Merge pull request #17191 from miodvallat/50x.sa-2026-05

auth 5.0: backport SA 2026-05 fixes

Author: miodvallat

ext/yahttp/yahttp/reqresp.cpp

@@ -40,7 +40,19 @@ namespace YaHTTP {
   }
 
   template <class T>
-  bool AsyncLoader<T>::feed(const std::string& somedata) {
+  bool AsyncLoader<T>::feed(const std::string& somedata)
+  {
+    if (state < 2) {
+      headersize += somedata.length(); // maye include some body data, we don't know yet...
+      if (headersize > target->max_header_size) {
+        if (target->kind == YAHTTP_TYPE_REQUEST) {
+          throw ParseError("Request header too large");
+        }
+        else {
+          throw ParseError("Response header too large");
+        }
+      }
+    }
     buffer.append(somedata);
     while(state < 2) {
       int cr=0;
@@ -155,8 +167,8 @@ namespace YaHTTP {
         maxbody = minbody;
       }
       if (minbody < 1) return true; // guess there isn't anything left.
-      if (target->kind == YAHTTP_TYPE_REQUEST && static_cast<ssize_t>(minbody) > target->max_request_size) throw ParseError("Max request body size exceeded");
-      else if (target->kind == YAHTTP_TYPE_RESPONSE && static_cast<ssize_t>(minbody) > target->max_response_size) throw ParseError("Max response body size exceeded");
+      if (target->kind == YAHTTP_TYPE_REQUEST && minbody > target->max_request_size) throw ParseError("Max request body size exceeded");
+      else if (target->kind == YAHTTP_TYPE_RESPONSE && minbody > target->max_response_size) throw ParseError("Max response body size exceeded");
     }
 
     if (maxbody == 0) hasBody = false;
@@ -175,20 +187,23 @@ namespace YaHTTP {
           buffer.copy(buf, pos);
           buf[pos]=0; // just in case...
           buffer.erase(buffer.begin(), buffer.begin()+pos+1); // remove line from buffer
-          if (sscanf(buf, "%x", &chunk_size) != 1) {
+          if (sscanf(buf, "%zx", &chunk_size) != 1) {
             throw ParseError("Unable to parse chunk size");
           }
           if (chunk_size == 0) { state = 3; break; } // last chunk
-          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {
+          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2) || chunk_size > maxbody) {
             throw ParseError("Chunk is too large");
           }
         } else {
           int crlf=1;
-          if (buffer.size() < static_cast<size_t>(chunk_size+1)) return false; // expect newline
+          if (buffer.size() < chunk_size+1) return false; // expect newline
           if (buffer.at(chunk_size) == '\r') {
-            if (buffer.size() < static_cast<size_t>(chunk_size+2) || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return
+            if (buffer.size() < chunk_size+2 || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return
             crlf=2;
           } else if (buffer.at(chunk_size) != '\n') return false;
+          if (bodybuf.str().length() + chunk_size > maxbody) {
+            throw ParseError("Chunked body is too large");
+          }
           std::string tmp = buffer.substr(0, chunk_size);
           buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf);
           bodybuf << tmp;

ext/yahttp/yahttp/reqresp.hpp

@@ -20,6 +20,10 @@ namespace funcptr = boost;
 
 #include <algorithm>
 
+#ifndef YAHTTP_MAX_HEADER_SIZE
+#define YAHTTP_MAX_HEADER_SIZE (100 * 1024)
+#endif
+
 #ifndef YAHTTP_MAX_REQUEST_SIZE
 #define YAHTTP_MAX_REQUEST_SIZE 2097152
 #endif
@@ -108,6 +112,7 @@ namespace YaHTTP {
 #endif
       max_request_size = YAHTTP_MAX_REQUEST_SIZE;
       max_response_size = YAHTTP_MAX_RESPONSE_SIZE;
+      max_header_size = YAHTTP_MAX_HEADER_SIZE;
       url = "";
       method = "";
       statusText = "";
@@ -130,6 +135,7 @@ namespace YaHTTP {
       this->parameters = rhs.parameters; this->getvars = rhs.getvars;
       this->body = rhs.body; this->max_request_size = rhs.max_request_size;
       this->max_response_size = rhs.max_response_size; this->version = rhs.version;
+      this->max_header_size = rhs.max_header_size;
 #ifdef HAVE_CPP_FUNC_PTR
       this->renderer = rhs.renderer;
 #endif
@@ -143,6 +149,7 @@ namespace YaHTTP {
       this->parameters = rhs.parameters; this->getvars = rhs.getvars;
       this->body = rhs.body; this->max_request_size = rhs.max_request_size;
       this->max_response_size = rhs.max_response_size; this->version = rhs.version;
+      this->max_header_size = rhs.max_header_size;
 #ifdef HAVE_CPP_FUNC_PTR
       this->renderer = rhs.renderer;
 #endif
@@ -166,8 +173,9 @@ namespace YaHTTP {
 
