diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2017-02-19 13:23:51 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-02-19 13:23:51 +0100 |
commit | bbbd329e9a1274d0a7bfb7b741894f5417b43538 (patch) | |
tree | b7b772754188a2839c85bfbc85babfe185ee0136 | |
parent | fc117d6513dfa1e6287927a9b95ac0558eaea951 (diff) |
Ensure lacme's config file descriptor has the FD_CLOEXEC bit set.
-rw-r--r-- | Changelog | 2 | ||||
-rwxr-xr-x | lacme | 2 |
2 files changed, 4 insertions, 0 deletions
@@ -2,6 +2,8 @@ lacme (0.3) upstream; - When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + - Ensure lacme's config file descriptor is not passed to the accountd + or webserver components. -- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100 @@ -68,6 +68,7 @@ $COMMAND = $COMMAND =~ /\A(new-reg|reg=\p{Print}*|new-cert|revoke-cert)\z/ ? $1 : usage(1, "Invalid command: $COMMAND"); # validate and untaint $COMMAND @ARGV = map { /\A(\p{Print}*)\z/ ? $1 : die } @ARGV; # untaint @ARGV +sub set_FD_CLOEXEC($$); my $CONFFILENAME = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" @@ -79,6 +80,7 @@ do { open $CONFFILE, '<', $CONFFILENAME or die "Can't open $CONFFILENAME: $!\n"; my $conf = do { local $/ = undef; <$CONFFILE> }; # don't close $CONFFILE so we can pass it to the client + set_FD_CLOEXEC($CONFFILE, 1); my $h = Config::Tiny::->read_string($conf) or die Config::Tiny::->errstr()."\n"; my $defaults = delete $h->{_} // {}; |