Ville Vesilehto 6676e6185d fix(sign): reject invalid UTF‑8 dbfile token (#7589) ...

The coredns/caddy lexer replaces invalid UTF‑8 bytes in tokens with
U+FFFD. When that lossy-decoded value is used as `dbfile` in the sign
plugin, the source zone file path never exists. On startup/refresh,
the `resign()` function sees the signed file missing and triggers
signing. Consequently `Sign()` then fails opening the bogus path,
the signed file is never created, and the cycle repeats across all
expanded origins (e.g., reverse CIDRs), causing unbounded churn/OOM.

Validate `dbfile` in setup and error if it contains U+FFFD. Add a
regression test.

Note: Unicode paths are supported; only U+FFFD (replacement-rune) is rejected.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

2025-10-06 00:06:28 -07:00

2.6 KiB

Raw Blame History

View Raw