     std::string body; //<! the actual content
 
-    ssize_t max_request_size; //<! maximum size of request
-    ssize_t max_response_size;  //<! maximum size of response
+    size_t max_request_size; //<! maximum size of request
+    size_t max_response_size; //<! maximum size of response
+    size_t max_header_size; //<! maximum size of headers
     bool is_multipart; //<! if the request is multipart, prevents Content-Length header
 #ifdef HAVE_CPP_FUNC_PTR
     funcptr::function<size_t(const HTTPBase*,std::ostream&,bool)> renderer; //<! rendering function
@@ -301,10 +309,11 @@ namespace YaHTTP {
 
     std::string buffer; //<! read buffer 
     bool chunked; //<! whether we are parsing chunked data
-    int chunk_size; //<! expected size of next chunk
+    size_t chunk_size; //<! expected size of next chunk
     std::ostringstream bodybuf; //<! buffer for body
     size_t maxbody; //<! maximum size of body
     size_t minbody; //<! minimum size of body
+    size_t headersize;                 
     bool hasBody; //<! are we expecting body
 
     void keyValuePair(const std::string &keyvalue, std::string &key, std::string &value); //<! key value pair parser helper
@@ -315,6 +324,7 @@ namespace YaHTTP {
       pos = 0; state = 0; this->target = target_;
       hasBody = false;
       buffer = "";
+      headersize = 0;
       this->target->initialize();
     }; //<! Initialize the parser for target and clear state
     bool feed(const std::string& somedata); //<! Feed data to the parser

modules/bindbackend/bindbackend2.cc

@@ -1492,7 +1492,29 @@ BB2DomainInfo Bind2Backend::createDomainEntry(const ZoneName& domain, const stri
 
 bool Bind2Backend::createSecondaryDomain(const string& ipAddress, const ZoneName& domain, const string& /* nameserver */, const string& account)
 {
-  string filename = getArg("autoprimary-destdir") + '/' + domain.toStringNoDot();
+  std::string domainname = domain.toStringNoDot();
+
+  // Reject domain name if it embeds quotes; this may happen if 8bit-dns is
+  // used, and bind currently does not allow for character escapes in zone
+  // names.
+  if (domainname.find_first_of("\"") != std::string::npos) {
+    SLOG(g_log << Logger::Error << d_logprefix
+               << " Unable to accept autosecondary zone '" << domain
+               << "' from autoprimary " << ipAddress
+               << " due to unauthorized characters in domain name for bind configuration file"
+               << endl,
+         d_slog->error(Logr::Error, "unauthorized characters in domain name for bind configuration file", "Unable to accept autosecondary zone", "zone", Logging::Loggable(domain), "autoprimary address", Logging::Loggable(ipAddress)));
+    throw PDNSException("Unauthorized characters in domain name for bind configuration file");
+  }
+
+  string filename = getArg("autoprimary-destdir") + '/';
+  if (domainname.empty()) {
+    filename.append("rootzone.");
+  }
+  else {
+    // Make sure the zone file name does not contain path separators.
+    filename.append(boost::replace_all_copy(domainname, "/", "\\047"));
+  }
 
   g_log << Logger::Warning << d_logprefix
         << " Writing bind config zone statement for superslave zone '" << domain
@@ -1508,8 +1530,8 @@ bool Bind2Backend::createSecondaryDomain(const string& ipAddress, const ZoneName
     }
 
     c_of << endl;
-    c_of << "# AutoSecondary zone '" << domain.toString() << "' (added: " << nowTime() << ") (account: " << account << ')' << endl;
-    c_of << "zone \"" << domain.toStringNoDot() << "\" {" << endl;
+    c_of << "# AutoSecondary zone '" << domainname << "' (added: " << nowTime() << ") (account: " << account << ')' << endl;
+    c_of << "zone \"" << domainname << "\" {" << endl;
     c_of << "\ttype secondary;" << endl;
     c_of << "\tfile \"" << filename << "\";" << endl;
     c_of << "\tprimaries { " << ipAddress << "; };" << endl;

modules/ldapbackend/native.cc

@@ -281,7 +281,7 @@ void LdapBackend::lookup_tree(const QType& qtype, const DNSName& qname, DNSPacke
 
   stringtok(parts, toLower(qname.toString()), ".");
   for (auto i = parts.crbegin(); i != parts.crend(); i++) {
-    dn = "dc=" + *i + "," + dn;
+    dn = "dc=" + d_pldap->escape(*i) + "," + dn;
   }
 
   g_log << Logger::Debug << d_myname << " Search = basedn: " << dn + getArg("basedn") << ", filter: " << filter << ", qtype: " << qtype.toString() << endl;

modules/ldapbackend/powerldap.cc

@@ -392,22 +392,68 @@ const string PowerLDAP::getError(int rc)
   return ldapGetError(d_ld, rc);
 }
 
