Check that the challenge token which is turned into a filename is

base64url encoded.
We have only the challenge directory unveil(2)'ed so funny business
like ../ will not work, but we shouldn't generate garbage filenames
that someone else might trip over either.
Pointed out and diff by Ali Farzanrad (ali_farzanrad AT riseup.net)
OK beck

diff --git a/usr.sbin/acme-client/chngproc.c b/usr.sbin/acme-client/chngproc.c
index 0cbfaf2..63c0d4d 100644 (file)
--- a/usr.sbin/acme-client/chngproc.c
+++ b/usr.sbin/acme-client/chngproc.c
@@ -1,4 +1,4 @@
-/*     $Id: chngproc.c,v 1.16 2021/07/12 15:09:20 beck Exp $ */
+/*     $Id: chngproc.c,v 1.17 2022/05/05 19:51:35 florian Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -16,6 +16,7 @@
  */
 
 #include <assert.h>
+#include <ctype.h>
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -77,6 +78,18 @@ chngproc(int netsock, const char *root)
                        goto out;
                else if ((tok = readstr(netsock, COMM_TOK)) == NULL)
                        goto out;
+               else if (strlen(tok) < 1) {
+                       warnx("token is too short");
+                       goto out;
+               }
+
+               for (i = 0; tok[i]; ++i) {
+                       int ch = (unsigned char)tok[i];
+                       if (!isalnum(ch) && ch != '-' && ch != '_') {
+                               warnx("token is not a valid base64url");
+                               goto out;
+                       }
+               }
 
                if (asprintf(&fmt, "%s.%s", tok, th) == -1) {
                        warn("asprintf");

diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index 65ea2cf..bec1725 100644 (file)
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/*     $Id: main.c,v 1.54 2020/05/10 12:06:18 benno Exp $ */
+/*     $Id: main.c,v 1.55 2022/05/05 19:51:35 florian Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -20,6 +20,7 @@
 #include <ctype.h>
 #include <err.h>
 #include <libgen.h>
+#include <locale.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -56,6 +57,9 @@ main(int argc, char *argv[])
        struct domain_c         *domain = NULL;
        struct altname_c        *ac;
 
+       if (setlocale(LC_CTYPE, "C") == NULL)
+               errx(1, "setlocale");
+
        while ((c = getopt(argc, argv, "Fnrvf:")) != -1)
                switch (c) {
                case 'F':