MINOR: ssl/cli: restrain certificate path when inserting into a directory
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 21 Apr 2020 16:29:12 +0000 (18:29 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Tue, 21 Apr 2020 16:42:42 +0000 (18:42 +0200)
When trying to insert a new certificate into a directory with "add ssl
crt-list", no check was done on the path of the new certificate.

To be more consistent with the HAProxy reload, when adding a file to
a crt-list, if this crt-list is a directory, the certificate will need
to have the directory in its path.

src/ssl_sock.c

index 9313f5e2300f47bcd1a09d9385c9e7604bbd85a3..9077e91144716ca00abd21cbeef47bb58c4ba2e9 100644 (file)
@@ -11413,6 +11413,24 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
                goto error;
        }
 
+       if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
+               char *slash;
+
+               slash = strrchr(cert_path, '/');
+               if (!slash) {
+                       memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+                       goto error;
+               }
+               /* temporary replace / by 0 to do an strcmp */
+               *slash = '\0';
+               if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
+                       *slash = '/';
+                       memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
+                       goto error;
+               }
+               *slash = '/';
+       }
+
        if (*cert_path != '/' && global_ssl.crt_base) {
                if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > MAXPATHLEN) {
                        memprintf(&err, "'%s' : path too long", cert_path);
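Review bot: The prefix test at the `strcmp` line is a byte-exact comparison of the text before the last `/` against `crtlist->node.key`, with no path normalisation, and it runs before the `crt_base` prefixing that the following context lines apply to a relative `cert_path`; so a relative path that would resolve under the directory after reload, or a key that happens to carry a trailing slash, is rejected (or, for the opposite form, the two spellings may not match the way they do at startup). If that strictness is intended, it is worth stating next to the check, e.g. `/* only a direct child of the directory is accepted: cert_path is compared literally, before crt_base is prepended, so it must be spelled exactly like the crt-list key */`; otherwise compare the crt_base-resolved path instead. The two identical `memprintf` messages could share one error label so the restore of `*slash` and the message live in a single place. The enclosing function cli_parse_add_crtlist starts and ends outside the hunk.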