From: Lennart Poettering
Date: Wed, 22 Nov 2023 11:02:07 +0000 (+0100)
Subject: machine-credential: tweak --load-credential= use a bit
X-Git-Tag: v255-rc3~8^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F30143%2Fhead;p=thirdparty%2Fsystemd.git
machine-credential: tweak --load-credential= use a bit
Let's try to recognize paths (i.e. those with a "/") as source for credentials to load, and then read them from the file system. Also, only read credentials from an inbound credentials directory if the source qualifies as valid credential name. Otherwise print a nice error.
---
diff --git a/src/shared/machine-credential.c b/src/shared/machine-credential.c
index 7df36049777..17f7afc4a0f 100644
--- a/src/shared/machine-credential.c
+++ b/src/shared/machine-credential.c
@@ -90,9 +90,9 @@ int machine_credential_load(MachineCredential **credentials, size_t *n_credentia
 if (streq(cred->id, word))
 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", word);
- if (path_is_absolute(p))
+ if (is_path(p) && path_is_valid(p))
 flags |= READ_FULL_FILE_CONNECT_SOCKET;
- else {
+ else if (credential_name_valid(p)) {
 const char *e;
 r = get_credentials_dir(&e);
@@ -104,7 +104,8 @@ int machine_credential_load(MachineCredential **credentials, size_t *n_credentia
 return log_oom();
 p = j;
- }
+ } else
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential source appears to be neither a valid path nor a credential name: %s", p);
 r = read_full_file_full(AT_FDCWD, p, UINT64_MAX, SIZE_MAX, flags,
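Review bot: In the first hunk, `is_path(p) && path_is_valid(p)` now admits relative sources, and as far as I can tell `path_is_valid()` checks only overall length and component size, so a source containing `..` is accepted and then resolved against the working directory by the `read_full_file_full(AT_FDCWD, p, …)` call at the end of the second hunk. That is reasonable for an option typed by the invoking administrator, but the function sits in src/shared and the visible lines do not say who may supply the string, so I would state the contract in a comment above the `if`: `/* Anything containing a "/" is read as a file system path relative to the working directory (".." is permitted, and the target may be an AF_UNIX socket); only sources passing credential_name_valid() are looked up in the credentials directory. */`. If any caller can hand in less trusted input, a stricter test such as `path_is_safe()` in this condition would be the place to tighten it. The body of machine_credential_load() starts and ends outside both hunks, so callers were not checked.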