aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2017-06-29 10:52:01 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-29 11:38:18 +0200
commit7c7e01fa8d8623145078cc352c3617ad43ebe326 (patch)
tree8202ecf2a459ba7382a765ae6c049677ab1c24f3
parenta528bcffe2480245185a3b8d6e6c51307635a4ea (diff)
Remove potential race when creating ACME challenge response files.
-rw-r--r--Changelog2
-rwxr-xr-xclient18
2 files changed, 13 insertions, 7 deletions
diff --git a/Changelog b/Changelog
index 1fd6762..5252fd2 100644
--- a/Changelog
+++ b/Changelog
@@ -28,6 +28,8 @@ lacme (0.3) upstream;
vulnerability.
- lacme(1), lacme-accountd(1): fix version number shown with
--version.
+ - client: remove potential race when creating ACME challenge response
+ files.
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100
diff --git a/client b/client
index cd94ed8..333ae3b 100755
--- a/client
+++ b/client
@@ -44,10 +44,13 @@ use warnings;
my $PROTOCOL_VERSION = 1;
-use LWP::UserAgent ();
+use Errno 'EEXIST';
+use Fcntl qw/O_CREAT O_EXCL O_WRONLY/;
+use Digest::SHA qw/sha256 sha256_hex/;
use MIME::Base64 qw/encode_base64 encode_base64url/;
+
+use LWP::UserAgent ();
use JSON ();
-use Digest::SHA qw/sha256 sha256_hex/;
use Config::Tiny ();
@@ -266,18 +269,19 @@ elsif ($COMMAND eq 'new-cert') {
@{request_json_decode($r)->{challenges} // []};
die "Missing 'http-01' challenge in server response" unless defined $challenge;
die "Invalid challenge token ".($challenge->{token} // '')."\n"
+ # ensure we don't write outside the cwd
unless ($challenge->{token} // '') =~ /\A[A-Za-z0-9_\-]+\z/;
my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint;
# serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token}
- if (-e $challenge->{token}) {
- print STDERR "WARNING: File exists: $challenge->{token}\n";
- }
- else {
- open my $fh, '>', $challenge->{token} or die "Can't open $challenge->{token}: $!";
+ if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {
$fh->print($keyAuthorization);
$fh->close() or die "Can't close: $!";
+ } elsif ($! == EEXIST) {
+ print STDERR "WARNING: File exists: $challenge->{token}\n";
+ } else {
+ die "Can't open $challenge->{token}: $!";
}
$r = acme($challenge->{uri}, {