionally (the only check is
> whether the module name matches, btw, I suspect we should also confirm
> the command name is valid in case it's not "config_update"). For
> configuration updates, it calls handleConfigUpdate(), where
> module_specification_.validate_config() validates the input.
> My questions are:
> 1. is my understanding correct?
> 2. if so, shouldn't we also validate incoming commands?
Spot on twice. In fact the needed code is already there and shouldn't be too
hard to extend to commands; I'll create a ticket.
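The check discussed in this thread, as an added example that is not part of the original post and is not BIND 10 code: validate an incoming command against the module spec and only then call the handler. The spec layout, the `validate_command` and `dispatch` names, and the answer format are assumptions made for the example.

```python
# Added example: spec layout and every name below are assumptions, not BIND 10 code.
SPEC = {  # constructed sample module spec
    "module_name": "Auth",
    "commands": [
        {"command_name": "shutdown", "command_args": []},
        {"command_name": "loadzone", "command_args": [
            {"item_name": "origin", "item_type": "string", "item_optional": False},
            {"item_name": "class", "item_type": "string", "item_optional": True},
        ]},
    ],
}

TYPES = {"string": str, "integer": int, "boolean": bool, "map": dict, "list": list}

def validate_command(spec, name, args):
    """Return a list of error strings; an empty list means the command is valid."""
    cmd = next((c for c in spec.get("commands", []) if c["command_name"] == name), None)
    if cmd is None:
        return ["unknown command: %r" % name]
    if args is None:
        args = {}
    if not isinstance(args, dict):
        return ["command arguments must be a map"]
    errors = []
    known = {a["item_name"]: a for a in cmd.get("command_args", [])}
    for key in args:
        if key not in known:
            errors.append("unknown argument: %r" % key)
    for item_name, item in known.items():
        if item_name not in args:
            if not item.get("item_optional", False):
                errors.append("missing mandatory argument: %r" % item_name)
            continue
        value = args[item_name]
        expected = TYPES.get(item["item_type"])
        # bool is a subclass of int in Python, so reject it explicitly for integers
        if expected is None or not isinstance(value, expected) or (
                expected is int and isinstance(value, bool)):
            errors.append("argument %r is not of type %s" % (item_name, item["item_type"]))
    return errors

def dispatch(spec, name, args, handler):
    """Call handler only for commands that pass validation (fail closed)."""
    errors = validate_command(spec, name, args)
    if errors:
        return {"result": [1, "; ".join(errors)]}  # assumed error answer shape
    return handler(name, args or {})
```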