From 2a7cebaddbd89a534539fd733f73bdb89d248e7d Mon Sep 17 00:00:00 2001
From: Peter Thomassen <peter@desec.io>
Date: Thu, 10 Jul 2025 15:28:12 +0200
Subject: [PATCH] auth: fix set-meta for single-value metadata

---
 pdns/pdnsutil.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index d43bb2387c..527c4b259b 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -4249,13 +4249,16 @@ static int setMeta(vector<string>& cmds, const std::string_view synopsis)
   const static std::array<string, 7> multiMetaWhitelist = {"ALLOW-AXFR-FROM", "ALLOW-DNSUPDATE-FROM",
     "ALSO-NOTIFY", "TSIG-ALLOW-AXFR", "TSIG-ALLOW-DNSUPDATE", "GSS-ALLOW-AXFR-PRINCIPAL",
     "PUBLISH-CDS"};
-  bool clobber = true;
-  if (cmds.at(0) == "add-meta") {
-    clobber = false;
-    if (find(multiMetaWhitelist.begin(), multiMetaWhitelist.end(), kind) == multiMetaWhitelist.end() && kind.find("X-") != 0) {
+  bool clobber = (cmds.at(0) != "add-meta");
+  if (find(multiMetaWhitelist.begin(), multiMetaWhitelist.end(), kind) == multiMetaWhitelist.end() && kind.find("X-") != 0) {
+    if(!clobber) {
       cerr<<"Refusing to add metadata to single-value metadata "<<kind<<endl;
       return 1;
     }
+    if(cmds.size() > 4) {
+      cerr<<"Refusing to set several metadata to single-value metadata "<<kind<<endl;
+      return 1;
+    }
   }
   vector<string> meta(cmds.begin() + 3, cmds.end());
   return addOrSetMeta(zone, kind, meta, clobber);
-- 
2.47.2