-const string PowerLDAP::escape(const string& str)
+// Escape sensitive characters according to the rules in RFC4514, section 2.4
+// and RFC4515, section 3.
+const std::string PowerLDAP::escape(const string& input)
 {
-  string a;
-  string::const_iterator i;
-  char tmp[4];
-
-  for (i = str.begin(); i != str.end(); i++) {
-    // RFC4515 3
-    if ((unsigned char)*i == '*' || (unsigned char)*i == '(' || (unsigned char)*i == ')' || (unsigned char)*i == '\\' || (unsigned char)*i == '\0' || (unsigned char)*i > 127) {
-      snprintf(tmp, sizeof(tmp), "\\%02x", (unsigned char)*i);
-
-      a += tmp;
+  std::string out;
+  std::array<char, 1 + 3> hexbuf{};
+  auto length = input.length();
+
+  out.reserve(length);
+  for (decltype(length) pos = 0; pos < length; ++pos) {
+    uint8_t chr = static_cast<uint8_t>(input[pos]);
+    // Perform UTF-8 encoding of 8-bit values if needed
+    if (chr >= 0x80) {
+      ::snprintf(hexbuf.data(), hexbuf.size(), "\\%02X",
+                 static_cast<uint8_t>(0xc0 | ((chr >> 6) & 0x3f)));
+      out.append(hexbuf.data());
+      ::snprintf(hexbuf.data(), hexbuf.size(), "\\%02X",
+                 static_cast<uint8_t>(0x80 | (chr & 0x3f)));
+      out.append(hexbuf.data());
+    }
+    else {
+      bool escape4514{false};
+      bool escape4515{false};
+      // Characters which need escaping regardless of their position
+      switch (chr) {
+      case '"':
+      case '+':
+      case ',':
+      case ';':
+      case '<':
+      case '>':
+        escape4514 = true;
+        break;
+      case '*':
+      case '(':
+      case ')':
+      case '\\':
+      case '\0':
+        escape4515 = true;
+        break;
+      default:
+        break;
+      }
+      // Characters which need escaping if in first position
+      if (pos == 0) {
+        escape4514 |= chr == ' ' || chr == '#';
+      }
+      // Characters which need escaping if in last position
+      if (pos == length - 1) {
+        escape4514 |= chr == ' ';
+      }
+      if (escape4515) {
+        ::snprintf(hexbuf.data(), hexbuf.size(), "\\%02X", chr);
+        out.append(hexbuf.data());
+      }
+      else {
+        if (escape4514) {
+          out.append(1, '\\');
+        }
+        out.append(1, chr);
+      }
     }
-    else
-      a += *i;
   }
-
-  return a;
+  return out;
 }

pdns/dnswriter.cc

@@ -198,8 +198,12 @@ template <typename Container> void GenericDNSPacketWriter<Container>::xfrUnquote
     d_content.push_back(0);
     return;
   }
-  if(lenField)
+  if (lenField) {
+    if (text.length() > 255) {
+      throw runtime_error("invalid unquoted text length");
+    }
     d_content.push_back(text.length());
+  }
   d_content.insert(d_content.end(), text.c_str(), text.c_str() + text.length());
 }
 
@@ -410,11 +414,14 @@ template <typename Container> void GenericDNSPacketWriter<Container>::xfrSvcPara
       break;
     case SvcParam::alpn:
     {
-      uint16_t totalSize = param.getALPN().size(); // All 1 octet size headers for each value
+      size_t totalSize = param.getALPN().size(); // All 1 octet size headers for each value
       for (auto const &a : param.getALPN()) {
         totalSize += a.length();
       }
-      xfr16BitInt(totalSize);
+      if (totalSize > std::numeric_limits<uint16_t>::max()) {
+        throw runtime_error("invalid total length of alpn parameters");
+      }
+      xfr16BitInt(static_cast<uint16_t>(totalSize));
       for (auto const &a : param.getALPN()) {
         xfrUnquotedText(a, true); // will add the 1-byte length field
       }

pdns/rcpgenerator.cc

@@ -435,6 +435,9 @@ void RecordTextReader::xfrSvcParamKeyVals(set<SvcParam>& val) // NOLINT(readabil
           if (len == 0) {
             throw RecordTextException("ALPN values cannot be empty strings");
           }
+          if (len > 255) {
+            throw RecordTextException("Length of ALPN value goes over 255");
+          }
           if (len > v.length() - spos) {
             throw RecordTextException("Length of ALPN value goes over total length of alpn SVC Param");
           }
@@ -443,6 +446,11 @@ void RecordTextReader::xfrSvcParamKeyVals(set<SvcParam>& val) // NOLINT(readabil
         }
       } else {
         xfrSVCBValueList(value);
+        for (const auto& item : value) {
+          if (item.length() > 255) {
+            throw RecordTextException("Length of SVC ALPN value goes over 255");
+          }
+        }
       }
       if (value.empty()) {
         throw RecordTextException("value is required for SVC Param " + k);