MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt

Ignore the files starting with a dot when trying to load a directory
with the "crt" directive.

Should fix issue #1689.
William Lallemand 2022-05-09 10:30:51 +02:00
parent e4b93eb947
commit 589570df1f
2 changed files with 11 additions and 8 deletions

@ -13833,13 +13833,14 @@ crt <cert>
If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends
with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
directive may be specified multiple times in order to load certificates from
multiple files or directories. The certificates will be presented to clients
who provide a valid TLS Server Name Indication field matching one of their
CN or alt subjects. Wildcards are supported, where a wildcard character '*'
is used instead of the first hostname component (e.g. *.example.org matches
www.example.org but not www.sub.example.org).
with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). Files
starting with a dot are also ignored. This directive may be specified multiple
times in order to load certificates from multiple files or directories. The
certificates will be presented to clients who provide a valid TLS Server Name
Indication field matching one of their CN or alt subjects. Wildcards are
supported, where a wildcard character '*' is used instead of the first
hostname component (e.g. *.example.org matches www.example.org but not
www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not
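Review bot: the new sentence "Files starting with a dot are also ignored." states the rule but not its purpose, so a reader cannot tell whether it is a convenience or something to rely on; a short parenthetical after it, such as "(for example editor backup or hidden temporary files)", would make the intent explicit. The rest of the hunk is a pure reflow of the existing paragraph and reads fine.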

@ -696,7 +696,9 @@ int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct crtlis
struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.');
if (end && (strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 || strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0))
if (end && (de->d_name[0] == '.' ||
strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 ||
strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0))
goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
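Review bot: the dotfile test `de->d_name[0] == '.'` is nested under `end &&`, yet it does not depend on `end` at all; it only works because any name that starts with '.' makes strrchr() return a non-NULL pointer, an implicit coupling that is easy to break in a later edit. Check the leading dot on its own before the strrchr() call, e.g.
    if (de->d_name[0] == '.')
        goto ignore_entry;
    end = strrchr(de->d_name, '.');
and keep the reserved-extension comparison as a separate condition. Note also that if de_list still contains the "." and ".." entries, they now take this branch too, which is harmless but worth a one-line comment so the next reader does not think it is accidental.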