From: Christopher Faulet Date: Tue, 14 Apr 2026 14:08:29 +0000 (+0200) Subject: MEDIUM: cli: increase the payload pattern up to 64 bytes X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=80776da29737cdec81644a90c0cd24e9064e22df;p=thirdparty%2Fhaproxy.git MEDIUM: cli: increase the payload pattern up to 64 bytes The maximum size allowed for the payload pattern was increased up to 64 bytes (65 bytes because of the trailing \0), to be able to use a sha256 of random data for instance. It could be useful to prevent any data smuggling on the payload. Note that on the CLI, it could be possible to have only the buffer size as a limit, because the command line is only consumed once all commands are executed. The payload pattern is only a pointer in the buffer where the command line was copied. However, for the master CLI, the data are streamed to the worker, so we must keep a copy of the payload pattern. This is why we must limit its size. --- diff --git a/doc/management.txt b/doc/management.txt index 7d4d5e463..ee36f7037 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -1646,9 +1646,10 @@ a payload, it needs to end with an empty line. The payload pattern can be customized in order to change the way the payload ends. In order to end a payload with something else than an empty line, a -customized pattern can be set between '<<' and '\n'. Only 7 characters can be -used in addition to '<<', otherwise this won't be considered a payload. -For example, to use a PEM file that contains empty lines and comments: +customized pattern can be set between '<<' and '\n'. Up to 64 characters can be +used in addition to '<<', otherwise this won't be considered a payload. It +should be enough to use random payload patterns. For example, to use a PEM file +that contains empty lines and comments: # echo -e "set ssl cert common.pem <<%EOF%\n$(cat common.pem)\n%EOF%\n" | \ socat /var/run/haproxy.stat - 
diff --git a/include/haproxy/stream-t.h b/include/haproxy/stream-t.h index d5f07b9c8..c8f8719e0 100644 --- a/include/haproxy/stream-t.h +++ b/include/haproxy/stream-t.h @@ -313,7 +313,7 @@ struct stream { int pcli_next_pid; /* next target PID to use for the CLI proxy */ int pcli_flags; /* flags for CLI proxy */ - char pcli_payload_pat[8]; /* payload pattern for the CLI proxy */ + char pcli_payload_pat[65]; /* payload pattern for the CLI proxy, including trailing \0 */ struct ist unique_id; /* custom unique ID */ diff --git a/src/cli.c b/src/cli.c index fa180df50..0eb2f0e2a 100644 --- a/src/cli.c +++ b/src/cli.c @@ -65,7 +65,7 @@ #include #include -#define MAX_PAYLOAD_PATTERN_SIZE 7 +#define MAX_PAYLOAD_PATTERN_SIZE 64 #define PAYLOAD_PATTERN "<<" static struct applet cli_applet;
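Review bot: the added sentence "It should be enough to use random payload patterns" in the doc/management.txt hunk tells the reader that the new limit exists but not why a random pattern is wanted; the commit message is clearer on this (a sha256 of random data fits in 64 bytes and is there to prevent data smuggling on the payload). Suggest saying so directly in the doc, e.g. "A random pattern (for instance the hex sha256 of random data, which fits in the 64-character limit) prevents untrusted payload content from terminating the payload early." Minor wording in the unchanged context: "something else than an empty line" reads better as "something other than an empty line".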
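Review bot: the new size `char pcli_payload_pat[65];` in the struct stream hunk is a bare literal, while the matching limit lives in src/cli.c as MAX_PAYLOAD_PATTERN_SIZE (64); the two are tied only by the "+1 for the trailing \0" relation spelled out in the commit message, and nothing in the code enforces it. Declaring the array as `char pcli_payload_pat[MAX_PAYLOAD_PATTERN_SIZE + 1];` after moving the define to a header that stream-t.h can include would keep the buffer and the copy bound from drifting apart in a later change, which is exactly the drift that turns a bounded copy into an overflow. Also worth a line in the commit message: the struct grows by 57 bytes (before padding) per stream.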
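Review bot: the src/cli.c hunk only bumps MAX_PAYLOAD_PATTERN_SIZE from 7 to 64; the code that copies the pattern into pcli_payload_pat for the master CLI and the check that rejects longer patterns ("otherwise this won't be considered a payload" in the doc) are not in the diff. Please confirm that both use MAX_PAYLOAD_PATTERN_SIZE rather than a literal 7 or 8, and that the copy writes at most MAX_PAYLOAD_PATTERN_SIZE bytes plus the terminator, since the commit message makes that copy the reason the limit exists. A grep for remaining literal 7 or 8 next to pcli_payload_pat or PAYLOAD_PATTERN would settle it.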