From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 16 Dec 2024 16:04:25 +0000 (+0100)
Subject: BUG/MINOR: ssl/cli: 'show ssl ca-file' escape the first '*' of a filename
X-Git-Tag: v3.2-dev2~67
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3b760ebcc45b58e121a282a3403971619e4e6c2;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl/cli: 'show ssl ca-file' escape the first '*' of a filename

When doing a 'show ssl ca-file <filename>', prefixing a filename with a '*'
allows to show the uncommited transaction asociated to this filename.

However for people using '*' as the first character of their
filename, there is no way to access this filename.

This patch fixes the problem by allowing to escape the first
character with \.

This should be backported in every stable branches.
---

diff --git a/doc/management.txt b/doc/management.txt
index 91b36af3b8..f085ad50a8 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -3523,7 +3523,7 @@ show stat [domain <resolvers|proxy>] [{<iid>|<proxy>} <type> <sid>] \
   $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
     python -m json.tool
 
-show ssl ca-file [<cafile>[:<index>]]
+show ssl ca-file [[*][\]<cafile>[:<index>]]
   Display the list of CA files loaded into the process and their respective
   certificate counts. The certificates are not used by any frontend or backend
   until their status is "Used".
@@ -3540,7 +3540,8 @@ show ssl ca-file [<cafile>[:<index>]]
   If the index is invalid (too big for instance), nothing will be displayed.
   This command can be useful to check if a CA file was properly updated.
   You can also display the details of an ongoing transaction by prefixing the
-  filename by an asterisk.
+  filename by a '*'. If the first character of the filename is a '*', it can be
+  escaped with '\*'.
 
   Example :
 
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 7e9dd44e57..c2d3640dd4 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3584,7 +3584,7 @@ yield:
 }
 
 
-/* parsing function for 'show ssl ca-file [cafile[:index]]'.
+/* parsing function for 'show ssl ca-file [[*][\]<cafile>[:index]]'.
  * It prepares a show_cafile_ctx context, and checks the global
  * cafile_transaction under the ckch_lock (read only).
  */
@@ -3626,18 +3626,27 @@ static int cli_parse_show_cafile(char **args, char *payload, struct appctx *appc
 		}
 
 		if (*args[3] == '*') {
+			char *filename = args[3]+1;
+
+			if (filename[0] == '\\')
+				filename++;
+
 			if (!cafile_transaction.new_cafile_entry)
 				goto error;
 
 			cafile_entry = cafile_transaction.new_cafile_entry;
 
-			if (strcmp(args[3] + 1, cafile_entry->path) != 0)
+			if (strcmp(filename, cafile_entry->path) != 0)
 				goto error;
 
 		} else {
+			char *filename = args[3];
+
+			if (filename[0] == '\\')
+				filename++;
 			/* Get the "original" cafile_entry and not the
 			 * uncommitted one if it exists. */
-			if ((cafile_entry = ssl_store_get_cafile_entry(args[3], 1)) == NULL || cafile_entry->type != CAFILE_CERT)
+			if ((cafile_entry = ssl_store_get_cafile_entry(filename, 1)) == NULL || cafile_entry->type != CAFILE_CERT)
 				goto error;
 		}