MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
Ignore the files starting with a dot when trying to load a directory
with the "crt" directive.
Should fix issue #1689.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index f4aba09..cab37b3 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13833,13 +13833,14 @@
If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends
- with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
- directive may be specified multiple times in order to load certificates from
- multiple files or directories. The certificates will be presented to clients
- who provide a valid TLS Server Name Indication field matching one of their
- CN or alt subjects. Wildcards are supported, where a wildcard character '*'
- is used instead of the first hostname component (e.g. *.example.org matches
- www.example.org but not www.sub.example.org).
+ with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). Files
+ starting with a dot are also ignored. This directive may be specified multiple
+ times in order to load certificates from multiple files or directories. The
+ certificates will be presented to clients who provide a valid TLS Server Name
+ Indication field matching one of their CN or alt subjects. Wildcards are
+ supported, where a wildcard character '*' is used instead of the first
+ hostname component (e.g. *.example.org matches www.example.org but not
+ www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not
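Review bot: the new sentence "Files starting with a dot are also ignored." states the rule but not why it exists; since the preceding sentence explains the reserved extensions, a short reason here would help operators understand the behaviour, e.g. "Files starting with a dot (hidden files such as editor swap or backup files) are also ignored." Also worth stating explicitly that this applies only when a directory is given, since the following text about SNI matching reads as if it were about single PEM files too.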
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 37f2e6f..1615ac5 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -696,7 +696,9 @@
struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.');
- if (end && (strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 || strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0))
+ if (end && (de->d_name[0] == '.' ||
+ strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 ||
+ strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0))
goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
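Review bot: the dotfile test `de->d_name[0] == '.'` is placed inside the `end && (...)` condition, so it only runs when `strrchr(de->d_name, '.')` found a dot. That happens to be always true for a name that starts with '.', so the check is correct, but the correctness depends on that subtlety; hoisting it out as `if (de->d_name[0] == '.' || (end && (strcmp(end, ".issuer") == 0 || ...)))` makes the intent obvious and keeps the reserved-extension logic separate. The commit message should also say what kind of dotfiles were being picked up in issue #1689 so the motivation is recorded in the history rather than only in the tracker.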