plugin: reorder rewrite before acl to prevent bypass #7882
Merged
Signed-off-by: younevsky <younevsky@gmail.com>
3bb14bf to e4b9a97
yongtang approved these changes Feb 25, 2026
yongtang pushed a commit to yongtang/coredns that referenced this pull request Mar 18, 2026
gerrit-photon pushed a commit to vmware/photon that referenced this pull request Mar 23, 2026
Change-Id: I0a4bcd447216757022b9487045000c316a1d709a
CVE-2026-26017: coredns/coredns#7882
CVE-2026-26018: coredns/coredns#7881
Reviewed-on: http://photon-gerrit.lvn.broadcom.net/c/photon/+/27255
Tested-by: gerrit-photon <svc.photon-ci@broadcom.com>
Reviewed-by: <mukul.sikka@broadcom.com>
Reviewed-by: Harinadh Dommaraju <harinadh.dommaraju@broadcom.com>
gerrit-photon pushed a commit to vmware/photon that referenced this pull request Mar 23, 2026
Change-Id: I6f6e47a9e218e1daaf9b976425929782469bd7f8
CVE-2026-26017: coredns/coredns#7882
CVE-2026-26018: coredns/coredns#7881
Reviewed-on: http://photon-gerrit.lvn.broadcom.net/c/photon/+/27254
Reviewed-by: <mukul.sikka@broadcom.com>
Tested-by: gerrit-photon <svc.photon-ci@broadcom.com>
Reviewed-by: Harinadh Dommaraju <harinadh.dommaraju@broadcom.com>
1. Why is this pull request needed and what does it do?
In the default plugin.cfg, the acl plugin (and other security/policy plugins) are ordered before the rewrite plugin. This creates a Time-of-Check Time-of-Use (TOCTOU) vulnerability where an access control check is performed on the original query name, but the query is subsequently rewritten to a restricted internal domain (e.g., in a Kubernetes multi-tenant cluster) and resolved by the backend.
2. Which issues (if any) are related?
Relates to GitHub Security Advisory: GHSA-c9v3-4pv7-87pr
3. Which documentation changes (if any) need to be made?
None
4. Does this introduce a backward incompatible change or deprecation?
Yes and No. It changes the execution order of plugins. Users who implicitly relied on acl blocking a query before a rewrite rule applied to it will now have the rewrite applied first. This is the logically secure flow, but represents a behavior change in the pipeline order.
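
The ordering problem described in this pull request, as an added example that is not part of the pull request or of CoreDNS's code: a toy plugin chain in Go that runs the same query through both orders. The plugin type, aclPlugin, rewritePlugin, resolve, and the zone and rule names are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// plugin is a toy handler (not CoreDNS's API): it returns the name to pass on, or ok=false to refuse.
type plugin func(qname string) (next string, ok bool)

// aclPlugin refuses names at or below blockedZone (constructed policy).
func aclPlugin(blockedZone string) plugin {
	return func(qname string) (string, bool) {
		blocked := qname == blockedZone || strings.HasSuffix(qname, "."+blockedZone)
		return qname, !blocked
	}
}

// rewritePlugin replaces one exact name with another (constructed rule).
func rewritePlugin(from, to string) plugin {
	return func(qname string) (string, bool) {
		if qname == from {
			return to, true
		}
		return qname, true
	}
}

// resolve runs the chain in order; it returns the name the backend would
// resolve and whether every plugin let the query through.
func resolve(chain []plugin, qname string) (string, bool) {
	for _, p := range chain {
		next, ok := p(qname)
		if !ok {
			return next, false
		}
		qname = next
	}
	return qname, true
}

func main() {
	acl := aclPlugin("internal.example.")
	rw := rewritePlugin("alias.example.", "db.internal.example.")
	// Old order: the check runs on the original name, the backend gets the rewritten one.
	fmt.Println(resolve([]plugin{acl, rw}, "alias.example."))
	// New order: the check runs on the name the backend will actually resolve.
	fmt.Println(resolve([]plugin{rw, acl}, "alias.example."))
}
```

A query sent directly for the blocked name is refused in both orders; only a query that reaches the blocked zone through a rewrite rule is treated differently.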