diff options
| author |  Chris O'Haver <cohaver@infoblox.com>
| 2022-05-01 08:57:03 -0400 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2022-05-01 05:57:03 -0700 |
| commit | c4bc1a5471e8829fab317b4693e476c6b416a09c (patch) | |
| tree | 2af847dfe0b9c800f1efb95e89a67db4f7753864 /plugin/cache/handler.go | |
| parent | 5a4437bb23e383ebb7c8fce6c8fbce802831d986 (diff) | |
| download | coredns-c4bc1a5471e8829fab317b4693e476c6b416a09c.tar.gz coredns-c4bc1a5471e8829fab317b4693e476c6b416a09c.tar.zst coredns-c4bc1a5471e8829fab317b4693e476c6b416a09c.zip | |
plugin/cache: Fix cache poisoning exploit (#5174)
Diffstat (limited to 'plugin/cache/handler.go')
| -rw-r--r-- | plugin/cache/handler.go | 27 |
1 files changed, 6 insertions, 21 deletions
diff --git a/plugin/cache/handler.go b/plugin/cache/handler.go index b7adc3a9e..2b4c89350 100644 --- a/plugin/cache/handler.go +++ b/plugin/cache/handler.go @@ -89,38 +89,23 @@ func (c *Cache) shouldPrefetch(i *item, now time.Time) bool { // Name implements the Handler interface. func (c *Cache) Name() string { return "cache" } -func (c *Cache) get(now time.Time, state request.Request, server string) (*item, bool) { - k := hash(state.Name(), state.QType()) - cacheRequests.WithLabelValues(server, c.zonesMetricLabel).Inc() - - if i, ok := c.ncache.Get(k); ok && i.(*item).ttl(now) > 0 { - cacheHits.WithLabelValues(server, Denial, c.zonesMetricLabel).Inc() - return i.(*item), true - } - - if i, ok := c.pcache.Get(k); ok && i.(*item).ttl(now) > 0 { - cacheHits.WithLabelValues(server, Success, c.zonesMetricLabel).Inc() - return i.(*item), true - } - cacheMisses.WithLabelValues(server, c.zonesMetricLabel).Inc() - return nil, false -} - // getIgnoreTTL unconditionally returns an item if it exists in the cache. func (c *Cache) getIgnoreTTL(now time.Time, state request.Request, server string) *item { k := hash(state.Name(), state.QType()) cacheRequests.WithLabelValues(server, c.zonesMetricLabel).Inc() if i, ok := c.ncache.Get(k); ok { - ttl := i.(*item).ttl(now) - if ttl > 0 || (c.staleUpTo > 0 && -ttl < int(c.staleUpTo.Seconds())) { + itm := i.(*item) + ttl := itm.ttl(now) + if itm.matches(state) && (ttl > 0 || (c.staleUpTo > 0 && -ttl < int(c.staleUpTo.Seconds()))) { cacheHits.WithLabelValues(server, Denial, c.zonesMetricLabel).Inc() return i.(*item) } } if i, ok := c.pcache.Get(k); ok { - ttl := i.(*item).ttl(now) - if ttl > 0 || (c.staleUpTo > 0 && -ttl < int(c.staleUpTo.Seconds())) { + itm := i.(*item) + ttl := itm.ttl(now) + if itm.matches(state) && (ttl > 0 || (c.staleUpTo > 0 && -ttl < int(c.staleUpTo.Seconds()))) { cacheHits.WithLabelValues(server, Success, c.zonesMetricLabel).Inc() return i.(*item) } |