Serial: 587A1CE5ED855040A0C82BF255FF300ADB7C8136
[...]
-show ssl cert [<filename>]
+show ssl cert [[*][\]<filename>]
Display the list of certificates loaded into the process. They are not used
by any frontend or backend until their status is "Used".
If a filename is prefixed by an asterisk, it is a transaction which is not
committed yet. If a filename is specified, it will show details about the
certificate. This command can be useful to check if a certificate was well
updated. You can also display details on a transaction by prefixing the
- filename by an asterisk.
+ filename by a '*'. If the first character of the filename is a '*', it can be
+ escaped with '\*'.
This command can also be used to display the details of a certificate's OCSP
response by suffixing the filename with a ".ocsp" extension. It works for
committed certificates as well as for ongoing transactions. On a committed
Status: Unused
[...]
+ $ echo "@1 show ssl cert \*.local.pem" | socat /var/run/haproxy.master -
+ Filename: *.local.pem
+ Status: Used
+ [...]
+
show ssl crl-file [<crlfile>[:<index>]]
Display the list of CRL files loaded into the process. They are not used
by any frontend or backend until their status is "Used".
#endif
}
-/* parsing function for 'show ssl cert [certfile]' */
+/* parsing function for 'show ssl cert [[*][\]<certfile>]' */
static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx, void *private)
{
struct show_cert_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
}
if (*args[3] == '*') {
+ char *filename = args[3]+1;
+
from_transaction = 1;
if (!ckchs_transaction.new_ckchs)
goto error;
ckchs = ckchs_transaction.new_ckchs;
- if (strcmp(args[3] + 1, ckchs->path) != 0)
+ if (filename[0] == '\\')
+ filename++;
+
+ if (strcmp(filename, ckchs->path) != 0)
goto error;
} else {
- if ((ckchs = ckchs_lookup(args[3])) == NULL)
+ char *filename = args[3];
+
+ if (filename[0] == '\\')
+ filename++;
+
+ if ((ckchs = ckchs_lookup(filename)) == NULL)
goto error;
}
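Review bot: The leading backslash is consumed whatever character follows it, in both the transaction branch and the `ckchs_lookup()` branch (`if (filename[0] == '\\') filename++;`), while the updated documentation only describes the `\*` case. A certificate whose stored path really begins with a backslash is therefore matched only when the operator doubles it, which is a silent change for existing CLI scripts. I would state this above the first check, for example `/* a leading '\' is always consumed as an escape; a path that really starts with '\' must be given as "\\" */`, and add the same sentence to the `show ssl cert` entry in the management doc. The two identical strip sequences could also share one small static helper taking a `const char *`, so both branches cannot drift apart. The body of cli_parse_show_cert starts and continues outside this hunk, so how the ".ocsp" suffix handling interacts with the escape cannot be checked from here.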