mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-16 16:34:42 +00:00
haproxy public development tree
9e8db138c9
This patch adds a few improvements in order to secure the use of converters that accept base64 string and variable name as arguments. The first change is within related function sample_conv_var2smp_str() which now flags the sample as SMP_F_CONST if the argument is of type ARGT_STR. This makes the sample more safe for later use. A new function sample_check_arg_base64() is added. It checks an argument and fills it with a variable type if the argument string contains a valid variable name. If failed, it tries to perform a base64 decode operation on a non-empty string, and fills the argument with the decoded content which can be used later, without any additional base64dec() function calls during runtime. This means that haproxy configuration check may fail if variable lookup fails and an invalid base64 encoded string is specified as an argument for such converters. Both converters, "aes_gcm_dec" and "hmac", now use alloc_trash_chunk() in order to allocate additional buffers for various conversions, and avoid the use of a pre-allocated trash chunks directly (usually returned by get_trash_chunk()). The function sample_check_arg_base64() is used for both converters in order to check their arguments specified within the haproxy configuration. This patch should be backported as far as 2.0. However, it is important to keep in mind a few things. The "hmac" converter is only available starting with 2.2. In versions prior to 2.2, the "aes_gcm_dec" converter and sample_conv_var2smp_str() are implemented in src/ssl_sock.c. Thus the patch will have to be adapted on these versions. Note that this patch is required for a subsequent, more important fix. |
||
|---|---|---|
| .github | ||
| contrib | ||
| doc | ||
| examples | ||
| include | ||
| reg-tests | ||
| scripts | ||
| src | ||
| tests | ||
| .cirrus.yml | ||
| .gitattributes | ||
| .gitignore | ||
| .travis.yml | ||
| BRANCHES | ||
| CHANGELOG | ||
| CONTRIBUTING | ||
| INSTALL | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| README | ||
| ROADMAP | ||
| SUBVERS | ||
| VERDATE | ||
| VERSION | ||
The HAProxy documentation has been split into a number of different files for ease of use. Please refer to the following files depending on what you're looking for : - INSTALL for instructions on how to build and install HAProxy - BRANCHES to understand the project's life cycle and what version to use - LICENSE for the project's license - CONTRIBUTING for the process to follow to submit contributions The more detailed documentation is located into the doc/ directory : - doc/intro.txt for a quick introduction on HAProxy - doc/configuration.txt for the configuration's reference manual - doc/lua.txt for the Lua's reference manual - doc/SPOE.txt for how to use the SPOE engine - doc/network-namespaces.txt for how to use network namespaces under Linux - doc/management.txt for the management guide - doc/regression-testing.txt for how to use the regression testing suite - doc/peers.txt for the peers protocol reference - doc/coding-style.txt for how to adopt HAProxy's coding style - doc/internals for developer-specific documentation (not all up to date)