net-dns/pdns/files/CVE-2017-15091-4.0.4.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
--- pdns-4.0.4.orig/pdns/ws-auth.cc	2017-06-22 22:07:25.000000000 +0200
+++ pdns-4.0.4/pdns/ws-auth.cc	2017-11-02 18:07:20.986764858 +0100
@@ -860,7 +860,7 @@
 static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
 
-  if(req->method != "PUT")
+  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
     throw HttpMethodNotAllowedException();
 
   UeberBackend B;
@@ -879,7 +879,7 @@
 static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
 
-  if(req->method != "PUT")
+  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
     throw HttpMethodNotAllowedException();
 
   UeberBackend B;
@@ -1191,7 +1191,7 @@
 }
 
 void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
-  if(req->method != "PUT")
+  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
     throw HttpMethodNotAllowedException();
 
   DNSName canon = apiNameToDNSName(req->getvars["domain"]);