MEDIUM: cli: increase the payload pattern up to 64 bytes

The maximum size allowed for the payload pattern was increased up to 64 bytes
(65 bytes because of the trailing \0), to be able to use a sha256 of random
data for instance. It could be useful to prevent any data smuggling on the
payload.

Note that on the CLI, it could be possible to have only the buffer size as a
limit, because the command line is only consumed once all commands are
executed. The payload pattern is only a pointer in the buffer where the
command line was copied. However, for the master CLI, the data are streamed
to the worker, so we must keep a copy of the payload pattern. This is why we
must limit its size.

This commit is contained in:
Christopher Faulet 2026-04-14 16:08:29 +02:00
parent 9b1f0a3553
commit 80776da297
3 changed files with 6 additions and 5 deletions

@ -1646,9 +1646,10 @@ a payload, it needs to end with an empty line.
The payload pattern can be customized in order to change the way the payload
ends. In order to end a payload with something else than an empty line, a
customized pattern can be set between '<<' and '\n'. Only 7 characters can be
used in addition to '<<', otherwise this won't be considered a payload.
For example, to use a PEM file that contains empty lines and comments:
customized pattern can be set between '<<' and '\n'. Up to 64 characters can be
used in addition to '<<', otherwise this won't be considered a payload. It
should be enough to use random payload patterns. For example, to use a PEM file
that contains empty lines and comments:
# echo -e "set ssl cert common.pem <<%EOF%\n$(cat common.pem)\n%EOF%\n" | \
socat /var/run/haproxy.stat -
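Review bot: the new doc text "Up to 64 characters can be used in addition to '<<'" should state whether the limit is inclusive, since the commit message's motivating use case (a SHA-256 digest of random data) is exactly 64 hex characters and only fits if 64 itself is accepted; a short clause such as "(64 characters inclusive, enough for a hex-encoded SHA-256)" would remove the ambiguity. It would also help to say explicitly what "won't be considered a payload" means for the reader: the line after '<<' is then parsed as a normal command rather than silently truncated, which is the behaviour an operator needs to know when choosing a random pattern length.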

@ -313,7 +313,7 @@ struct stream {
int pcli_next_pid; /* next target PID to use for the CLI proxy */
int pcli_flags; /* flags for CLI proxy */
char pcli_payload_pat[8]; /* payload pattern for the CLI proxy */
char pcli_payload_pat[65]; /* payload pattern for the CLI proxy, including trailing \0 */
struct ist unique_id; /* custom unique ID */
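Review bot: the array size `char pcli_payload_pat[65]` is a second hard-coded copy of the limit that must stay in sync with `MAX_PAYLOAD_PATTERN_SIZE` (changed from 7 to 64 in cli.c in this same commit); declaring it as `char pcli_payload_pat[MAX_PAYLOAD_PATTERN_SIZE + 1]` with the define moved into a shared header would make the "+1 for the trailing \0" relationship explicit and prevent the two from drifting apart on the next resize. Worth noting in the commit message as well that every `struct stream` grows by 57 bytes with this change.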

@ -65,7 +65,7 @@
#include <haproxy/tools.h>
#include <haproxy/version.h>
#define MAX_PAYLOAD_PATTERN_SIZE 7
#define MAX_PAYLOAD_PATTERN_SIZE 64
#define PAYLOAD_PATTERN "<<"
static struct applet cli_applet;
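Review bot: raising `MAX_PAYLOAD_PATTERN_SIZE` from 7 to 64 is only safe if every copy into `pcli_payload_pat` is bounded by this define rather than by the old literal size; that code is outside this hunk, so the review should confirm the copy in the master CLI path (the one the commit message says keeps its own copy of the pattern) uses `MAX_PAYLOAD_PATTERN_SIZE` and always NUL-terminates within the 65-byte array. A one-line comment next to the define stating that the destination buffer is `MAX_PAYLOAD_PATTERN_SIZE + 1` bytes would document that invariant at the point where the limit is set.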