diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 22:47:24 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 22:47:24 +0200 |
commit | 3a9a58b9556c4ccd07c10429c040e6c98781fd45 (patch) | |
tree | 7058ff1bfebb25d247111428d194a828e1cac253 /client | |
parent | c8e2cd230a90b58b7e962f658fafb2d1306a579d (diff) | |
parent | d93660085ceba3f81631bba4744b23af7984cd9d (diff) |
Merge branch 'master' into debian
Diffstat (limited to 'client')
-rwxr-xr-x | client | 18 |
1 files changed, 11 insertions, 7 deletions
@@ -44,10 +44,13 @@ use warnings; my $PROTOCOL_VERSION = 1; -use LWP::UserAgent (); +use Errno 'EEXIST'; +use Fcntl qw/O_CREAT O_EXCL O_WRONLY/; +use Digest::SHA qw/sha256 sha256_hex/; use MIME::Base64 qw/encode_base64 encode_base64url/; + +use LWP::UserAgent (); use JSON (); -use Digest::SHA qw/sha256 sha256_hex/; use Config::Tiny (); @@ -266,18 +269,19 @@ elsif ($COMMAND eq 'new-cert') { @{request_json_decode($r)->{challenges} // []}; die "Missing 'http-01' challenge in server response" unless defined $challenge; die "Invalid challenge token ".($challenge->{token} // '')."\n" + # ensure we don't write outside the cwd unless ($challenge->{token} // '') =~ /\A[A-Za-z0-9_\-]+\z/; my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint; # serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token} - if (-e $challenge->{token}) { - print STDERR "WARNING: File exists: $challenge->{token}\n"; - } - else { - open my $fh, '>', $challenge->{token} or die "Can't open $challenge->{token}: $!"; + if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) { $fh->print($keyAuthorization); $fh->close() or die "Can't close: $!"; + } elsif ($! == EEXIST) { + print STDERR "WARNING: File exists: $challenge->{token}\n"; + } else { + die "Can't open $challenge->{token}: $!"; } $r = acme($challenge->{uri}, { |