commit 916d0b523d6ab11db9f8b2589a05422c6a21bfea
author William Lallemand <wlallemand@haproxy.com> Tue Apr 21 18:29:12 2020 +0200
committer William Lallemand <wlallemand@haproxy.org> Tue Apr 21 18:42:42 2020 +0200
tree 083a251660c9c534c32adbf1d46a800338bd84be
parent b74d5640430a4122fe22c816f1790745147c0a22

MINOR: ssl/cli: restrain certificate path when inserting into a directory

When trying to insert a new certificate into a directory with "add ssl
crt-list", no check were done on the path of the new certificate.

To be more consistent with the HAProxy reload, when adding a file to
a crt-list, if this crt-list is a directory, the certificate will need
to have the directory in its path.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9313f5e..9077e91 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -11413,6 +11413,24 @@
 		goto error;
 	}
 
+	if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
+		char *slash;
+
+		slash = strrchr(cert_path, '/');
+		if (!slash) {
+			memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+			goto error;
+		}
+		/* temporary replace / by 0 to do an strcmp */
+		*slash = '\0';
+		if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
+			*slash = '/';
+			memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+			goto error;
+		}
+		*slash = '/';
+	}
+
 	if (*cert_path != '/' && global_ssl.crt_base) {
 		if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
 			memprintf(&err, "'%s' : path too long", cert_path);