109 lines
3.8 KiB
Diff
109 lines
3.8 KiB
Diff
From dd3531f120df2e9d249c6fddc062345c169db58e Mon Sep 17 00:00:00 2001
|
|
From: Beniamino Galvani <bgalvani@redhat.com>
|
|
Date: Fri, 14 Jul 2017 07:10:08 +0200
|
|
Subject: [PATCH] dns: perform the public-suffix check only for the
|
|
hostname-derived domain
|
|
|
|
The DNS manager drops from the search list domains that are public
|
|
suffixes to prevent a possible domain hijack when using two-labels
|
|
hostnames [1].
|
|
|
|
This is a problem now that every single-label domain can be a TLD
|
|
since this means that such domains can't be used in the search list.
|
|
|
|
While it's useful to apply such restriction to the domain
|
|
automatically derived from the system hostname, it seems wrong to drop
|
|
domains specified by users in the configuration or provided by DHCP.
|
|
|
|
This commit keeps the public-suffix check only for the
|
|
hostname-derived domain
|
|
|
|
[1] https://bugzilla.redhat.com/show_bug.cgi?id=812394
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1404350
|
|
(cherry picked from commit 5aa22ed8c9c1944f8843442912561dcec83a11b2)
|
|
(cherry picked from commit e80163c713cdd911cb79036f3f7b629040297c58)
|
|
---
|
|
src/dns/nm-dns-manager.c | 18 +++++++++---------
|
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/src/dns/nm-dns-manager.c b/src/dns/nm-dns-manager.c
|
|
index f443f34..952468e 100644
|
|
--- a/src/dns/nm-dns-manager.c
|
|
+++ b/src/dns/nm-dns-manager.c
|
|
@@ -158,12 +158,12 @@ G_DEFINE_TYPE (NMDnsManager, nm_dns_manager, NM_TYPE_EXPORTED_OBJECT)
|
|
#define NM_DNS_MANAGER_GET_PRIVATE(self) _NM_GET_PRIVATE(self, NMDnsManager, NM_IS_DNS_MANAGER)
|
|
|
|
static gboolean
|
|
-domain_is_valid (const gchar *domain)
|
|
+domain_is_valid (const gchar *domain, gboolean check_public_suffix)
|
|
{
|
|
if (*domain == '\0')
|
|
return FALSE;
|
|
#if WITH_LIBPSL
|
|
- if (psl_is_public_suffix (psl_builtin (), domain))
|
|
+ if (check_public_suffix && psl_is_public_suffix (psl_builtin (), domain))
|
|
return FALSE;
|
|
#endif
|
|
return TRUE;
|
|
@@ -312,7 +312,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src)
|
|
const char *search;
|
|
|
|
search = nm_ip4_config_get_search (src, i);
|
|
- if (!domain_is_valid (search))
|
|
+ if (!domain_is_valid (search, FALSE))
|
|
continue;
|
|
add_string_item (rc->searches, search);
|
|
}
|
|
@@ -322,7 +322,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src)
|
|
const char *domain;
|
|
|
|
domain = nm_ip4_config_get_domain (src, i);
|
|
- if (!domain_is_valid (domain))
|
|
+ if (!domain_is_valid (domain, FALSE))
|
|
continue;
|
|
add_string_item (rc->searches, domain);
|
|
}
|
|
@@ -382,7 +382,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface)
|
|
const char *search;
|
|
|
|
search = nm_ip6_config_get_search (src, i);
|
|
- if (!domain_is_valid (search))
|
|
+ if (!domain_is_valid (search, FALSE))
|
|
continue;
|
|
add_string_item (rc->searches, search);
|
|
}
|
|
@@ -392,7 +392,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface)
|
|
const char *domain;
|
|
|
|
domain = nm_ip6_config_get_domain (src, i);
|
|
- if (!domain_is_valid (domain))
|
|
+ if (!domain_is_valid (domain, FALSE))
|
|
continue;
|
|
add_string_item (rc->searches, domain);
|
|
}
|
|
@@ -923,7 +923,7 @@ merge_global_dns_config (NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
|
|
options = nm_global_dns_config_get_options (global_conf);
|
|
|
|
for (i = 0; searches && searches[i]; i++) {
|
|
- if (domain_is_valid (searches[i]))
|
|
+ if (domain_is_valid (searches[i], FALSE))
|
|
add_string_item (rc->searches, searches[i]);
|
|
}
|
|
|
|
@@ -1055,9 +1055,9 @@ _collect_resolv_conf_data (NMDnsManager *self, /* only for logging context, no o
|
|
if ( hostdomain
|
|
&& !nm_utils_ipaddr_valid (AF_UNSPEC, hostname)) {
|
|
hostdomain++;
|
|
- if (domain_is_valid (hostdomain))
|
|
+ if (domain_is_valid (hostdomain, TRUE))
|
|
add_string_item (rc.searches, hostdomain);
|
|
- else if (domain_is_valid (hostname))
|
|
+ else if (domain_is_valid (hostname, TRUE))
|
|
add_string_item (rc.searches, hostname);
|
|
}
|
|
}
|
|
--
|
|
2.9.3
|
|
|