From 916d0b523d6ab11db9f8b2589a05422c6a21bfea Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 21 Apr 2020 18:29:12 +0200
Subject: [PATCH] MINOR: ssl/cli: restrain certificate path when inserting into a directory

When trying to insert a new certificate into a directory with "add ssl crt-list", no check were done on the path of the new certificate. To be more consistent with the HAProxy reload, when adding a file to a crt-list, if this crt-list is a directory, the certificate will need to have the directory in its path.
---
 src/ssl_sock.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9313f5e..9077e91 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -11413,6 +11413,24 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
 goto error;
 }
+ if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
+ char *slash;
+
+ slash = strrchr(cert_path, '/');
+ if (!slash) {
+ memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+ goto error;
+ }
+ /* temporary replace / by 0 to do an strcmp */
+ *slash = '\0';
+ if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
+ *slash = '/';
+ memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+ goto error;
+ }
+ *slash = '/';
+ }
+
 if (*cert_path != '/' && global_ssl.crt_base) {
 if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
 memprintf(&err, "'%s' : path too long", cert_path);
--
1.7.10.4
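Review bot: The prefix check in the added block writes a NUL into `cert_path` and has to restore the `/` on every exit, with the same error message duplicated; a length-bounded compare avoids modifying the string at all: `size_t dlen = slash - cert_path;` followed by `if (strlen((char *)crtlist->node.key) != dlen || strncmp(cert_path, (char *)crtlist->node.key, dlen) != 0)`. The comparison is purely textual and runs before the `crt_base` handling that follows it, so a directory key stored with a trailing slash, or in a different relative/absolute form than the CLI argument, would presumably be rejected, while a path ending in `/` (empty file name) passes; how the key is normalised at load time is not visible here and is worth confirming. The `eb_gettag(crtlist->entries.b[EB_RGHT])` condition is only recognisable as "this crt-list is a directory" from the error text, so it deserves a comment such as `/* crt-list is a directory: the new certificate must be located in it */`. The body of cli_parse_add_crtlist starts and ends outside the hunk.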