On 2022-05-02 03:04 +0430, Ali Farzanrad <ali_farzan...@riseup.net> wrote:
> Hi tech@,
>
> I know that acme-client is unveiled properly, but isn't it better to
> check token names?

Nice catch, the token is untrusted input.
We should validate this differently though.

RFC 8555, 8.5 HTTP Challenge:

   token (required, string):  A random value that uniquely identifies
      the challenge.  This value MUST have at least 128 bits of entropy.
      It MUST NOT contain any characters outside the base64url alphabet
      and MUST NOT include base64 padding characters ("=").

base64url is defined in
RFC 4648, 5. Base 64 Encoding with URL and Filename Safe Alphabet

It's basically isalpha || '-' || '_'.

Are you up to implementing that check instead?

>
> ===================================================================
> RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
> retrieving revision 1.16
> diff -u -p -r1.16 chngproc.c
> --- chngproc.c        12 Jul 2021 15:09:20 -0000      1.16
> +++ chngproc.c        1 May 2022 22:28:43 -0000
> @@ -77,6 +77,11 @@ chngproc(int netsock, const char *root)
>                       goto out;
>               else if ((tok = readstr(netsock, COMM_TOK)) == NULL)
>                       goto out;
> +             else if (strstr(tok, "../") == tok ||
> +                 strstr(tok, "/../") != NULL) {
> +                     warnx("bad file path");
> +                     goto out;
> +             }
>  
>               if (asprintf(&fmt, "%s.%s", tok, th) == -1) {
>                       warn("asprintf");
>
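Review bot: the deny-list in the new `else if` is too narrow for a value that becomes a file name component in `asprintf(&fmt, "%s.%s", tok, th)` just below: it rejects only a token that starts with `../` or contains `/../`, so a `tok` that begins with `/`, contains a bare `/` (naming a subdirectory), or ends in `/..` still passes. Since RFC 8555 8.5 limits the token to the base64url alphabet without padding, an allow-list that rejects any byte outside `[A-Za-z0-9_-]` (and an empty token) is shorter, matches the spec and covers all of those cases at once; the message would then read `warnx("bad token")` rather than `"bad file path"`.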

-- 
I'm not entirely sure you are real.
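
The allow-list check the reply asks for, as an added example that is neither the acme-client code nor the patch from the thread. `denylist_ok()` reproduces the logic of the quoted diff so the two can be compared on the same inputs; `base64url_ok()` accepts only the RFC 4648 section 5 alphabet (A-Z, a-z, 0-9, '-', '_') with no '=' padding, as RFC 8555 8.5 requires. Function names and the sample tokens in `main()` are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Reconstruction of the check proposed in the quoted diff: reject a
 * token that starts with "../" or contains "/../". Returns 1 when the
 * token passes that deny-list, 0 when it is rejected.
 */
int
denylist_ok(const char *tok)
{
	if (strstr(tok, "../") == tok || strstr(tok, "/../") != NULL)
		return 0;
	return 1;
}

/*
 * Explicit ranges rather than isalnum(): isalnum() depends on the
 * current locale, while the RFC alphabet is fixed ASCII.
 */
static int
is_base64url_char(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/*
 * Allow-list check per RFC 8555 8.5: non-empty, every byte in the
 * base64url alphabet, no padding. '/', '.', '=', whitespace and any
 * other byte fall outside the alphabet and are rejected, so there is
 * no separate path-traversal case to think about. Returns 1 if the
 * token is acceptable as a file name component, 0 otherwise.
 */
int
base64url_ok(const char *tok)
{
	const unsigned char *p;

	if (tok == NULL || *tok == '\0')
		return 0;
	for (p = (const unsigned char *)tok; *p != '\0'; p++)
		if (!is_base64url_char(*p))
			return 0;
	return 1;
}

int
main(void)
{
	/* Constructed samples: one well-formed token, then inputs that
	 * slip past the deny-list but not the allow-list. */
	const char *samples[] = {
		"Oxtv6j_3tmHV-2fWhQJgM6Ppy2uBR0vGd7KtF4kzqwc",
		"../x", "abc/../x", "foo/bar", "/abs/path", "foo/..", "abc=", ""
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-45s denylist=%d base64url=%d\n", samples[i],
		    denylist_ok(samples[i]), base64url_ok(samples[i]));
	return 0;
}
```

Run stand-alone it prints one line per sample; the rows for `foo/bar`, `/abs/path` and `foo/..` are the ones where the deny-list says 1 and the allow-list says 0, which is the gap the allow-list closes.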