diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 10:52:01 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 11:38:18 +0200 |
commit | 7c7e01fa8d8623145078cc352c3617ad43ebe326 (patch) | |
tree | 8202ecf2a459ba7382a765ae6c049677ab1c24f3 | |
parent | a528bcffe2480245185a3b8d6e6c51307635a4ea (diff) |
Remove potential race when creating ACME challenge response files.
-rw-r--r-- | Changelog | 2 | ||||
-rwxr-xr-x | client | 18 |
2 files changed, 13 insertions, 7 deletions
@@ -28,6 +28,8 @@ lacme (0.3) upstream; vulnerability. - lacme(1), lacme-accountd(1): fix version number shown with --version. + - client: remove potential race when creating ACME challenge response + files. -- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100 @@ -44,10 +44,13 @@ use warnings; my $PROTOCOL_VERSION = 1; -use LWP::UserAgent (); +use Errno 'EEXIST'; +use Fcntl qw/O_CREAT O_EXCL O_WRONLY/; +use Digest::SHA qw/sha256 sha256_hex/; use MIME::Base64 qw/encode_base64 encode_base64url/; + +use LWP::UserAgent (); use JSON (); -use Digest::SHA qw/sha256 sha256_hex/; use Config::Tiny (); @@ -266,18 +269,19 @@ elsif ($COMMAND eq 'new-cert') { @{request_json_decode($r)->{challenges} // []}; die "Missing 'http-01' challenge in server response" unless defined $challenge; die "Invalid challenge token ".($challenge->{token} // '')."\n" + # ensure we don't write outside the cwd unless ($challenge->{token} // '') =~ /\A[A-Za-z0-9_\-]+\z/; my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint; # serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token} - if (-e $challenge->{token}) { - print STDERR "WARNING: File exists: $challenge->{token}\n"; - } - else { - open my $fh, '>', $challenge->{token} or die "Can't open $challenge->{token}: $!"; + if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) { $fh->print($keyAuthorization); $fh->close() or die "Can't close: $!"; + } elsif ($! == EEXIST) { + print STDERR "WARNING: File exists: $challenge->{token}\n"; + } else { + die "Can't open $challenge->{token}: $!"; } $r = acme($challenge->{uri}, { |