From: William Lallemand
Date: Tue, 3 Dec 2019 12:32:54 +0000 (+0100)
Subject: BUG/MINOR: ssl/cli: 'ssl cert' cmd only usable w/ admin rights
X-Git-Tag: v2.2-dev1~219
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=230662a0dd66b97ff46e7e3304a69f95ebccbcb8;p=thirdparty%2Fhaproxy.git
BUG/MINOR: ssl/cli: 'ssl cert' cmd only usable w/ admin rights
The 3 commands 'set ssl cert', 'abort ssl cert' and 'commit ssl cert' must be only usable with admin rights over the CLI. Must be backported in 2.1.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e36c03e631..e0d3f10143 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10371,6 +10371,9 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
 {
 char *err = NULL;
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if (!*args[3])
 return cli_err(appctx, "'commit ssl cert expects a filename\n");
@@ -10423,6 +10426,9 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 struct cert_key_and_chain *ckch;
 struct buffer *buf;
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if ((buf = alloc_trash_chunk()) == NULL)
 return cli_err(appctx, "Can't allocate memory\n");
@@ -10645,6 +10651,9 @@ static int cli_parse_abort_cert(char **args, char *payload, struct appctx *appct
 {
 char *err = NULL;
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if (!*args[3])
 return cli_err(appctx, "'abort ssl cert' expects a filename\n");
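Review bot: The admin guard added at the top of cli_parse_commit_cert (and identically in cli_parse_set_cert and cli_parse_abort_cert) returns 1 with no error message of its own, so it deserves a comment saying that the denial is reported by cli_has_level(). That helper's body is not visible in this diff, so confirm it queues the permission-denied reply; otherwise a lower-privileged client gets silence. I would add `/* admin only: changes live certificate material; cli_has_level() reports the denial */` above each guard. In cli_parse_set_cert the guard correctly precedes alloc_trash_chunk(), so nothing is allocated on the denied path, and keeping the check as the first statement in all three parsers preserves that. The bodies of all three functions continue outside the hunks.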