From 2efd4458f4db7f489ecc81f4039b8e8103edf9d9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 16 Feb 2021 17:24:31 +0100
Subject: Don't load configuration files from ./ by default.

This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer
consider ./lacme.conf resp. ./lacme-accountd.conf as default location
for the configuration file.  Doing so has security implications when
running these program from insecure directories.
---
 lacme | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'lacme')

diff --git a/lacme b/lacme
index 045c5b4..33f947c 100755
--- a/lacme
+++ b/lacme
@@ -77,8 +77,7 @@ $COMMAND = $COMMAND =~ /\A(account|newOrder|new-cert|revokeCert|revoke-cert)\z/
 
 sub set_FD_CLOEXEC($$);
 my $CONFFILENAME = $OPTS{config} // first { -f $_ }
-   ( "./$NAME.conf"
-   , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
+   ( ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config") . "/lacme/$NAME.conf"
    , "@@sysconfdir@@/lacme/$NAME.conf"
    );
 do {
-- 
cgit v1.2.3