MINOR: ssl/cli: restrain certificate path when inserting into a directory
When trying to insert a new certificate into a directory with "add ssl crt-list", no check was done on the path of the new certificate. To be more consistent with the HAProxy reload, when adding a file to a crt-list, if this crt-list is a directory, the certificate will need to have the directory in its path.
parent
b74d564043
commit
916d0b523d
@ -11413,6 +11413,24 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
|
||||||
|
char *slash;
|
||||||
|
|
||||||
|
slash = strrchr(cert_path, '/');
|
||||||
|
if (!slash) {
|
||||||
|
memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
/* temporary replace / by 0 to do an strcmp */
|
||||||
|
*slash = '\0';
|
||||||
|
if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
|
||||||
|
*slash = '/';
|
||||||
|
memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
*slash = '/';
|
||||||
|
}
|
||||||
|
|
||||||
if (*cert_path != '/' && global_ssl.crt_base) {
|
if (*cert_path != '/' && global_ssl.crt_base) {
|
||||||
if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
|
if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
|
||||||
memprintf(&err, "'%s' : path too long", cert_path);
|
memprintf(&err, "'%s' : path too long", cert_path);
|
||||||
|
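Review bot: The new directory check accepts a path whose last component is empty: when `cert_path` is the directory name followed by a trailing `/`, `strrchr` finds that final slash, the `strcmp` matches, and the code carries on with no file name. Rejecting it in the first test, `if (!slash || slash[1] == '\0') {`, reuses the existing error message. The comparison is also an exact string match made before the `crt_base` prefix is applied a few lines below, so it presumably relies on `crtlist->node.key` being stored in the same un-prefixed, un-normalised form the operator types; a one-line comment stating that assumption would help. cli_parse_add_crtlist starts and ends outside this hunk, so later validation may already cover part of this.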