MINOR: spoe: add force-set-var option in spoe-agent configuration

For security reasons, the spoe filter was only able to change values of
existing variables. In specific cases (ex : with LUA code), the name of
variables are unknown at the configuration parsing phase.
The force-set-var option can be enabled to register all variables.

diff --git a/doc/SPOE.txt b/doc/SPOE.txt
index 194fa3dba90a96cbb13f98d4c47a4a8a38e52e99..961d32a43627af6190e0e2d296b42129674ce541 100644 (file)
--- a/doc/SPOE.txt
+++ b/doc/SPOE.txt
@@ -239,6 +239,15 @@ option continue-on-error
   When set, this option bypass this behaviour and only the current event will
   be ignored.
 
+option force-set-var
+  By default, SPOE filter only register already known variables (mainly from
+  parsing of the configuration). If you want that haproxy trusts the agent and
+  registers all variables (ex: can be useful for LUA workload), activate this
+  option.
+
+  Caution : this option opens to a variety of attacks such as a rogue SPOA that
+  asks to register too many variables.
+
 
 option pipelining
 no option pipelining
@@ -310,8 +319,9 @@ option var-prefix <prefix>
   "myvar" in the "txn" scope, with the prefix "my_spoe_pfx", then you should
   use "txn.my_spoe_pfx.myvar" name in your HAProxy configuration.
 
-  An agent will never set new variables at runtime. It can only set new value
-  for existing ones.
+  By default, an agent will never set new variables at runtime: It can only set
+  new value for existing ones. If you want a different behaviour, see
+  force-set-var option
 
 
 timeout hello <timeout>

diff --git a/include/types/spoe.h b/include/types/spoe.h
index 53e7200c8822122f144ee0ef17556c87288cf5db..392cc94ef26c2e88c91509b4a0326f27f4613543 100644 (file)
--- a/include/types/spoe.h
+++ b/include/types/spoe.h
@@ -43,6 +43,7 @@
 #define SPOE_FL_ASYNC             0x00000004 /* Set when SPOE agent supports async (set by default) */
 #define SPOE_FL_SND_FRAGMENTATION 0x00000008 /* Set when SPOE agent supports sending fragmented payload */
 #define SPOE_FL_RCV_FRAGMENTATION 0x00000010 /* Set when SPOE agent supports receiving fragmented payload */
+#define SPOE_FL_FORCE_SET_VAR     0x00000020 /* Set when SPOE agent will set all variables from agent (and not only known variables) */
 
 /* Flags set on the SPOE context */
 #define SPOE_CTX_FL_CLI_CONNECTED 0x00000001 /* Set after that on-client-session event was processed */

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 6aeabb2fd5eca00e5f000c9cc7bc192dce475032..1b69ee2589d785a6d0e7589389bc6f2ca87c14b3 100644 (file)
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -2307,7 +2307,10 @@ spoe_set_var(struct spoe_context *ctx, char *scope, char *name, int len,
        memset(varname, 0, sizeof(varname));
        len = snprintf(varname, sizeof(varname), "%s.%s.%.*s",
                       scope, agent->var_pfx, len, name);
-       vars_set_by_name_ifexist(varname, len, smp);
+       if (agent->flags & SPOE_FL_FORCE_SET_VAR)
+               vars_set_by_name(varname, len, smp);
+       else
+               vars_set_by_name_ifexist(varname, len, smp);
 }
 
 /* Helper function to unset a variable */
@@ -3399,6 +3402,11 @@ cfg_parse_spoe_agent(const char *file, int linenum, char **args, int kwm)
                        }
                        curagent->var_pfx = strdup(args[2]);
                }
+               else if (!strcmp(args[1], "force-set-var")) {
+                       if (alertif_too_many_args(1, file, linenum, args, &err_code))
+                               goto out;
+                       curagent->flags |= SPOE_FL_FORCE_SET_VAR;
+               }
                else if (!strcmp(args[1], "continue-on-error")) {
                        if (alertif_too_many_args(1, file, linenum, args, &err_code))
                                goto out;