blob: 953c6aa3b2bc796574416b189d53790f4857295a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
Backported from 5.0.2. Not quite sure if xrootd-4 is actually vulnerable
to this - but just in case.
From fff97c2dc6703dc1ba8b28b1bf67eeb278ff3e22 Mon Sep 17 00:00:00 2001
From: Andrew Hanushevsky <abh@stanford.edu>
Date: Wed, 2 Sep 2020 23:13:52 -0700
Subject: [PATCH] [HTTP] Prevent secret key leakage if specified in the config
file.
---
src/XrdHttp/XrdHttpProtocol.cc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index 66b89df20ed..5f50f2aeadd 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -1986,6 +1986,7 @@ int XrdHttpProtocol::xsslcafile(XrdOucStream & Config) {
int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
char *val;
+ bool inFile = false;
// Get the path
//
@@ -2001,6 +2002,7 @@ int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
// otherwise, the token itself is the secretkey
if (val[0] == '/') {
struct stat st;
+ inFile = true;
if ( stat(val, &st) ) {
eDest.Emsg("Config", errno, "stat shared secret key file", val);
return 1;
@@ -2059,6 +2061,7 @@ int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
// Record the path
if (secretkey) free(secretkey);
secretkey = strdup(val);
+ if (!inFile) Config.noEcho();
return 0;
}
|
