MINOR: spoe: add force-set-var option in spoe-agent configuration

For security reasons, the spoe filter was only able to change values of
existing variables. In specific cases (e.g. with LUA code), the names of
variables are unknown at the configuration parsing phase.
The force-set-var option can be enabled to register all variables.

diff --git a/doc/SPOE.txt b/doc/SPOE.txt
index 194fa3d..961d32a 100644
--- a/doc/SPOE.txt
+++ b/doc/SPOE.txt
@@ -239,6 +239,15 @@
When set, this option bypass this behaviour and only the current event will
be ignored.
+option force-set-var
+ By default, SPOE filter only register already known variables (mainly from
+ parsing of the configuration). If you want that haproxy trusts the agent and
+ registers all variables (ex: can be useful for LUA workload), activate this
+ option.
+
+ Caution : this option opens to a variety of attacks such as a rogue SPOA that
+ asks to register too many variables.
+
option pipelining
no option pipelining
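Review bot: the Caution paragraph in the new "option force-set-var" text names one risk (a rogue SPOA registering too many variables) but gives the operator nothing to act on. If no limit applies to the number of variables an agent can register, say so explicitly, and state that the option should only be enabled for agents that are trusted. Wording: "only register" should be "only registers", and "opens to a variety of attacks" reads better as "exposes HAProxy to a variety of attacks".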
@@ -310,8 +319,9 @@
"myvar" in the "txn" scope, with the prefix "my_spoe_pfx", then you should
use "txn.my_spoe_pfx.myvar" name in your HAProxy configuration.
- An agent will never set new variables at runtime. It can only set new value
- for existing ones.
+ By default, an agent will never set new variables at runtime: It can only set
+ new value for existing ones. If you want a different behaviour, see
+ force-set-var option
timeout hello <timeout>
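Review bot: the rewritten sentence stops at "force-set-var option" with no closing period and without the quoting the paragraph above uses for names such as "txn.my_spoe_pfx.myvar". Suggest ending it with: see "option force-set-var". Also lowercase "It" after the colon, and "set new value" should be "set a new value".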
diff --git a/include/types/spoe.h b/include/types/spoe.h
index 53e7200..392cc94 100644
--- a/include/types/spoe.h
+++ b/include/types/spoe.h
@@ -43,6 +43,7 @@
#define SPOE_FL_ASYNC 0x00000004 /* Set when SPOE agent supports async (set by default) */
#define SPOE_FL_SND_FRAGMENTATION 0x00000008 /* Set when SPOE agent supports sending fragmented payload */
#define SPOE_FL_RCV_FRAGMENTATION 0x00000010 /* Set when SPOE agent supports receiving fragmented payload */
+#define SPOE_FL_FORCE_SET_VAR 0x00000020 /* Set when SPOE agent will set all variables from agent (and not only known variables) */
/* Flags set on the SPOE context */
#define SPOE_CTX_FL_CLI_CONNECTED 0x00000001 /* Set after that on-client-session event was processed */
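Review bot: the comment on SPOE_FL_FORCE_SET_VAR does not say the flag is off unless configured, while the SPOE_FL_ASYNC comment two lines up spells out "(set by default)". Suggest naming the directive that sets it, for example "Set when 'option force-set-var' is used: variables unknown at configuration time may be created", which also avoids repeating "agent" twice.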
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 6aeabb2..1b69ee2 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -2307,7 +2307,10 @@
memset(varname, 0, sizeof(varname));
len = snprintf(varname, sizeof(varname), "%s.%s.%.*s",
scope, agent->var_pfx, len, name);
- vars_set_by_name_ifexist(varname, len, smp);
+ if (agent->flags & SPOE_FL_FORCE_SET_VAR)
+ vars_set_by_name(varname, len, smp);
+ else
+ vars_set_by_name_ifexist(varname, len, smp);
}
/* Helper function to unset a variable */
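Review bot: in the new branch, len is the return value of snprintf() and is passed to vars_set_by_name() without being checked against sizeof(varname). snprintf() returns the length the full string would have had, so an over-long agent-supplied name gives a len larger than the truncated buffer. The same value was already passed to vars_set_by_name_ifexist(), but that path only touched variables that already existed, whereas this one registers a new name. Return early when len < 0 or len >= sizeof(varname), before either call. The hunk also puts no bound on how many variables one agent can create, which is the risk the doc text itself calls out.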
@@ -3399,6 +3402,11 @@
}
curagent->var_pfx = strdup(args[2]);
}
+ else if (!strcmp(args[1], "force-set-var")) {
+ if (alertif_too_many_args(1, file, linenum, args, &err_code))
+ goto out;
+ curagent->flags |= SPOE_FL_FORCE_SET_VAR;
+ }
else if (!strcmp(args[1], "continue-on-error")) {
if (alertif_too_many_args(1, file, linenum, args, &err_code))
goto out;
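Review bot: the "force-set-var" branch only ever ORs SPOE_FL_FORCE_SET_VAR into curagent->flags, and the doc hunk lists only the positive form, unlike "option pipelining" / "no option pipelining" next to it. Please confirm that "no option force-set-var" is rejected with an error before this branch is reached instead of being accepted and enabling the option, since an operator writing the negated form would expect the safer behaviour.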