MEDIUM: cli: increase the payload pattern up to 64 bytes

The maximum size allowed for the payload pattern was increase up to 64 bytes
(65 bytes because of the trailing \0), to be able to use a sha256 of random
data for instance. It could be useful to prevent any data smuggling on the
payload.

Note that on the CLI, it could be possible to have only the buffer size as a
limit, because the command line is only consumed once all commands are
executed. The payload pattern is only a pointer in the buffer where the
command line was copied. However, for the master CLI, the data are streamed
to the worker, so we must keep a copy of he payload pattern. This is why we
must limit its size.

diff --git a/doc/management.txt b/doc/management.txt
index 7d4d5e46309d89948efd4203e064083582664288..ee36f703722cd6496b2450357e2e0de506b1951f 100644 (file)
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1646,9 +1646,10 @@ a payload, it needs to end with an empty line.
 
 The payload pattern can be customized in order to change the way the payload
 ends. In order to end a payload with something else than an empty line, a
-customized pattern can be set between '<<' and '\n'. Only 7 characters can be
-used in addition to '<<', otherwise this won't be considered a payload.
-For example, to use a PEM file that contains empty lines and comments:
+customized pattern can be set between '<<' and '\n'. Up to 64 characters can be
+used in addition to '<<', otherwise this won't be considered a payload. It
+should be enough to use random payload patterns. For example, to use a PEM file
+that contains empty lines and comments:
 
   # echo -e "set ssl cert common.pem <<%EOF%\n$(cat common.pem)\n%EOF%\n" | \
   socat /var/run/haproxy.stat -

diff --git a/include/haproxy/stream-t.h b/include/haproxy/stream-t.h
index d5f07b9c87c033a1844105f444459ab9ca6aa46d..c8f8719e01617f258fafe2fc3a2b008c175da90b 100644 (file)
--- a/include/haproxy/stream-t.h
+++ b/include/haproxy/stream-t.h
@@ -313,7 +313,7 @@ struct stream {
 
        int pcli_next_pid;                      /* next target PID to use for the CLI proxy */
        int pcli_flags;                         /* flags for CLI proxy */
-       char pcli_payload_pat[8];               /* payload pattern for the CLI proxy */
+       char pcli_payload_pat[65];              /* payload pattern for the CLI proxy, including trailing \0 */
 
        struct ist unique_id;                   /* custom unique ID */
 

diff --git a/src/cli.c b/src/cli.c
index fa180df504279f009884e654069d0bdfe2abf86d..0eb2f0e2af126e4e58d916d2cfbd339ab8a9e104 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -65,7 +65,7 @@
 #include <haproxy/tools.h>
 #include <haproxy/version.h>
 
-#define MAX_PAYLOAD_PATTERN_SIZE 7
+#define MAX_PAYLOAD_PATTERN_SIZE 64
 #define PAYLOAD_PATTERN "<<"
 
 static struct applet cli_applet;