X-Git-Url: https://git.ralfj.de/dyn-nsupdate.git/blobdiff_plain/9600b17be11c899d4c5d0be19eb96b3d67f1da39..b6c27c8de6efd9a11739ea184308802ea5cb7d04:/nsupd-wrapper/dyn-nsupdate.cpp?ds=sidebyside
diff --git a/nsupd-wrapper/dyn-nsupdate.cpp b/nsupd-wrapper/dyn-nsupdate.cpp
index d133369..2acf3c0 100644
--- a/nsupd-wrapper/dyn-nsupdate.cpp
+++ b/nsupd-wrapper/dyn-nsupdate.cpp
@@ -20,10 +20,6 @@
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*
-* The views and conclusions contained in the software and documentation are those
-* of the authors and should not be interpreted as representing official policies,
-* either expressed or implied, of the FreeBSD Project.
 */
 #include
@@ -56,8 +52,15 @@ static void write(int fd, const char *str)
 int main(int argc, const char ** argv)
 {
 try {
- static const regex regex_ipv4("\\d{1,3}(\\.\\d{1,3}){3}|");
- static const regex regex_ipv6("[a-fA-F0-9]{1,4}(:[a-fA-F0-9]{1,4}){7}|");
+ // These regular expressions are not supposed to be fully precise: nsupdate will check the addresses, too.
+ // However, they have to make sure that there can be no injection attacks.
+#define GROUP "[0-9]{1,3}"
+ static const regex regex_ipv4(GROUP "(\\." GROUP "){3}|");
+#undef GROUP
+#define GROUP "[a-fA-F0-9]{1,4}"
+ static const regex regex_ipv6("(" GROUP "(::?" GROUP "){0,6})?::?" GROUP "|");
+#undef GROUP
+ static const regex regex_password("[a-zA-Z0-9.:;,_-]+");
 static const regex regex_domain("[a-zA-Z0-9.]+");
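Review bot: The new comment above `regex_ipv4` says the patterns must rule out injection, but it does not say what that guarantee rests on. It holds only if the patterns are applied as a full match rather than a search, which happens further down in main, outside this hunk, and only while the character classes admit nothing but digits, hex letters, dots and colons. I would spell that out, e.g. `// Invariant: applied as a full match; must never accept whitespace, newline or quote characters.` Separately, `regex_ipv6` requires the address to end in a group, so a compressed form with a trailing `::` is rejected before nsupdate sees it; if that is intended, the comment should say so. The `#define GROUP` / `#undef GROUP` pairs could be two local `const std::string` values, which keeps the preprocessor out of the function body.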
@@ -106,6 +109,14 @@ int main(int argc, const char ** argv)
 pt::ini_parser::read_ini(CONFIG_FILE, config);
 std::string nsupdate = config.get("nsupdate");
 unsigned server_port = config.get("port", 53);
+ std::string keyfile = config.get("keyfile", "");
+ std::string key = config.get("key", "");
+
+ /* check for some invalid configurations */
+ if (keyfile.size() > 0 && key.size() > 0) {
+ std::cerr << "You can only have either a keyfile or a key set. Please fix your configuration." << std::endl;
+ exit(1);
+ }
 /* Given the domain, check whether the password matches */
 optional correct_password = config.get_optional(pt::ptree::path_type(domain+"/password", '/'));
@@ -136,7 +147,15 @@ int main(int argc, const char ** argv)
 exit(1);
 }
 /* exec nsupdate */
- execl(nsupdate.c_str(), nsupdate.c_str(), "-p", std::to_string(server_port).c_str(), "-l", (char *)NULL);
+ if (keyfile.size() > 0) {
+ execl(nsupdate.c_str(), nsupdate.c_str(), "-k", keyfile.c_str(), "-p", std::to_string(server_port).c_str(), "-l", (char *)NULL);
+ }
+ else if (key.size() > 0) {
+ execl(nsupdate.c_str(), nsupdate.c_str(), "-y", key.c_str(), "-p", std::to_string(server_port).c_str(), "-l", (char *)NULL);
+ }
+ else {
+ execl(nsupdate.c_str(), nsupdate.c_str(), "-p", std::to_string(server_port).c_str(), "-l", (char *)NULL);
+ }
 /* There was an error */
 std::cerr << "There was an error executing nsupdate." << std::endl;
 exit(1);
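Review bot: The `-y` branch of the exec hunk passes the TSIG secret from the `key` option (read in the config hunk above) as a command-line argument, so it sits in nsupdate's argument list and can be seen in the process listing by other local users while nsupdate runs. nsupdate's own documentation discourages `-y` for this reason. I would steer users to `keyfile` with permissions restricted to the wrapper's account, and at minimum mark the branch with `/* -y exposes the secret in argv (visible in ps); prefer keyfile */` and repeat the warning wherever the `key` option is documented. Both hunks sit inside main, whose body starts and ends outside them.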