Gitweb:
http://git.exim.org/exim.git/commitdiff/c85b3043a4a2ec41cbd8371c25ea265e809237eb
Commit: c85b3043a4a2ec41cbd8371c25ea265e809237eb
Parent: 1dc92d5af0dddcee977aab6da545951c051b2c58
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 20 20:17:32 2014 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Nov 20 20:17:32 2014 +0000
When following a CNAME chain, if any lookup is insecure the whole must be too
---
src/src/dns.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/src/src/dns.c b/src/src/dns.c
index 66633f7..56f81de 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -754,6 +754,7 @@ dns_lookup(dns_answer *dnsa, const uschar *name, int type,
{
int i;
const uschar *orig_name = name;
+BOOL secure_so_far = TRUE;
/* Loop to follow CNAME chains so far, but no further... */
@@ -808,7 +809,12 @@ for (i = 0; i < 10; i++)
/* If any data records of the correct type were found, we are done. */
- if (type_rr.data != NULL) return DNS_SUCCEED;
+ if (type_rr.data != NULL)
+ {
+ if (!secure_so_far) /* mark insecure if any element of CNAME chain was */
+ ((HEADER *)dnsa->answer)->ad = 0;
+ return DNS_SUCCEED;
+ }
/* If there are no data records, we need to re-scan the DNS using the
domain given in the CNAME record, which should exist (otherwise we should
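Review bot: Only the DNS_SUCCEED exit behind the `type_rr.data != NULL` test downgrades the AD flag; the loop's other exits for the chased name (the no-data / no-match paths, which lie outside this hunk) still return the last answer with whatever AD bit its own response carried. A secure negative answer reached through an insecure CNAME is just as untrustworthy as a secure positive one, and for a caller using dns_is_secure() to decide whether a lookup was authenticated that is precisely the case that matters. Clearing the bit once per iteration, right after the lookup that fills dnsa and before any return, would cover every exit: `if (!secure_so_far) ((HEADER *)dnsa->answer)->ad = 0;`. The cast-and-assign presumably mirrors the HEADER access inside dns_is_secure(); a small `dns_set_insecure(dnsa)` helper beside it would keep the two in step. The enclosing for loop and dns_lookup() continue past the end of this hunk.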
@@ -821,6 +827,9 @@ for (i = 0; i < 10; i++)
if (datalen < 0) return DNS_FAIL;
name = data;
+ if (!dns_is_secure(dnsa))
+ secure_so_far = FALSE;
+
DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
} /* Loop back to do another lookup */
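Review bot: The downgrade here rests on `dns_is_secure(dnsa)` reading the AD bit of the answer just fetched, and that bit is only meaningful when it was set by a validating resolver reached over a trusted path (loopback or an authenticated channel) — nothing in this hunk records that precondition. A comment above the check such as `/* AD bit is only trustworthy from a validating resolver on a trusted path; see dns_is_secure() */` would stop the next reader from assuming the flag alone proves DNSSEC validation. The existing debug line could also report the downgrade so chains that lose security are visible in D_dns output: `debug_printf("CNAME found: change to %s%s\n", name, secure_so_far ? "" : " (insecure chain)");`. The enclosing for loop starts before this hunk and dns_lookup() continues after it.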