From: William Lallemand Date: Tue, 21 Apr 2020 14:54:19 +0000 (+0200) Subject: MINOR: ssl/cli: disallow SSL options for directory in 'add ssl crt-list' X-Git-Tag: v2.2-dev7~201 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b74d5640430a4122fe22c816f1790745147c0a22;p=thirdparty%2Fhaproxy.git MINOR: ssl/cli: disallow SSL options for directory in 'add ssl crt-list' Allowing the use of SSL options and filters when adding a file in a directory is not really consistent with the reload of HAProxy. Disable the ability to use these options if one tries to use them with a directory. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 376e624115..9313f5e230 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -11445,6 +11445,12 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc goto error; } + /* this is supposed to be a directory (EB_ROOT_UNIQUE), so no ssl_conf are allowed */ + if ((entry->ssl_conf || entry->filters) && eb_gettag(crtlist->entries.b[EB_RGHT])) { + memprintf(&err, "this is a directory, SSL configuration and filters are not allowed"); + goto error; + } + LIST_ADDQ(&crtlist->ord_entries, &entry->by_crtlist); entry->crtlist = crtlist; LIST_ADDQ(&store->crtlist_entry, &entry->by_ckch_store);
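Review bot: The new condition in cli_parse_add_crtlist() infers "this crt-list is a directory" from eb_gettag(crtlist->entries.b[EB_RGHT]), that is, from the tree having been initialised as EB_ROOT_UNIQUE, and the comment's own "supposed to be" shows how indirect that is. If a later change makes a regular crt-list file use a unique tree, or a directory use a non-unique one, this check will silently misfire or stop rejecting options, so I would put the test behind a small named predicate (or an explicit flag on the crtlist) and use that here. Two smaller points: the comment mentions only ssl_conf while the condition also rejects entry->filters, and the error string could include the crt-list path so a CLI user can tell which argument was refused. The diff touches only src/ssl_sock.c, so the CLI documentation for 'add ssl crt-list' should also state that SSL options and filters are refused for a directory. Please also confirm that the error label releases entry together with its ssl_conf and filters, since both are already populated when this new goto error is taken.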