From d04a56e17ddb2b907dac6feb1523fa32e665f74c Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 7 May 2026 18:31:40 +0200 Subject: [PATCH] BUG/MEDIUM: stick-table: properly check permissions on CLI's set/clear cmd The "set stick-table" CLI command's permissions are checked a bit too late in the I/O handler, because the lookups performed at parsing time can already cause an entry to be created at level "user" even though the user does not have the permission to go further and to fill the data in. Note that the impact remains pretty low since the entry is created without data being touchable, and all within the table's settings (max entries, expire etc). In addition it cannot even be used to periodically refresh an entry and prevent it from expiring because only a creation is handled at this point. Let's add the check in cli_parse_table_req() so that these privileged commands are entirely denied past the table lookup. This way it remains possible to know that the table doesn't exist, like for the "show" command but not more. This should be backported to all stable branches, because the bug right now cannot result in an accidental use (entries are not properly created and deletion does not work). Thanks to Omkhar Arasaratnam for finding and reporting this. --- src/stick_table.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/stick_table.c b/src/stick_table.c index db55a543b..f94d674ba 100644 --- a/src/stick_table.c +++ b/src/stick_table.c @@ -5702,6 +5702,10 @@ static int cli_parse_table_req(char **args, char *payload, struct appctx *appctx return 0; } + /* only "show" is permitted to level user, others (clear/set) require "oper" */ + if (ctx->action != STK_CLI_ACT_SHOW && !cli_has_level(appctx, ACCESS_LVL_OPER)) + return 1; + if (strcmp(args[3], "key") == 0) return table_process_entry_per_key(appctx, args); if (strcmp(args[3], "ptr") == 0)