konevsa/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: ssl/cli: restrain certificate path when inserting into a directory

Browse Source 
When trying to insert a new certificate into a directory with "add ssl
crt-list", no check were done on the path of the new certificate.

To be more consistent with the HAProxy reload, when adding a file to
a crt-list, if this crt-list is a directory, the certificate will need
to have the directory in its path.
This commit is contained in:
William Lallemand 2020-04-21 18:29:12 +02:00 committed by William Lallemand
parent b74d564043
commit 916d0b523d
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/ssl_sock.c
View File

@ -11413,6 +11413,24 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
goto error;
}
if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
char *slash;
slash = strrchr(cert_path, '/');
if (!slash) {
memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
goto error;
}
/* temporary replace / by 0 to do an strcmp */
*slash = '\0';
if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
*slash = '/';
memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
goto error;
}
*slash = '/';
}
if (*cert_path != '/' && global_ssl.crt_base) {
if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
memprintf(&err, "'%s' : path too long", cert_path);