Hi tech@,
I know that acme-client is already properly unveiled, but isn't it better to
also check the token names?
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
retrieving revision 1.16
diff -u -p -r1.16 chngproc.c
--- chngproc.c 12 Jul 2021 15:09:20 -0000 1.16
+++ chngproc.c 1 May 2022 22:28:43 -0000
@@ -77,6 +77,11 @@ chngproc(int netsock, const char *root)
goto out;
else if ((tok = readstr(netsock, COMM_TOK)) == NULL)
goto out;
+ else if (strstr(tok, "../") == tok ||
+ strstr(tok, "/../") != NULL) {
+ warnx("bad file path");
+ goto out;
+ }
if (asprintf(&fmt, "%s.%s", tok, th) == -1) {
warn("asprintf");