From: Willy Tarreau <w@1wt.eu>
Date: Thu, 26 Nov 2015 17:32:39 +0000 (+0100)
Subject: BUG/MEDIUM: cli: changing compression rate-limiting must require admin level
X-Git-Tag: v1.7-dev1~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1c2b2c4f3e65d198a0a4b25a4f655f7b307a855;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: cli: changing compression rate-limiting must require admin level

Right now it's possible to change the global compression rate limiting
without the CLI being at the admin level.

This fix must be backported to 1.6 and 1.5.
---

diff --git a/src/dumpstats.c b/src/dumpstats.c
index 67686d3d46..3518e2ac2d 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1836,6 +1836,12 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
 				if (strcmp(args[3], "global") == 0) {
 					int v;
 
+					if (strm_li(s)->bind_conf->level < ACCESS_LVL_ADMIN) {
+						appctx->ctx.cli.msg = stats_permission_denied_msg;
+						appctx->st0 = STAT_CLI_PRINT;
+						return 1;
+					}
+
 					if (!*args[4]) {
 						appctx->ctx.cli.msg = "Expects a maximum input byte rate in kB/s.\n";
 						appctx->st0 = STAT_CLI_PRINT;