From 80ed9f9dcf81842d23429149293ca06bcac50e2d Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 17 Oct 2025 17:57:40 +0200
Subject: [PATCH] MINOR: tree-wide: add missing TAINTED flags for some experimental directives

We normally taint the process when using experimental directives, but a handful of places were missed so we don't always know that they are in use. Let's fix these places (hint for future directives, just look for places checking for "experimental_directives_allowed", and add "mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);").
---
 src/acme.c | 1 +
 src/cfgparse-global.c | 2 ++
 src/cfgparse-quic.c | 1 +
 src/cfgparse-ssl.c | 2 ++
 src/server.c | 1 +
 5 files changed, 7 insertions(+)
diff --git a/src/acme.c b/src/acme.c
index 816de1e28..851aede88 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -264,6 +264,7 @@ static int cfg_parse_acme(const char *file, int linenum, char **args, int kwm)
 err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 if (strcmp(args[0], "acme") == 0) {
 struct acme_cfg *tmp_acme = acme_cfgs;
diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c
index 79005384c..4a9bcf000 100644
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@@ -1613,6 +1613,7 @@ static int cfg_parse_global_shm_stats_file(char **args, int section_type,
 return -1;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 global.shm_stats_file = strdup(args[1]);
 return 0;
 }
@@ -1636,6 +1637,7 @@ static int cfg_parse_global_shm_stats_file_max_objects(char **args, int section_
 return -1;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 shm_stats_file_max_objects = atoi(args[1]);
 return 0;
 }
diff --git a/src/cfgparse-quic.c b/src/cfgparse-quic.c
index d7c027c28..dd12cfe76 100644
--- a/src/cfgparse-quic.c
+++ b/src/cfgparse-quic.c
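Review bot: The experimental gate and the taint call remain two separate statements that each parser has to remember to pair; in `cfg_parse_acme` the added `mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);` follows the block ending in `goto out;`, and the same pairing is repeated by hand in the cfgparse-global.c, cfgparse-quic.c, cfgparse-ssl.c and server.c hunks. A single helper that tests `experimental_directives_allowed` and calls `mark_tainted()` when the directive is accepted would keep future directives from being missed, instead of relying on the grep hint in the commit message. The taint flag is the record that unstable code paths are active in a running process, so a silently missing one weakens later triage. The body of `cfg_parse_acme` starts and ends outside the hunk.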
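Review bot: In `cfg_parse_global_shm_stats_file` the line after the added taint call, `global.shm_stats_file = strdup(args[1]);`, is followed directly by `return 0;`, so an allocation failure is stored as NULL and reported as a successful parse. A check such as `if (!global.shm_stats_file) return -1;`, with the function's usual error message, would surface the failure at configuration time. The function starts outside the hunk, so whether `args[1]` is verified to be non-empty beforehand cannot be seen here.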
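Review bot: `shm_stats_file_max_objects = atoi(args[1]);` in `cfg_parse_global_shm_stats_file_max_objects` accepts any string, because atoi() cannot report a parse error or an out-of-range value and the function returns 0 right after the assignment. Unless the argument is validated earlier in the function (not visible in the hunk), a typo silently becomes the object limit. Parsing with `errno = 0;`, `val = strtol(args[1], &end, 10);` and `if (end == args[1] || *end != '\0' || errno == ERANGE) return -1;`, plus whatever range the setting allows, would reject bad input before it is stored.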
@@ -125,6 +125,7 @@ static int bind_parse_quic_cc_algo(char **args, int cur_arg, struct proxy *px,
 algo = QUIC_CC_NO_CC_STR;
 *cc_algo = quic_cc_algo_nocc;
 arg += strlen(QUIC_CC_NO_CC_STR);
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 }
 else {
 memprintf(err, "'%s' : unknown control congestion algorithm", args[cur_arg + 1]);
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 8dc923172..297809780 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -895,6 +895,7 @@ static int ssl_bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struc
 args[cur_arg], args[cur_arg + 1]);
 return ERR_ALERT | ERR_FATAL;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 return 0;
 }
@@ -1958,6 +1959,7 @@ static int srv_parse_ktls(char **args, int *cur_arg, struct proxy *px, struct se
 args[*cur_arg], args[*cur_arg + 1]);
 return ERR_ALERT | ERR_FATAL;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 return 0;
 }
diff --git a/src/server.c b/src/server.c
index 24f0c4692..0411eb4a3 100644
--- a/src/server.c
+++ b/src/server.c
@@ -3701,6 +3701,7 @@ static int _srv_parse_init(struct server **srv, char **args, int *cur_arg,
 goto out;
 }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
 newsrv->xprt = xprt_get(XPRT_QUIC);
 quic_transport_params_init(&newsrv->quic_params, 0);
 }
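Review bot: In `ssl_bind_parse_ktls` and `srv_parse_ktls` the taint is set only on the fall-through path just before `return 0;`, whereas the acme.c, cfgparse-global.c and server.c hunks set it immediately after the block that rejects the directive. Nothing is lost today, since the only other exit visible in these hunks returns `ERR_ALERT | ERR_FATAL`, but an early successful return added later would skip the taint without any warning. Either move the call up next to the experimental check, which lies outside both hunks, or add a comment above it such as `/* experimental keyword accepted: must run on every successful path */`.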