mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 20:46:11 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl/cli: tls-keys commands are missing permission checks

Browse Source 
Both 'set ssl tls-key' and 'show tls-keys' command are missing the
permission checks so the commands can be used only in admin mode.

Must be backported to 3.3. This can be a breaking change for some users.

Initially reported by Cameron Brown.
This commit is contained in:
William Lallemand 2026-03-25 11:54:09 +01:00
parent 25366f6dc1
commit 453a01387b
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl_sock.c
View File

@ -8086,8 +8086,8 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app
{
struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]);
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
/* no parameter, shows only file list */
if (!*args[2]) {
@ -8113,8 +8113,8 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc
struct tls_keys_ref *ref;
int ret;
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
/* Expect two parameters: the filename and the new new TLS key in encoding */
if (!*args[3] || !*args[4])