mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2026-05-08 06:26:10 +02:00
BUG/MEDIUM: stick-table: properly check permissions on CLI's set/clear cmd
The "set stick-table" CLI command's permissions are checked a bit too late in the I/O handler, because the lookups performed at parsing time can already cause an entry to be created at level "user" even though the user does not have the permission to go further and to fill the data in.

Note that the impact remains pretty low since the entry is created without data being touchable, and all within the table's settings (max entries, expire, etc.). In addition it cannot even be used to periodically refresh an entry and prevent it from expiring because only a creation is handled at this point.

Let's add the check in cli_parse_table_req() so that these privileged commands are entirely denied past the table lookup. This way it remains possible to know that the table doesn't exist, like for the "show" command, but not more.

This should be backported to all stable branches, because the bug right now cannot result in an accidental use (entries are not properly created and deletion does not work).

Thanks to Omkhar Arasaratnam for finding and reporting this.
parent: 81abfaa4df
commit: d04a56e17d
@ -5702,6 +5702,10 @@ static int cli_parse_table_req(char **args, char *payload, struct appctx *appctx
return 0;
}
/* only "show" is permitted to level user, others (clear/set) require "oper" */
if (ctx->action != STK_CLI_ACT_SHOW && !cli_has_level(appctx, ACCESS_LVL_OPER))
return 1;
if (strcmp(args[3], "key") == 0)
return table_process_entry_per_key(appctx, args);
if (strcmp(args[3], "ptr") == 0)
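Review bot: the new permission check at the added `if (ctx->action != STK_CLI_ACT_SHOW && !cli_has_level(appctx, ACCESS_LVL_OPER))` line refuses the command with a bare `return 1;`, so a "user"-level caller issuing "set" or "clear" gets no reply explaining that the command was denied rather than silently ignored; consider returning an explicit permission-denied message (as other CLI parsers do via cli_err()) so the refusal is visible to the operator and distinguishable from a successful no-op. The placement itself matches the commit message: the check sits after the table lookup, so an unknown table is still reported for every action while only "show" proceeds at level "user", and the comment above the check documents that intent.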