authorBeniamino Galvani <bgalvani@redhat.com>2017-07-14 07:10:08 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2017-07-17 17:04:28 +0200
commite80163c713cdd911cb79036f3f7b629040297c58 (patch)
treef6b7118f8422169c7ea85ea0a192e4ccd27cf3c2
parentbeeb8df9ac93ad432c9533362d862c0c2466cd5e (diff)
dns: perform the public-suffix check only for the hostname-derived domain
The DNS manager drops from the search list domains that are public suffixes to prevent a possible domain hijack when using two-label hostnames [1]. This is a problem now that every single-label domain can be a TLD, since this means that such domains can't be used in the search list. While it's useful to apply such a restriction to the domain automatically derived from the system hostname, it seems wrong to drop domains specified by users in the configuration or provided by DHCP. This commit keeps the public-suffix check only for the hostname-derived domain. [1] https://bugzilla.redhat.com/show_bug.cgi?id=812394 https://bugzilla.redhat.com/show_bug.cgi?id=1404350 (cherry picked from commit 5aa22ed8c9c1944f8843442912561dcec83a11b2)
-rw-r--r--src/dns/nm-dns-manager.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/src/dns/nm-dns-manager.c b/src/dns/nm-dns-manager.c
index f443f340fa..952468e3d1 100644
--- a/src/dns/nm-dns-manager.c
+++ b/src/dns/nm-dns-manager.c
@@ -158,12 +158,12 @@ G_DEFINE_TYPE (NMDnsManager, nm_dns_manager, NM_TYPE_EXPORTED_OBJECT)
#define NM_DNS_MANAGER_GET_PRIVATE(self) _NM_GET_PRIVATE(self, NMDnsManager, NM_IS_DNS_MANAGER)
static gboolean
-domain_is_valid (const gchar *domain)
+domain_is_valid (const gchar *domain, gboolean check_public_suffix)
{
if (*domain == '\0')
return FALSE;
#if WITH_LIBPSL
- if (psl_is_public_suffix (psl_builtin (), domain))
+ if (check_public_suffix && psl_is_public_suffix (psl_builtin (), domain))
return FALSE;
#endif
return TRUE;
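Review bot: The new `check_public_suffix` argument of `domain_is_valid` is undocumented, and because the test sits inside `#if WITH_LIBPSL` a caller passing TRUE gets no public-suffix protection at all in a build without libpsl. I would add a header comment above the function, for example `/* @check_public_suffix: reject domains that are public suffixes; has no effect unless built WITH_LIBPSL */`, and say there that TRUE is meant for domains the administrator did not configure explicitly. The closing brace of the function lies outside the hunk.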
@@ -312,7 +312,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src)
const char *search;
search = nm_ip4_config_get_search (src, i);
- if (!domain_is_valid (search))
+ if (!domain_is_valid (search, FALSE))
continue;
add_string_item (rc->searches, search);
}
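Review bot: The literal `FALSE` in `domain_is_valid (search, FALSE)` covers every search domain in the NMIP4Config. According to the commit description this includes values handed out by DHCP, which are chosen by whoever operates the local network rather than by the user. The same applies to the domain loop in this function and to both loops in merge_one_ip6_config. If dropping the check for DHCP-supplied domains is intended, the call sites should say so, e.g. `/* user- or DHCP-provided domain: public suffixes are allowed on purpose (rh#1404350) */`. Treating the two sources differently would need an origin flag that is not visible in these hunks. Both merge functions start and end outside the hunks shown.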
@@ -322,7 +322,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src)
const char *domain;
domain = nm_ip4_config_get_domain (src, i);
- if (!domain_is_valid (domain))
+ if (!domain_is_valid (domain, FALSE))
continue;
add_string_item (rc->searches, domain);
}
@@ -382,7 +382,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface)
const char *search;
search = nm_ip6_config_get_search (src, i);
- if (!domain_is_valid (search))
+ if (!domain_is_valid (search, FALSE))
continue;
add_string_item (rc->searches, search);
}
@@ -392,7 +392,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface)
const char *domain;
domain = nm_ip6_config_get_domain (src, i);
- if (!domain_is_valid (domain))
+ if (!domain_is_valid (domain, FALSE))
continue;
add_string_item (rc->searches, domain);
}
@@ -923,7 +923,7 @@ merge_global_dns_config (NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
options = nm_global_dns_config_get_options (global_conf);
for (i = 0; searches && searches[i]; i++) {
- if (domain_is_valid (searches[i]))
+ if (domain_is_valid (searches[i], FALSE))
add_string_item (rc->searches, searches[i]);
}
@@ -1055,9 +1055,9 @@ _collect_resolv_conf_data (NMDnsManager *self, /* only for logging context, no o
if ( hostdomain
&& !nm_utils_ipaddr_valid (AF_UNSPEC, hostname)) {
hostdomain++;
- if (domain_is_valid (hostdomain))
+ if (domain_is_valid (hostdomain, TRUE))
add_string_item (rc.searches, hostdomain);
- else if (domain_is_valid (hostname))
+ else if (domain_is_valid (hostname, TRUE))
add_string_item (rc.searches, hostname);
}
}
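Review bot: After this change the two `domain_is_valid (..., TRUE)` calls here are the only place where the public-suffix guard still runs, and the hunk passes `hostdomain` and `hostname` to it without any visible normalisation. libpsl documents that the domain given to `psl_is_public_suffix` should be lowercase UTF-8 or punycode, so it is worth confirming that the hostname is lowercased, and a trailing dot stripped, before this point, or doing so here (libpsl offers `psl_str_to_utf8lower` for this). A short comment such as `/* hostname may come from the network: never add a public suffix to the search list */` would also record why these calls keep TRUE. The surrounding function begins and continues outside the hunk.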