diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-19 00:06:49 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-20 18:18:48 +0100 | 
| commit | baa7c25db322a9472c9155422057ec56aa93f439 (patch) | |
| tree | 9d6218b9fa85ae177e7c7a4593181ee21ff953f5 | |
| parent | 42a8f9813716ed3495b6f49edea429b127eef0f0 (diff) | |
Use File::Basename::dirname().
To correctly extract the parent directory of the socket path.  The
previous returned an empty string when the socket path didn't contain
‘/’.
| -rw-r--r-- | Changelog | 2 | ||||
| -rw-r--r-- | INSTALL | 2 | ||||
| -rwxr-xr-x | lacme | 7 | ||||
| -rwxr-xr-x | lacme-accountd | 5 | 
4 files changed, 11 insertions, 5 deletions
| @@ -62,6 +62,8 @@ lacme (0.7.1) upstream;   - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME     challenge directory.   - Set the DEBUG environment variable to 0/1 instead of ""/1. + - Use File::Basename::dirname() to correctly extract the parent +   directory of the socket path.   -- Guilhem Moulin <guilhem@fripost.org>  Wed, 09 Dec 2020 18:23:22 +0100 @@ -4,6 +4,7 @@ lacme-accountd depends on the following Perl modules:    - Crypt::OpenSSL::RSA (for PEM-encoded key material)    - Crypt::OpenSSL::Bignum (for PEM-encoded key material)    - Errno (core module) +  - File::Basename (core module)    - Getopt::Long (core module)    - JSON (optionally C/XS-accelerated with JSON::XS)    - List::Util (core module) @@ -23,6 +24,7 @@ lacme depends on OpenSSL ≥1.1.0 and the following Perl modules:    - Date::Parse    - Errno (core module)    - Fcntl (core module) +  - File::Basename (core module)    - File::Temp (core module)    - Getopt::Long (core module)    - JSON (optionally C/XS-accelerated with JSON::XS) @@ -27,6 +27,7 @@ my $NAME = 'lacme';  use Errno 'EINTR';  use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC O_CREAT O_EXCL O_WRONLY SEEK_SET/; +use File::Basename 'dirname';  use File::Temp ();  use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;  use List::Util 'first'; @@ -531,8 +532,8 @@ sub acme_client($@) {          $sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname          # ensure we're the only user with write access to the parent dir -        my $dirname = $sockname =~ s/[^\/]+$//r; -        @stat = stat($dirname) or die "stat($dirname): $!"; +        my $dirname = dirname($sockname); +        @stat = stat($dirname) or die "stat($dirname): $!\n";          die "Error: insecure permissions on $dirname\n" if ($stat[2] & 0022) != 0;          # ensure we're the only user with read/write access to the socket @@ -695,7 +696,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {                    : [ "$NAME-certs.conf", "$NAME-certs.conf.d/" ];      my ($conf, %defaults);      foreach my $conffile (@$conffiles) { -        $conffile = ($CONFFILENAME =~ s#[^/]+\z##r).$conffile unless $conffile =~ /\A\//; +        $conffile = dirname($CONFFILENAME) .'/'. $conffile unless $conffile =~ /\A\//;          my @filenames;          unless ($conffile =~ s#/\z## or -d $conffile) {              @filenames = ($conffile); diff --git a/lacme-accountd b/lacme-accountd index 7b9b1ff..1dc5f03 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -28,6 +28,7 @@ my $PROTOCOL_VERSION = 1;  my $NAME = 'lacme-accountd';  use Errno 'EINTR'; +use File::Basename 'dirname';  use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;  use List::Util 'first';  use MIME::Base64 'encode_base64url'; @@ -143,8 +144,8 @@ unless (defined $OPTS{stdio}) {      $sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname      # ensure we're the only user with write access to the parent dir -    my $dirname = $sockname =~ s/[^\/]+$//r; -    my @stat = stat($dirname) or die "stat($dirname): $!"; +    my $dirname = dirname($sockname); +    my @stat = stat($dirname) or die "stat($dirname): $!\n";      die "Error: insecure permissions on $dirname\n" if ($stat[2] & 0022) != 0;      my $umask = umask(0177) // die "umask: $!"; | 
